9

Question

Is there a "correct" / standard way to distinguish Service Accounts from User Accounts in AD?

More Info

In certain scenarios we have systems running under AD Credentials (i.e. under a Service Account). These Service Accounts are created in exactly the same way as user accounts; the only difference being the name and description. A few things have been done to make a distinction between the two account types (e.g. which OU the account is in, whether "password never expires" is enabled, if "service account" is in the description), but there's no one rule which can be applied to everything to clearly distinguish between the two.

Going forwards we're looking to improve this / spring clean things to make a distinction clear. We'll likely use both the OU and Description fields for this purpose.

Before doing this, though, I wanted to check: is there a way in which this should be done, i.e. some attribute specifically for this purpose (maybe an objectCategory value different to Person?), or a recognised standard naming convention, or does each company figure out their own approach?

JohnLBevan
  • As a side note, if you are using Server 2012 you can actually create managed service accounts. Where possible it is best practice to use these: https://technet.microsoft.com/en-us/library/hh831451.aspx – Drifter104 Aug 10 '15 at 15:24
  • You could (and probably should) use Managed Service Accounts, which are readily identifiable: http://blogs.technet.com/b/askds/archive/2009/09/10/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting.aspx – joeqwerty Aug 10 '15 at 15:28
  • Thanks both. @Drifter104 FYI: looks like MSAs became available in Windows Server 2008 R2. https://technet.microsoft.com/en-us/library/dd560633(v=ws.10).aspx – JohnLBevan Aug 10 '15 at 15:33
  • @JohnLBevan MSAs became available in 2008 R2, but they were enhanced in 2012 when they became Group Managed Service Accounts (gMSAs), which removed many of the limitations of the older MSAs. – Ryan Ries Aug 15 '15 at 14:24
  • @RyanRies is MS using applicationProcess for those? – Braiam May 24 '20 at 13:07

3 Answers

11

I've not seen anything that could be construed as an 'official' standard. What I've typically done is used a standard naming prefix as well as keeping them in an OU. You could use the Description field or the Department field as well for an easy sort/select.

Mr. Smythe
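The two ways of telling service accounts apart that this page discusses (the MSA/gMSA objects from the comments on the question, and the OU, naming-prefix and Description conventions in this answer) can both be checked from PowerShell. The script below is an added example, not code from the original question or answers. It assumes the RSAT ActiveDirectory module and read access to the domain; the `DC=example,DC=com` search base, the `OU=Service Accounts` path, the `svc-` prefix and the `service account` description keyword are assumptions chosen to match the conventions described above, and should be replaced with your own.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT)
# and an account that can read the directory. All names below are assumed conventions.
Import-Module ActiveDirectory

$SearchBase  = 'DC=example,DC=com'                          # assumed domain
$ServiceOU   = 'OU=Service Accounts,DC=example,DC=com'      # assumed OU for service accounts
$NamePrefix  = 'svc-'                                        # assumed naming prefix
$DescKeyword = 'service account'                             # assumed Description marker

# 1. Managed and group-managed service accounts are their own object classes,
#    so they can be listed without relying on any naming or OU convention.
$msaFilter = '(|(objectClass=msDS-ManagedServiceAccount)(objectClass=msDS-GroupManagedServiceAccount))'
$msas = Get-ADObject -LDAPFilter $msaFilter -SearchBase $SearchBase -Properties objectClass

# 2. Ordinary user objects used as service accounts are only distinguishable by
#    convention. Fetch every enabled user once (userAccountControl bit 0x2 =
#    ACCOUNTDISABLE, tested with the LDAP bitwise-AND matching rule) and classify
#    client-side against each heuristic the answer mentions.
$enabledFilter = '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'
$users = Get-ADUser -LDAPFilter $enabledFilter -SearchBase $SearchBase `
                    -Properties description, userAccountControl

$report = foreach ($u in $users) {
    $reasons = @()
    if ($u.DistinguishedName -like "*,$ServiceOU")   { $reasons += 'in service OU' }
    if ($u.SamAccountName   -like "$NamePrefix*")     { $reasons += 'name prefix' }
    if ($u.Description -and $u.Description -match [regex]::Escape($DescKeyword)) {
        $reasons += 'description'
    }
    # 0x10000 = DONT_EXPIRE_PASSWD; common on service accounts, but not proof of one
    if ($u.UserAccountControl -band 0x10000)          { $reasons += 'password never expires' }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Kind           = if ($reasons.Count -gt 0) { 'service (by convention)' } else { 'user' }
        Evidence       = ($reasons -join ', ')
        DN             = $u.DistinguishedName
    }
}

# Accounts that satisfy some but not all conventions are the ones to fix during a
# clean-up: a convention is only useful as a filter if every service account meets it.
$partial = $report | Where-Object { $_.Evidence -and ($_.Evidence -split ', ').Count -lt 4 }

"=== Managed / group-managed service accounts (distinct object classes) ==="
$msas | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize

"=== User objects that look like service accounts ==="
$report | Where-Object Kind -ne 'user' | Format-Table -AutoSize

"=== Inconsistently tagged accounts (review these) ==="
$partial | Format-Table -AutoSize
```

The first query is the only one that is not a guess: an MSA or gMSA is a different object class from `user`, so no naming rule is needed to find it. The caveat is that gMSAs only help where the consuming software supports them (Windows services, IIS application pools, scheduled tasks and a few others), so the conventions checked in the second part are still needed for everything that authenticates with a plain user object.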
4

There is no "official" solution to this issue, nor any specific AD attribute meant to convey "this is a service account". Various places use various techniques, which may include OUs, groups, descriptions, name prefixes, and so on; but it really is only a cosmetic distinction: service accounts are the exact same objects as user accounts.

Massimo
1

Microsoft Active Directory uses the objectCategory attribute like a programming language might define a "class". By default, users have "objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=mydomain,dc=com". You could override this with another DN, like account or posixAccount.

  • Has anyone actually used the method Tim is mentioning? I prefer this to the others — name prefix, OU, etc — because there is almost always a time when you'll end up breaking these for one reason or another. We employ them all, but none are 100% effective and I end up needing a bunch of filters anyway. – ebarrere Oct 23 '20 at 18:56