JJC Systems

Creating a "Service" Account in Active Directory

Purpose: The purpose of this Standard Operating Procedure (SOP) is to provide a step-by-step guide for creating a "Service" account in Active Directory. A service account is typically used to run a service or application and should be created following specific guidelines to ensure security and proper functioning.

Scope: This SOP applies to administrators or IT personnel responsible for managing Active Directory and creating service accounts.


1. Determine the Purpose and Scope:

  • Identify the specific service or application for which the service account is being created.

  • Determine the permissions and access levels required for the service account.

2. Plan the Service Account Name:

  • Follow a naming convention for service accounts that is consistent with your organization's naming standards.

  • Ensure the name is descriptive and easily identifiable.

3. Open the Management Console:

  • Log in to a domain-joined server or a workstation with administrative privileges.

  • Open the Active Directory Users and Computers management console.

4. Select the Appropriate Organizational Unit (OU):

  • Navigate to the appropriate OU where the service account will be created.

  • If necessary, create a new OU for the service account based on your organizational structure.

5. Create the Service Account:

  • Right-click on the OU and select "New" > "User".

  • Enter the desired service account name in the "User logon name" field.

  • Optionally, enter a full name and description for the service account.

  • Set a strong password for the service account, following your organization's password policy.

6. Configure Account Options:

  • Uncheck the "User must change password at next logon" option.

  • Select "Password never expires" if the service account does not require regular password changes.

  • If necessary, specify the service account's account expiration date.

7. Configure Security Group Membership:

  • Add the service account to the appropriate security groups based on the required permissions and access levels.

  • Consider creating a dedicated security group for the service account to manage its permissions efficiently.

8. Assign Service Principal Name (SPN) (if applicable):

  • Determine if the service account requires an SPN for Kerberos authentication.

  • If needed, assign the SPN to the service account using the "setspn" command-line tool.

9. Document the Service Account Details:

  • Maintain a record of the service account's name, purpose, description, and associated security groups.

  • Store this documentation securely and make it accessible to the relevant IT personnel.

10. Test and Validate the Service Account:

  • Use the service account credentials to authenticate and test the service or application it is associated with.

  • Ensure the service or application functions as expected with the newly created service account.

11. Monitor and Maintain the Service Account:

  • Regularly review the service account's permissions and access levels to ensure they align with the intended purpose.

  • Follow your organization's procedures for managing and rotating service account passwords, if required.

  • Update the service account documentation as changes or updates occur.

12. Decommission or Disable Service Account (when no longer needed):

  • When the service or application is no longer in use, remove the service account from any security groups.

  • Disable or delete the service account in Active Directory, following your organization's guidelines and policies.
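The steps above can also be carried out with the ActiveDirectory PowerShell module instead of the Users and Computers console. The script below is an added example, not part of the original SOP or JJC Systems' own tooling. It assumes RSAT's ActiveDirectory module is installed, that the caller can create users in the target OU, and that the account name, OU path, group, UPN suffix and SPN are placeholders you replace with your organization's values. It creates the account (steps 5 and 6), adds it to a dedicated group (step 7), registers the SPN (step 8, the same result as `setspn -S`), validates the object before hand-over (step 10), and provides a decommissioning function (step 12).

```powershell
# Added example (not from the original SOP). Placeholder names below are hypothetical.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$Params = @{
    SamAccountName = 'svc-examplesvc'                                  # hypothetical; follows a "svc-" prefix convention (step 2)
    UpnSuffix      = 'example.local'                                   # hypothetical domain
    Description    = 'Runs the Example Service on APP01; owner: IT Ops' # purpose and owner recorded on the object (step 9)
    OUPath         = 'OU=Service Accounts,OU=Admin,DC=example,DC=local' # hypothetical OU (step 4)
    Group          = 'SG-ExampleService-Access'                         # hypothetical dedicated security group (step 7)
    Spn            = 'HTTP/app01.example.local'                         # hypothetical SPN (step 8)
    ExpiresOn      = (Get-Date).AddYears(1)                             # optional account expiration (step 6)
}

function New-ServiceAccountPassword {
    # Generates a long random password so the account meets a strong password policy (step 5).
    param([int]$Length = 32)
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    # Base64 yields letters, digits and symbols; trim to the requested length.
    return ([Convert]::ToBase64String($bytes)).Substring(0, $Length)
}

function New-ServiceAccount {
    param([hashtable]$P)
    $plain  = New-ServiceAccountPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force

    # Steps 5 and 6: create the user in the chosen OU with the account options the SOP lists.
    # PasswordNeverExpires is set here on the assumption that step 11's rotation procedure covers this account.
    New-ADUser -Name $P.SamAccountName `
               -SamAccountName $P.SamAccountName `
               -UserPrincipalName "$($P.SamAccountName)@$($P.UpnSuffix)" `
               -Description $P.Description `
               -Path $P.OUPath `
               -AccountPassword $secure `
               -ChangePasswordAtLogon $false `
               -PasswordNeverExpires $true `
               -AccountExpirationDate $P.ExpiresOn `
               -Enabled $true

    # Step 7: the dedicated group carries the permissions; the account is only a member of it.
    Add-ADGroupMember -Identity $P.Group -Members $P.SamAccountName

    # Step 8: register the SPN on the account (same effect as "setspn -S <spn> <account>").
    Set-ADUser -Identity $P.SamAccountName -ServicePrincipalNames @{Add = $P.Spn}

    # The password is returned once for out-of-band delivery to the service owner; it is not written to disk.
    return $plain
}

function Test-ServiceAccount {
    # Step 10: verify the object matches the SOP's settings before handing it over.
    param([hashtable]$P)
    $u = Get-ADUser -Identity $P.SamAccountName -Properties PasswordNeverExpires, ServicePrincipalNames, MemberOf, Description
    $checks = [ordered]@{
        Enabled              = $u.Enabled
        PasswordNeverExpires = $u.PasswordNeverExpires
        HasSpn               = $u.ServicePrincipalNames -contains $P.Spn
        InGroup              = ($u.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name }) -contains $P.Group
        Documented           = -not [string]::IsNullOrWhiteSpace($u.Description)
    }
    $checks.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }
    return ($checks.Values -notcontains $false)
}

function Disable-ServiceAccount {
    # Step 12: remove every group membership first, then disable; deletion is left to your retention policy.
    param([hashtable]$P)
    $u = Get-ADUser -Identity $P.SamAccountName -Properties MemberOf, Description
    foreach ($g in $u.MemberOf) { Remove-ADGroupMember -Identity $g -Members $u -Confirm:$false }
    Disable-ADAccount -Identity $u
    $stamp = 'DISABLED {0}: ' -f (Get-Date -Format 'yyyy-MM-dd')
    Set-ADUser -Identity $u -Description ($stamp + $u.Description)   # keeps the record of purpose on the object (step 9)
}

# Usage: create, validate, then deliver the returned password to the service owner out of band.
$pw = New-ServiceAccount -P $Params
if (Test-ServiceAccount -P $Params) { 'Account ready; deliver the password to the service owner out of band.' }
```

Run it from an account that has the rights the SOP's step 3 describes. The validation function prints each check and returns `$true` only when all of them pass, so it can be reused for the periodic review in step 11; the decommissioning function is what step 12 describes, done in the order the SOP gives (group removal first, then disable).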

Note: This SOP provides a general guideline for creating a service account in Active Directory. Ensure that you follow any additional security measures or specific requirements set by your organization.
