Regarding Windows services?
Hi all,
I have a few services which start as a logon service using my username and password. I happened to change my domain username and password.
After that the service does not start and says "logon failure", but after changing it manually, it works fine.
My question is: do I have to manually change the username and password?
How is it possible to ask the end user to do the same? Is there any other way to do it, without any user intervention?
OS: Windows 2008 R2 Server 64bit
Note: the User has Administrative privileges
Appreciate your help...
Regards
Pradish
May 12th, 2010 7:50am
My question is: do I have to manually change the username and password?
Yes, when you run a service under the credentials of a user account and you change the username or password (or SID, to be complete), you will have to make these changes to the properties of the service manually as well. This is a common problem with 'Service accounts'.
How is it possible to ask the end user to do the same? Is there any other way to do it, without any user intervention?
When the user has administrative privileges, the user can perform the same actions as you would have performed. This becomes tedious indeed.
Luckily, with Windows 7 and Windows Server 2008 R2, Microsoft introduced the Managed Service Account with Active Directory.
Note:
The domain and forest will need to be prepared for Windows Server 2008 R2. When running pre-Windows Server 2008 R2 Domain Controllers, the functionality will work, except for automatic password and SPN management. It is therefore advised to use Windows Server 2008 R2-based Domain Controllers when utilizing this feature.
You could compare Managed Service Accounts with the Local System, Network Service and Local Service accounts.
A Managed Service Account, derived from the computer account object, offers a big benefit: just like with a computer account and the typical local system accounts, the managed service account will automatically change its password regularly. It can also update its Service Principal Name (SPN) automatically.
From a security point of view, this means that, in a worst case scenario, a sniffed (and decoded) password (hash) can only be used for a limited amount of time. It also means that when the account is only given the bare minimum privileges, an attacker cannot exploit a vulnerability in the service beyond the service itself.
Note:
Probably because of this security concern, a managed service account can only be assigned to one host at a time.
From a management point of view, it means you can create automatically changing service accounts per service per host. After renaming the host, the service will start like it did before.
The command to create a Managed Service Account after enabling PowerShell Active Directory Management (using Import-Module ActiveDirectory) would look something like:
Import-Module ActiveDirectory
New-ADServiceAccount -Name MSA-Host1 -Path "CN=Managed Service Accounts,DC=domain,DC=tld"
Note:
While creating a Managed Service Account is also possible using Active Directory Users and Computers (dsa.msc), this is not the ideal way to create these accounts.
Then, to assign the Managed Service Account to a host, use the following command:
Add-ADComputerServiceAccount -Identity Host1 -ServiceAccount MSA-Host1
As a last step, install the Managed Service Account on the host that hosts the service, in this case Host1:
Import-Module ActiveDirectory
Install-ADServiceAccount -Identity MSA-Host1
After this third step you can configure the service to run using the managed service account.
More information:
Managing Managed Service Accounts
Create Managed Service Accounts with PowerShell.
Do not create managed service accounts with Active Directory Users and Computers.
What's New in Service Accounts
Controlling Windows Services and Service Accounts
Managed Service Accounts
Server 2008 R2 Managed Service Account Bug
May 12th, 2010 8:45am
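The following script ties the three steps from the answer above together and finishes with the part the answer only describes in prose: finding the services that still run under a personal domain account (the situation in the question) and pointing one of them at the new Managed Service Account. This is an added example, not code from the thread or from Microsoft; the domain name, host name, MSA name and service name are placeholders, and it assumes a Windows Server 2008 R2 domain member with the Active Directory PowerShell module (RSAT) installed, since Install-ADServiceAccount must run on the host itself.

```powershell
# Added example, not part of the original thread.
# Assumptions (all placeholders): NetBIOS domain "domain", DNS domain "domain.tld",
# target host "Host1", MSA "MSA-Host1", service "MyService".
# Steps 1-2 run from any domain member with the AD module; steps 3-5 run on Host1.

Import-Module ActiveDirectory

$domain   = 'domain'       # placeholder NetBIOS domain name
$hostName = 'Host1'        # placeholder computer account that will own the MSA
$msaName  = 'MSA-Host1'    # placeholder MSA name (sAMAccountName becomes MSA-Host1$)
$svcName  = 'MyService'    # placeholder service to move off the personal account

# 1. Create the MSA in the default Managed Service Accounts container (placeholder DN).
New-ADServiceAccount -Name $msaName -Path "CN=Managed Service Accounts,DC=domain,DC=tld"

# 2. Bind the MSA to the single host allowed to retrieve its password.
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName

# --- from here on, run on Host1 itself ---

# 3. Install the MSA locally so the Service Control Manager can fetch its password.
Install-ADServiceAccount -Identity $msaName

# 4. Inventory: which services still log on with a personal domain account?
#    Computer and MSA accounts end in '$', so they are excluded from the report.
$personal = Get-WmiObject Win32_Service |
    Where-Object { $_.StartName -like "$domain\*" -and $_.StartName -notlike '*$' }
$personal | Select-Object Name, StartName, StartMode, State | Format-Table -AutoSize

# 5. Reconfigure the service to use the MSA. The logon name is DOMAIN\<msa>$ and
#    the password is left blank: the SCM retrieves the current password from AD,
#    so a later password rotation no longer breaks the service.
$svc = Get-WmiObject Win32_Service -Filter "Name='$svcName'"
if ($svc -eq $null) { throw "Service $svcName not found on this host" }

# Win32_Service.Change positional parameters 7 and 8 are StartName and StartPassword;
# the others are left $null so they keep their current values.
$result = $svc.Change($null, $null, $null, $null, $null, $null, "$domain\$msaName`$", '')
if ($result.ReturnValue -ne 0) {
    throw "Win32_Service.Change failed with return code $($result.ReturnValue)"
}

Restart-Service -Name $svcName
Get-WmiObject Win32_Service -Filter "Name='$svcName'" | Select-Object Name, StartName, State
```

The inventory in step 4 is worth keeping as a recurring check on its own: any service whose StartName is a domain user rather than an account ending in `$` will fail with the same logon failure the question describes the next time that user's password changes.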
Thank you very much for the reply
May 12th, 2010 12:32pm