Migrating Windows Server 2003 Service Accounts to Group Managed Service Accounts
Ask Windows Server administrators about the security of their service accounts and many will start avoiding eye contact.
May 22, 2015
This is because many administrators take the easy way out when it comes to setting up service accounts. That is, they create a domain user account with a password that never expires and add it to the local Administrators group on whatever computer will host the workload that needs the service. In some cases the same service account is reused for some, and occasionally all, services in the organization.
Which is why administrators avoid eye contact. Server administrators can be lazy in the way that overworked people become lazy.
Many server administrators start out with nobler intentions. They begin by configuring accounts whose passwords must be changed regularly and ensure those accounts are granted only the rights they need, set through Group Policy.
Unfortunately, changing passwords securely and on a regular basis for a large number of service accounts is time consuming. The accounts are not particularly secure if you use the same password for every service account in the organization each time you change them, and each change has to be pushed to every service that uses the account. Service account password management quickly degenerates into keeping a spreadsheet of service account passwords, which is itself a security problem: a static, shared, never-expiring password with local administrator rights on many hosts is exactly the credential an attacker wants to capture and reuse.
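Before migrating anything it helps to know how many of these hand-made service accounts exist. The following PowerShell is an added example for this article, not the author's own script; the domain name CORP, the computer names and the assumption that the RSAT ActiveDirectory module and the LocalAccounts module are available are all hypothetical.

```powershell
# Added example (not from the original article). Run on a domain-joined admin host
# with the RSAT ActiveDirectory module; the domain name CORP is a hypothetical stand-in.
Import-Module ActiveDirectory

# Domain user accounts that look like hand-made service accounts: enabled, password
# never expires, and an SPN registered. The SPN also makes them Kerberoastable, so a
# weak, never-rotated password here is an offline-crackable credential.
function Get-LegacyServiceAccount {
    Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
        -Properties PasswordLastSet, ServicePrincipalName, MemberOf |
        Where-Object { $_.ServicePrincipalName } |
        Select-Object SamAccountName, PasswordLastSet,
            @{ n = 'AgeDays'; e = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } },
            @{ n = 'SPNs';    e = { $_.ServicePrincipalName -join ';' } } |
        Sort-Object PasswordLastSet
}

# On a member server: which Windows services run as a domain account, and does that
# account sit in the local Administrators group? Accounts ending in '$' are computer
# or group managed service accounts and are excluded, since those are already managed.
function Get-LocalServiceAccountUsage {
    $admins = (Get-LocalGroupMember -Group 'Administrators').Name   # needs PS 5.1+ / Server 2016+
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -like 'CORP\*' -and $_.StartName -notlike '*$' } |
        Select-Object Name, State, StartName,
            @{ n = 'LocalAdmin'; e = { $admins -contains $_.StartName } }
}

Get-LegacyServiceAccount | Format-Table -AutoSize
Get-LocalServiceAccountUsage | Format-Table -AutoSize
```

Run the second function on each host you intend to migrate; an account that appears in both lists, with a password age in the hundreds of days and LocalAdmin set to True, is the first candidate for replacement.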
Once an organization has at least one Windows Server 2012 (or later) domain controller and member servers running Windows Server 2012 or later, it can implement Group Managed Service Accounts (gMSAs). A Group Managed Service Account is an account type specifically designed for services that need their own identity on computers joined to an Active Directory domain. Unlike the original standalone Managed Service Account, a gMSA can be used on more than one host, which is what makes it suitable for clustered and load-balanced workloads.
The headline feature of Group Managed Service Accounts is that the password is generated, rotated and maintained automatically by Active Directory. An administrator creates and configures the account, authorizes the computers that are allowed to retrieve its password, assigns it the appropriate permissions, and then doesn't have to worry about it. In the background the domain controllers derive a new 240-byte random password on a fixed interval (30 days by default), and authorized hosts fetch it over a secured LDAP channel when they need it. No human ever sees the password, so it cannot be written in a spreadsheet, reused across services or guessed; that, rather than the rotation alone, is what removes the password-breach risk. Two caveats remain: a gMSA does nothing about excessive rights, so it should still be granted only the permissions the service needs rather than local Administrators membership, and any computer (or member of a group) listed as allowed to retrieve the password can run as that identity, so that list deserves the same scrutiny as a privileged group.
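The migration described above, end to end, as an added PowerShell example that is not part of the original article. The domain corp.example.com, the group and account names, the host names APP01 and APP02 and the service name MyAppService are all hypothetical; the cmdlets are the standard ones from the ActiveDirectory module.

```powershell
# Added example (not from the original article). Names below are hypothetical.
# Steps 1-3 run on an admin host as a domain administrator; steps 4-5 run on each member server.
Import-Module ActiveDirectory

# 1. One-time per forest: the KDS root key the DCs use to derive gMSA passwords.
#    In production use the default EffectiveTime (usable ~10 hours later, after replication);
#    the backdated time below is a lab-only shortcut so the key is usable immediately.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. A group of the hosts allowed to retrieve the password. Keep this list tight:
#    every member can run as the service identity.
$allowedHosts = New-ADGroup -Name 'svc-appsvc-hosts' -GroupScope Global -PassThru
Add-ADGroupMember -Identity $allowedHosts -Members (Get-ADComputer APP01), (Get-ADComputer APP02)

# 3. Create the gMSA. The rotation interval can only be set at creation time.
New-ADServiceAccount -Name 'svc-appsvc' `
    -DNSHostName 'svc-appsvc.corp.example.com' `
    -PrincipalsAllowedToRetrieveManagedPassword $allowedHosts `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128, AES256

# 4. On each member server. The computer needs a fresh Kerberos ticket to see its new group
#    membership (reboot, or 'klist -li 0x3e7 purge'), otherwise Test-ADServiceAccount returns False.
Install-ADServiceAccount -Identity 'svc-appsvc'
if (-not (Test-ADServiceAccount -Identity 'svc-appsvc')) {
    throw 'This host cannot retrieve the gMSA password; check group membership and ticket cache.'
}

# 5. Point the service at the gMSA: the logon name ends in '$' and no password is supplied.
#    sc.exe does not grant 'Log on as a service'; assign that right via Group Policy or secpol.
sc.exe config 'MyAppService' obj= 'CORP\svc-appsvc$' password= ''
Restart-Service -Name 'MyAppService'

# 6. Verify that rotation is really happening: PasswordLastSet advances on its own.
Get-ADServiceAccount -Identity 'svc-appsvc' -Properties PasswordLastSet, 'msDS-ManagedPasswordInterval' |
    Select-Object Name, PasswordLastSet, 'msDS-ManagedPasswordInterval'
```

Once the service is running as the gMSA, disable (rather than delete) the old domain user account for a few weeks so that anything still depending on it fails loudly and can be found, then remove it.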
You can learn more about Group Managed Service Accounts at: https://technet.microsoft.com/en-au/library/hh831782.aspx