Active Directory - Non-Interactive Service Accounts

The Campus Active Directory service offers a fine-grained password policy for non-interactive "service" accounts. The policy offers a more convenient maximum password age to reduce the frequency of required password changes.

Requesting a Service Account

To create a non-interactive service account, follow these directions:

  • Create a user object for each service in your department's delegated Organizational Unit. When selecting a name for the user object, please follow the Campus Active Directory Naming Convention https://kb.wisc.edu/page.php?id=30600.
  • Make sure the account has at least a 12-character password
  • E-mail activedirectory@doit.wisc.edu with the following information:
    • Department Code
    • Name of the user object
  • A Campus Active Directory administrator will add the account to a special group with the fine-grained password policy. The account will be forced to change its password at next logon.

Best Practices for use of Service Accounts

Add the "Logon as a service" rights to a user account

  • Open Local Security Policy
  • In the console tree, double-click Local Policies, and then click User Rights Assignments
  • In the details pane, double-click Logon as a service
  • Click Add User or Group, and then add the appropriate account to the list of accounts that possess the Logon as a service right

Add the "Logon as a service" rights to an account for a Group Policy Object (GPO)

  • Make sure your workstation or server is joined to the domain in which your users and GPO's reside
  • Click Start, point to Run, type mmc, and then click OK
  • On the File menu, click Add/Remove Snap-in
  • In Add/Remove Snap-in, click Add, and then, in Add Standalone Snap-in, double-click GPO Editor
  • In Select GPO, click Browse, browse to the GPO that you want to modify, click OK, and then click Finish
  • Click Close, and then click OK
  • In the console tree, click User Rights Assignment
  • In the details pane, double-click Logon as a service
  • If the security setting has not yet been defined, select the Define these policy settings check box
  • Click Add User or Group, and then add the appropriate account to the list of accounts that possess the Logon as a service right

Set "Logon as Batch Job" Policy

  • On the Destination Server, click Start, click All Programs, and then click Administrative Tools
  • In the Adminstrative Tools menu, select Group Policy Management
  • In the Group Policy Management Console tree, click Forest:<servername>, and then click Domains
  • Click the name of your server, expand Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit
  • In the Group Policy Management Editor, click Default Domain Controllers Policy<servername>Policy, expand Computer Configuration, and then click Policies
  • In the Policies tree, expand Windows Setting, and then click Security Settings
  • In the Security Settings tree, expand Local Policies, and then click User Rights Assignment
  • In the results pane, scroll to Logon as Batch Job, and then click Logon as a batch job
  • In the Logon as a batch job Properties dialog box, click Add User or Group
  • In the Add User or Group dialog box, click Browse
  • In the Select Users, Computers, or Groups dialog box, type Administrators
  • Click Check names to verify that the built-in Administrators group appears, and then click OK three times