Microsoft introduces two new type of service account in Windows 2008 R2 and Windows 7 to enhance the isolation and management of service accounts. These two accounts are Managed Service accounts and virtual accounts. These also eliminate the need for an administrator to manually administer the SPN and credential for these accounts. Managed Service accounts are the domain accounts while virtual accounts the “managed local accounts” that can use a computer credential to access network resources.
Read more >>
Concept: Managed service account and virtual account
When a service account is created, the biggest challenge is “how and who will manage the password”. This is big challenge and extra overhead on administrators in an organization where plenty of service accounts are in used. One miss can bring the application down and impact the organization in a way. Hence administrators spend considerable amount of time on maintaining service accounts password. In addition, these maintenance tasks may disrupt the service.
Two new types of accounts in Windows 2008 R2 and Windows 7 are provided to address such issues in organization, eliminating the need for administrators to manually administer the credential for service accounts.
Managed service accounts provide the following the features:
- Automatic password management
- Simplified SPN management, including delegation of management
Virtual accounts provide following features:
- No password management is required
- The ability to access the network with a computer identity in a domain.
Requirement for using managed service accounts and virtual accounts
One managed service account can be used on a single computer but multiple services. Managed service accounts cannot be shared between multiple computers.
- Supported operating systems: Windows 2008 R2 and Windows 7
- Windows 2008 R2 domain functional level provides native support for both automatic password management and SPN management.
- If the domain functional level is Windows 2003 Native or Windows 2008, additional configuration is required in order to support managed service accounts.
- If the domain controller is on Windows 2008 or Windows 2003 but Active Directory Schema is updated to Windows 2008 R2, managed service accounts can be used service accounts password will be managed automatically. However, domain administrators will still need to configure SPN manually for managed service accounts.
- Windows PowerShell cmdlet can be used to create, read, update and delete managed service account on a domain controller. There is no user interface for creating and managing these accounts in Windows 2008 R2 and Windows 7.
No comments:
Post a Comment