Active Directory service accounts

Special accounts in Active Directory designed to support automated services and applications.

Description

Active Directory service accounts are non-human identities (NHIs) that run automated services, applications, or processes within an Active Directory environment. They exist so that a service can run with exactly the permissions it needs, rather than under a regular user account whose credentials and privileges carry additional risk. There are two main types: Managed Service Accounts (MSAs) and Group Managed Service Accounts (gMSAs). An MSA is bound to a single computer and serves a single service instance there; a gMSA can be used across multiple servers, which makes it the scalable choice for load-balanced services.

A key benefit of both types is automated password management: the accounts update their own passwords without administrator intervention, so credentials never have to be handled, stored, or rotated by hand. This improves security and simplifies maintenance. Overall, Active Directory service accounts are a core part of modern IT infrastructure, enabling secure and efficient operation of applications and services.

Examples

  • Managed Service Accounts (MSAs) for Windows services
  • Group Managed Service Accounts (gMSAs) used in web applications across multiple servers

Additional Information

  • Service accounts help reduce the attack surface by limiting the privileges a service runs with, instead of relying on a broadly privileged user account.
  • Best practices involve using unique service accounts for different applications to enhance security.
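
The provisioning and inventory steps behind the description and the best practices above, as an added PowerShell example that is not part of the original entry: it creates one gMSA per application, limits which hosts may retrieve its password, and lists service accounts that still rely on manually managed passwords. The account, group and host names are placeholders, and the script assumes the ActiveDirectory RSAT module and sufficient domain rights.

```powershell
# Added example (not from the original entry). Names below are placeholders.
# Requires the ActiveDirectory module and rights to create service accounts.
Import-Module ActiveDirectory

$AccountName = 'svc-webapp'            # hypothetical gMSA name (one per application)
$HostGroup   = 'WebApp-Servers'        # hypothetical AD group containing the web servers
$DnsHostName = 'webapp.corp.example'   # hypothetical DNS name the service answers on

# 1. The KDS root key is what lets the hosts derive the gMSA password themselves;
#    New-ADServiceAccount fails without it. It is created once per forest.
if (-not (Get-KdsRootKey)) {
    # -EffectiveImmediately suits a lab; in production allow time for the key
    # to replicate to all domain controllers before first use.
    Add-KdsRootKey -EffectiveImmediately
}

# 2. One gMSA for this application only, with password retrieval restricted to
#    the computer group that actually hosts it (least privilege).
New-ADServiceAccount -Name $AccountName `
    -DNSHostName $DnsHostName `
    -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128,AES256

# 3. On each member server (after it joins $HostGroup and reboots so its
#    Kerberos ticket carries the group), install and verify the account:
#    Install-ADServiceAccount $AccountName
#    Test-ADServiceAccount $AccountName   # True when the host can fetch the password

# 4. Defender inventory: which gMSAs exist and who may read their passwords ...
Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword

# ... and which ordinary user accounts still carry a service principal name,
# i.e. services running under a manually managed password that should be
# migrated to an MSA/gMSA.
Get-ADUser -Filter { ServicePrincipalName -like '*' } -Properties ServicePrincipalName, PasswordLastSet |
    Select-Object Name, PasswordLastSet, @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ';' } }
```

The last query is the migration worklist: every account it returns is a service whose password rotation still depends on an administrator.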
