different sys account for each service?
Hello, are there any best practices or whitepapers that recommend setting a different system account for each service or communication with other machines (for example, server communication with a report server, or with an OPC server, or with a SQL server, etc.)? And not having just one system account for all :( Good and clear reasons? (security, difficulty, and also better management of these system accounts...) Thank you. M.
September 19th, 2011 11:34am

The planning guide linked on this page may help: http://technet.microsoft.com/en-us/library/cc170953.aspx

From past research, I believe using separate accounts for each service:

1. Ensures that each service account has only the privileges needed.
2. Reduces the risk if a service account is compromised.
3. If a service account gets locked out, the other services are not affected.

Richard Mueller - MVP Directory Services
September 19th, 2011 3:01pm

Regardless of best practices and whitepapers, I can concur with Richard. My experience has been that these are the three main reasons for having separate service accounts. You definitely do not want to use any Windows built-in accounts such as the administrator or accounts used by your users. Using a single service account across multiple systems could cause an issue when you need to reset the password (say someone leaves the company and they know the password). Or if the account gets locked out, all of the systems will be affected.

Additionally, I have found that many vendors will say that the service account must be a member of the domain admins group. Do not take them at their word. Make sure they provide you with reasons as to why they require that. What I have experienced is that they make these claims so as not to have to deal with the work involved in setting the proper permissions and rights. Of course, adding the account to the domain admins group usually will make the apps/services access resources, communicate, etc. much easier, for the vendor.

Visit anITKB.com, an IT Knowledge Base.
September 19th, 2011 3:32pm
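
An audit for the points raised in the two answers above (one account shared by several services or machines, a service running as the built-in Administrator, a service account in a privileged group), as an added example that is not part of the original thread. The function name `Find-ServiceAccountRisk`, the account names and the sample rows are hypothetical; `SystemName`, `Name` and `StartName` are the real `Win32_Service` properties.

```powershell
# Added example: flag shared or over-privileged service accounts.
# Input rows need SystemName, Name and StartName, so live data can come from:
#   Get-CimInstance Win32_Service -ComputerName $servers
function Find-ServiceAccountRisk {
    param(
        [Parameter(Mandatory)] [object[]] $Service,
        # Accounts known to be in a privileged group (e.g. Domain Admins),
        # supplied by the caller in DOMAIN\name form.
        [string[]] $PrivilegedAccount = @()
    )
    # Built-in service identities are not custom accounts; leave them out.
    $builtin = '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)'
    $custom = $Service | Where-Object { $_.StartName -and $_.StartName -notmatch $builtin }

    # Group-Object and -contains compare case-insensitively by default.
    foreach ($group in ($custom | Group-Object StartName)) {
        $account  = $group.Name
        $usedBy   = @($group.Group | ForEach-Object { '{0}\{1}' -f $_.SystemName, $_.Name })
        $findings = @()
        # One password reset or lockout would hit every service listed.
        if ($group.Count -gt 1)                     { $findings += 'SharedAccount' }
        if ($PrivilegedAccount -contains $account)  { $findings += 'PrivilegedGroupMember' }
        if ($account -match '\\Administrator$')     { $findings += 'BuiltInAdministrator' }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Account  = $account
                Findings = $findings -join ','
                UsedBy   = $usedBy -join '; '
            }
        }
    }
}

# Constructed sample inventory (not real data).
$sample = @(
    [pscustomobject]@{ SystemName = 'APP01'; Name = 'ReportSvc';   StartName = 'CORP\svc-app' }
    [pscustomobject]@{ SystemName = 'OPC01'; Name = 'OpcBridge';   StartName = 'CORP\svc-app' }
    [pscustomobject]@{ SystemName = 'SQL01'; Name = 'MSSQLSERVER'; StartName = 'CORP\svc-sql' }
    [pscustomobject]@{ SystemName = 'APP01'; Name = 'VendorAgent'; StartName = 'CORP\svc-vendor' }
    [pscustomobject]@{ SystemName = 'APP02'; Name = 'LegacyJob';   StartName = 'CORP\Administrator' }
    [pscustomobject]@{ SystemName = 'APP01'; Name = 'Spooler';     StartName = 'LocalSystem' }
)

Find-ServiceAccountRisk -Service $sample -PrivilegedAccount 'CORP\svc-vendor' |
    Format-Table -AutoSize
```

With the sample rows, `CORP\svc-app`, `CORP\svc-vendor` and `CORP\Administrator` are reported, while `CORP\svc-sql` and `LocalSystem` are not.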

This topic is archived. No further replies will be accepted.
