
I have set up a user to use a roaming profile on my domain controller. But when I add this user to a VM (I want to use it as a service account), a local profile is created for the user and I cannot switch the user profile from local to roaming, as the option is disabled. Any idea why it's disabled?

Windows Server 2016

Thanks


Update: If I remove the local profile and sign in using my test user, then a roaming profile gets created. It seems that if I just use this account to run a Windows service, only a local profile will be created. I had to sign in and then sign out before configuring the service account for my Windows service.

Yoope
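The behaviour described in the question (a service-only logon leaves a local profile even though the AD account has a roaming profile path) can be checked from the VM itself. The following PowerShell is an added example, not code from the question or the answer: it lists the services that run under a given domain account and reads the account's `Win32_UserProfile` entry, whose `RoamingConfigured` and `RoamingPath` properties show whether the profile on this host was created as roaming or local. The account name `CONTOSO\svc-app` is an assumed placeholder; run it elevated on the VM.

```powershell
# Added example (not part of the original thread): report which services run under
# a domain account and whether that account's profile on this host is local or roaming.
param(
    [string]$Account      = 'CONTOSO\svc-app',   # assumed placeholder service account
    [string]$ComputerName = $env:COMPUTERNAME
)

# 1. Services whose logon identity (Win32_Service.StartName) is this account.
$services = Get-CimInstance Win32_Service -ComputerName $ComputerName |
    Where-Object { $_.StartName -and ($_.StartName -ieq $Account) }

# 2. Resolve the account to its SID; Win32_UserProfile is keyed by SID, not name.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# 3. The profile record for that SID. As observed in the question, a profile created
#    by a service logon shows RoamingConfigured = False and an empty RoamingPath even
#    when the AD account has a profile path; an interactive sign-in creates the roaming one.
$userProfile = Get-CimInstance Win32_UserProfile -ComputerName $ComputerName |
    Where-Object { $_.SID -eq $sid }

[pscustomobject]@{
    Account           = $Account
    SID               = $sid
    ServicesUsingIt   = ($services.Name -join ', ')
    ProfileExists     = [bool]$userProfile
    LocalPath         = $userProfile.LocalPath
    RoamingConfigured = $userProfile.RoamingConfigured
    RoamingPath       = $userProfile.RoamingPath
    Loaded            = $userProfile.Loaded
}
```

Running it before and after the interactive sign-in described in the update makes the difference visible: the same SID goes from no profile (or a local one with `RoamingConfigured = False`) to a profile with `RoamingConfigured = True` and the UNC path from Active Directory in `RoamingPath`.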

1 Answer


Service accounts are not meant to log in interactively, meaning they don't get the same login items created as a normal user. By logging in directly you are creating those items (profile, group policy items, etc.). What you are experiencing is expected; your implementation and expectations are the issue (or not, it's just how it works). From a security standpoint you never want service accounts to have login rights outside of "Log on as a service", and you don't really want them to have lingering profiles. Least privilege guidelines mean you should permit the account only what it needs to do, not carte blanche.

  • Thanks, now I see why... This may go beyond the scope of this post, but what I want to do is: I have two Windows services that run on two different VMs (in a domain), and I want to set up a service account to run them so that one service can decrypt a key encrypted by the other service using DPAPI. Currently, it doesn't seem to work when I run them under the same service account, likely because they are using local profiles. It works if I set up a roaming profile for the service account (by logging into the VMs to "force" creating roaming profiles). Do you have any recommendation as to how to achieve it? THX – Yoope Oct 09 '19 at 05:51
  • The "easy" way is to log the account in like you did and configure the roaming profiles to do what's needed. You could also have a network share available to only those accounts and have it interact with the files there, rather than roaming profiles. Upvote is appreciated – Edwrd_T_Justice Oct 09 '19 at 05:54
  • Thanks, yeah I voted; it told me my vote was recorded but not displayed as my reputation is too low lol – Yoope Oct 09 '19 at 08:32
  • The [CNG API](https://docs.microsoft.com/en-us/windows/win32/seccng/cng-dpapi) specifically addresses this scenario and does not require roaming profiles. – Harry Johnston Oct 09 '19 at 18:40
  • @HarryJohnston Thanks for the info – Yoope Oct 10 '19 at 00:59
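The CNG DPAPI (DPAPI-NG) route mentioned in the last comments decouples the protected blob from any user profile: the secret is protected to a descriptor such as `SID=<service account SID>`, and any process whose token carries that SID can unprotect it on any domain-joined machine. The PowerShell below is an added example, not code from the thread or from Microsoft's documentation; it P/Invokes `NCryptCreateProtectionDescriptor`, `NCryptProtectSecret` and `NCryptUnprotectSecret` from `ncrypt.dll`. It assumes Windows 8 / Server 2012 or later, a domain with a KDS root key, and that the placeholder SID is replaced by the real service account's SID; the file path and sample secret are constructed for the demonstration.

```powershell
# Added example (not from the original thread): round-trip a secret through DPAPI-NG
# so both services, running as the same domain account on different VMs, share it
# without roaming profiles. Assumptions: domain-joined host with a KDS root key,
# and the SID placeholder below replaced with the service account's SID.
$source = @"
using System;
using System.Runtime.InteropServices;

public static class DpapiNg
{
    const uint NCRYPT_SILENT_FLAG = 0x00000040;   // never show a UI prompt (service context)

    [DllImport("ncrypt.dll", CharSet = CharSet.Unicode)]
    static extern int NCryptCreateProtectionDescriptor(string pwszDescriptorString, uint dwFlags, out IntPtr phDescriptor);

    [DllImport("ncrypt.dll")]
    static extern int NCryptCloseProtectionDescriptor(IntPtr hDescriptor);

    [DllImport("ncrypt.dll")]
    static extern int NCryptProtectSecret(IntPtr hDescriptor, uint dwFlags, byte[] pbData, uint cbData,
        IntPtr pMemPara, IntPtr hWnd, out IntPtr ppbProtectedBlob, out uint pcbProtectedBlob);

    [DllImport("ncrypt.dll")]
    static extern int NCryptUnprotectSecret(out IntPtr phDescriptor, uint dwFlags, byte[] pbProtectedBlob, uint cbProtectedBlob,
        IntPtr pMemPara, IntPtr hWnd, out IntPtr ppbData, out uint pcbData);

    [DllImport("kernel32.dll")]
    static extern IntPtr LocalFree(IntPtr hMem);   // output buffers are LocalAlloc'd when pMemPara is null

    static void Check(int status, string call)
    {
        if (status != 0) throw new InvalidOperationException(call + " failed with 0x" + status.ToString("X8"));
    }

    // Protect plaintext to a descriptor such as "SID=S-1-5-21-..." (user or group) or "LOCAL=machine".
    public static byte[] Protect(string descriptor, byte[] plaintext)
    {
        IntPtr hDesc;
        Check(NCryptCreateProtectionDescriptor(descriptor, 0, out hDesc), "NCryptCreateProtectionDescriptor");
        try
        {
            IntPtr pBlob; uint cbBlob;
            Check(NCryptProtectSecret(hDesc, NCRYPT_SILENT_FLAG, plaintext, (uint)plaintext.Length,
                IntPtr.Zero, IntPtr.Zero, out pBlob, out cbBlob), "NCryptProtectSecret");
            try { var blob = new byte[cbBlob]; Marshal.Copy(pBlob, blob, 0, (int)cbBlob); return blob; }
            finally { LocalFree(pBlob); }
        }
        finally { NCryptCloseProtectionDescriptor(hDesc); }
    }

    // Succeeds only when the caller's token satisfies the descriptor stored inside the blob.
    public static byte[] Unprotect(byte[] blob)
    {
        IntPtr hDesc; IntPtr pData; uint cbData;
        Check(NCryptUnprotectSecret(out hDesc, NCRYPT_SILENT_FLAG, blob, (uint)blob.Length,
            IntPtr.Zero, IntPtr.Zero, out pData, out cbData), "NCryptUnprotectSecret");
        try { var data = new byte[cbData]; Marshal.Copy(pData, data, 0, (int)cbData); return data; }
        finally { LocalFree(pData); NCryptCloseProtectionDescriptor(hDesc); }
    }
}
"@
Add-Type -TypeDefinition $source

# Placeholder: replace with the real SID, e.g. (Get-ADUser svc-app).SID.Value
$descriptor = 'SID=S-1-5-21-REPLACE-WITH-SERVICE-ACCOUNT-SID'
$secret     = [Text.Encoding]::UTF8.GetBytes('constructed sample key material')
$blobPath   = Join-Path $env:TEMP 'svc-secret.bin'   # constructed location; a share both VMs read works too

# Service A: protect and publish the blob.
[IO.File]::WriteAllBytes($blobPath, [DpapiNg]::Protect($descriptor, $secret))

# Service B (any domain-joined host, same account): recover the plaintext.
$recovered = [DpapiNg]::Unprotect([IO.File]::ReadAllBytes($blobPath))
[Text.Encoding]::UTF8.GetString($recovered)
```

Unlike classic user-scope DPAPI, which depends on the master keys stored under the user's profile (hence the roaming-profile workaround in the thread), the key material here is derived from the domain's KDS root key for the principal named in the descriptor, so the service account never needs an interactive logon or a profile on either VM.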