Running a Windows service under a domain user account


Solution 1

Yes, if you change the password. Then you have to update the password for the service too.

Solution 2

As an addition, in Windows Server 2008 R2 (and Windows 7) there's a new (or two) service account type (Managed Service Account) which will manage the passwords for you.

Solution 3

Will the service now fail to start, until you update the password?

Yes. Which makes the 2nd question moot.

I usually disable password expiration for 'service' accounts, set them to an incredibly complex password, and disable their logon rights to every single machine and just add them to the local machine with whatever rights they require.

Solution 4

A service account running with the credentials of a domain account that has recently changed the account password will run into a problem only during a restart of that service. Since the server hasn't been updated with the new password, your service will not be able to authenticate the service account credentials until you update the service properties with the correct password.

That being said, it is recommended that you use the SERVER\NETWORK SERVICE account for services that require domain level access. The NETWORK SERVICE account is actually an alias account linking to the DOMAIN\SERVERNAME directory object in Active Directory.

ex. ServerA\NETWORK SERVICE --> DOMAIN\ServerA

Imagine your server running the service is ServerA and the resource your service needs access to is ServerB. By configuring the service to use the ServerA\NETWORK SERVICE account, it will actually be running with the DOMAIN\ServerA account. This has an added benefit of the automated computer password change mechanism that takes place (by default) every 30 days, transparent to you or your service.

Also, if you need to grant permissions for your service to communicate to the resource server (ServerB) in the same forest you can simply edit the access permissions on the ServerB to grant access permissions to the DOMAIN\ServerA account (remember it is the actual account for the ServerA\NETWORK SERVICE account) and then all requests to the resource on ServerB will be performed using the credentials of the DOMAIN\ServerA account.

All that being said, the Managed Service Accounts in Windows 2008 (thanks for pointing that out Oskar) look to be an even better way to handle service account needs!
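
An added example, not part of any answer above: a PowerShell sketch that sorts each service's logon account by who manages its password, so the services that store a domain user password (the ones that need updating after a password change) stand out. The function names, the `EXAMPLE` domain, the `SERVERA` host name and the sample rows are constructed for illustration; on a real host, pipe `Get-CimInstance -ClassName Win32_Service` into the report function instead.

```powershell
# Classify a service logon account (Win32_Service.StartName) by who manages its password.
function Get-ServiceAccountKind {
    param([string]$StartName, [string]$ComputerName = $env:COMPUTERNAME)

    $builtIn = 'LocalSystem', 'NT AUTHORITY\SYSTEM',
               'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
    if (-not $StartName)                 { return 'None' }      # no logon account recorded
    if ($builtIn -contains $StartName)   { return 'BuiltIn' }   # -contains ignores case
    if ($StartName -like 'NT SERVICE\*') { return 'Virtual' }   # per-service virtual account
    if ($StartName.EndsWith('$'))        { return 'Managed' }   # managed service account (name$)
    if ($StartName -like '.\*' -or $StartName -like "$ComputerName\*") { return 'LocalUser' }
    return 'DomainUser'                                         # DOMAIN\user or user@domain
}

# Hypothetical helper: adds a Kind column to objects shaped like Win32_Service rows.
function Get-ServiceAccountReport {
    param([Parameter(ValueFromPipeline)]$Service, [string]$ComputerName = $env:COMPUTERNAME)
    process {
        [pscustomobject]@{
            Name      = $Service.Name
            StartName = $Service.StartName
            State     = $Service.State
            Kind      = Get-ServiceAccountKind -StartName $Service.StartName -ComputerName $ComputerName
        }
    }
}

# Constructed sample rows (not real output), shaped like Win32_Service objects.
$sample = @(
    [pscustomobject]@{ Name = 'Spooler';  StartName = 'LocalSystem';                 State = 'Running' }
    [pscustomobject]@{ Name = 'Dnscache'; StartName = 'NT AUTHORITY\NetworkService'; State = 'Running' }
    [pscustomobject]@{ Name = 'AppSvc';   StartName = 'EXAMPLE\svc-app';             State = 'Running' }
    [pscustomobject]@{ Name = 'AppSvc2';  StartName = 'EXAMPLE\msa-app$';            State = 'Running' }
    [pscustomobject]@{ Name = 'Backup';   StartName = 'svc-backup@example.test';     State = 'Stopped' }
    [pscustomobject]@{ Name = 'Legacy';   StartName = '.\localsvc';                  State = 'Stopped' }
)

# Services whose stored domain user password must be re-entered after a password change.
$sample | Get-ServiceAccountReport -ComputerName 'SERVERA' |
    Where-Object { $_.Kind -eq 'DomainUser' } |
    Format-Table Name, StartName, State
```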

Author by

BeeOnRope

Updated on September 17, 2022

Comments

  • BeeOnRope almost 2 years

    If I run a Windows service on some host under a domain user account, and the password for this account changes at some later point, will the service now fail to start, until you update the password?

    If not, how are the credentials for the domain user account persisted on the machine running the service in a way that allows them to survive a password change?

  • Dscoduc over 14 years
    Why not just use the Network Service Account? That's what it's for...
  • Zypher over 14 years
    This may be a good approach for smaller environments, however it doesn't scale at all.
  • Dscoduc over 14 years
    Perhaps you could add some additional thoughts to your response...
  • aduljr over 14 years
    We used a non log-in enabled account for running services on our servers. Password was some sort of face smashing into kb and was set to never expire. It worked out well for us.
  • MrGigu over 14 years
    @Dscoduc, because sometimes we want to disable a particular service account at an enterprise level
  • blank3 over 14 years
    Nice answer. I'm curious too, what doesn't scale?
  • Dscoduc over 14 years
    +1 - Excellent comment Oskar - Managed Service Accounts is a new feature in Windows 2008 R2 that is easily overlooked. If you run services with domain accounts you should be looking into this new feature.
  • Koen almost 13 years
    What if the service is still running? Does it continue until it is stopped once?
  • proy over 12 years
    Yes it keeps on running