Creating a "Service" Account in Active Directory
Purpose: The purpose of this Standard Operating Procedure (SOP) is to provide a step-by-step guide for creating a "Service" account in Active Directory. A service account is typically used to run a service or application and should be created following specific guidelines to ensure security and proper functioning.
Scope: This SOP applies to administrators or IT personnel responsible for managing Active Directory and creating service accounts.
1. Determine the Purpose and Scope:
Identify the specific service or application for which the service account is being created.
Determine the permissions and access levels required for the service account.
2. Plan the Service Account Name:
Follow a naming convention for service accounts that is consistent with your organization's naming standards.
Ensure the name is descriptive and easily identifiable.
3. Open the Management Console:
Log in to a domain-joined server or workstation with an account that has been delegated the right to create users in the target OU; do not use a Domain Admin account for routine account creation.
Open the Active Directory Users and Computers management console.
4. Select the Appropriate Organizational Unit (OU):
Navigate to the appropriate OU where the service account will be created.
If necessary, create a new OU for the service account based on your organizational structure.
5. Create the Service Account:
Right-click on the OU and select "New" > "User".
Enter the service account name in the "User logon name" field. The pre-Windows 2000 logon name (sAMAccountName) is limited to 20 characters, so choose a name that fits the convention from step 2 within that limit.
Optionally, enter a full name and description for the service account. The description should name the service, the host it runs on, and the owning team, since this is the first place an administrator looks when an unfamiliar account shows up in a review.
Set a long, randomly generated password for the service account that meets or exceeds your organization's password policy. Nobody needs to remember a service account password, so there is no reason for it to be shorter than the policy maximum.
6. Configure Account Options:
Uncheck the "User must change password at next logon" option; a service cannot respond to a change-password prompt and will simply fail to start.
Select "Password never expires" only if the service account will not be rotated on a schedule; an expired password stops the service, but a never-expiring one must then be covered by the rotation procedure in step 11. Where the service supports it, a group managed service account (gMSA) removes the password-handling problem entirely.
If necessary, specify an account expiration date (for example, for a pilot or a contractor-run integration) so the account cannot outlive its purpose unnoticed.
7. Configure Security Group Membership:
Add the service account to the security groups that grant the permissions and access levels identified in step 1, and nothing beyond them.
Consider creating a dedicated security group for the service account so that its permissions can be reviewed and revoked in one place.
8. Assign Service Principal Name (SPN) (if applicable):
Determine if the service account requires an SPN for Kerberos authentication (for example, HTTP/hostname for a web application pool or MSSQLSvc/hostname:port for SQL Server).
If needed, register the SPN with the "setspn -S" command-line tool; the -S switch checks that the SPN is not already registered on another account before adding it, because a duplicate SPN breaks Kerberos authentication for both accounts. Note that any account holding an SPN can have service tickets requested for it by any domain user, so the password strength required in step 5 matters most for these accounts.
9. Document the Service Account Details:
Maintain a record of the service account's name, purpose, description, and associated security groups.
Store this documentation securely and make it accessible to the relevant IT personnel.
10. Test and Validate the Service Account:
Configure the service or application to run as the service account and confirm that it authenticates successfully; avoid testing by logging on interactively, since service accounts should not normally be granted interactive logon.
Ensure the service or application functions as expected with the newly created service account, and confirm in the console that the account options and group memberships match what was planned.
11. Monitor and Maintain the Service Account:
Regularly review the service account's permissions and access levels to ensure they align with the intended purpose.
Follow your organization's procedures for managing and rotating service account passwords, if required.
Update the service account documentation as changes or updates occur.
12. Decommission or Disable Service Account (when no longer needed):
When the service or application is no longer in use, remove the service account from any security groups.
Disable or delete the service account in Active Directory, following your organization's guidelines and policies.
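The following PowerShell script carries steps 1 through 10 out in one run using the RSAT ActiveDirectory module. It is an added example written for this SOP, not a script from the original document or from Microsoft. The domain name corp.example, the OU path, the group name, the account name and the SPN are placeholders chosen for illustration; replace them with values from your own naming standard. The script also applies two hardening settings the console steps above do not mention, AES-only Kerberos encryption and "account is sensitive and cannot be delegated", and it refuses to continue if the sAMAccountName or the requested SPN already exists.

```powershell
# Added example for this SOP (not from the original page). Assumes: RSAT ActiveDirectory
# module installed, caller delegated rights on the target OU, and placeholder names for
# the illustrative domain corp.example.
#Requires -Modules ActiveDirectory
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Random password from a 64-symbol alphabet: one byte maps to one symbol without modulo
# bias (256 is a multiple of 64). 32 symbols is 192 bits of entropy.
function New-RandomServicePassword {
    param([int]$Length = 32)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!-'
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    $plain = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
    return (ConvertTo-SecureString -String $plain -AsPlainText -Force)
}

function New-HardenedServiceAccount {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,   # assumed convention: svc-<app>-<role>
        [Parameter(Mandatory)][string]$Description,      # service, host and owning team
        [Parameter(Mandatory)][string]$OUPath,           # e.g. "OU=Service Accounts,DC=corp,DC=example"
        [Parameter(Mandatory)][string]$GroupName,        # dedicated group that carries the rights
        [string[]]$ServicePrincipalNames = @(),
        [string]$UpnSuffix = 'corp.example',             # placeholder domain
        [datetime]$AccountExpirationDate
    )

    # Step 5 checks: sAMAccountName is capped at 20 characters and must be unique.
    if ($SamAccountName.Length -gt 20) { throw "sAMAccountName '$SamAccountName' exceeds 20 characters" }
    if (Get-ADUser -LDAPFilter "(sAMAccountName=$SamAccountName)") { throw "Account '$SamAccountName' already exists" }

    # Step 8 check: a duplicate SPN breaks Kerberos for both owners, so refuse to register one.
    foreach ($spn in $ServicePrincipalNames) {
        $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)"
        if ($owner) { throw "SPN '$spn' is already registered on $($owner.DistinguishedName)" }
    }

    $password = New-RandomServicePassword
    $params = @{
        Name                   = $SamAccountName
        SamAccountName         = $SamAccountName
        UserPrincipalName      = "$SamAccountName@$UpnSuffix"
        Path                   = $OUPath
        Description            = $Description
        AccountPassword        = $password
        Enabled                = $true
        ChangePasswordAtLogon  = $false            # step 6: a service cannot answer a change prompt
        PasswordNeverExpires   = $true             # step 6: rotation is owned by the step 11 procedure
        CannotChangePassword   = $true             # only the rotation process may set the password
        KerberosEncryptionType = 'AES128,AES256'   # no RC4 tickets, which are far cheaper to crack offline
    }
    if ($ServicePrincipalNames.Count -gt 0) { $params.ServicePrincipalNames = $ServicePrincipalNames }
    if ($PSBoundParameters.ContainsKey('AccountExpirationDate')) { $params.AccountExpirationDate = $AccountExpirationDate }
    New-ADUser @params

    # Hardening beyond the console steps: nothing may impersonate this account via Kerberos delegation.
    Set-ADAccountControl -Identity $SamAccountName -AccountNotDelegated $true

    # Step 7: a dedicated group makes the account's rights reviewable and revocable in one place.
    if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$GroupName)")) {
        New-ADGroup -Name $GroupName -SamAccountName $GroupName -GroupScope Global -GroupCategory Security `
            -Path $OUPath -Description "Rights for $SamAccountName"
    }
    Add-ADGroupMember -Identity $GroupName -Members $SamAccountName

    # Step 10: read the object back and validate every setting that matters.
    $user = Get-ADUser -Identity $SamAccountName -Properties PasswordNeverExpires, ServicePrincipalNames,
        MemberOf, KerberosEncryptionType, AccountNotDelegated, Description
    $problems = @()
    if (-not $user.PasswordNeverExpires) { $problems += 'PasswordNeverExpires is not set' }
    if (-not $user.AccountNotDelegated)  { $problems += 'account is still delegable' }
    if ($user.MemberOf -notcontains (Get-ADGroup -Identity $GroupName).DistinguishedName) { $problems += "not a member of $GroupName" }
    foreach ($spn in $ServicePrincipalNames) {
        if ($user.ServicePrincipalNames -notcontains $spn) { $problems += "SPN $spn missing" }
    }
    if ($problems) { throw ('Validation failed: ' + ($problems -join '; ')) }

    # The password is returned once, as a SecureString, so it can be handed to the secret vault
    # (step 9). It is never written to the console or to a file here.
    return [pscustomobject]@{ Account = $user; Password = $password }
}

# Usage with placeholder values (illustrative, not real infrastructure):
# $r = New-HardenedServiceAccount -SamAccountName 'svc-payroll-web' `
#        -Description 'Payroll web app pool on PAYWEB01; owner: Finance IT' `
#        -OUPath 'OU=Service Accounts,DC=corp,DC=example' -GroupName 'SvcRights-payroll-web' `
#        -ServicePrincipalNames 'HTTP/payroll.corp.example'
```

The duplicate-SPN check with Get-ADObject does the same job as "setspn -S" from step 8 but runs before the account exists, so a conflict aborts the whole procedure instead of leaving a half-configured account behind. The returned SecureString is the only copy of the password; store it in the organization's secret vault and then drop the variable. Denying the account interactive and remote interactive logon is still done through Group Policy on the hosts where it runs, which this script does not cover.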
Note: This SOP provides a general guideline for creating a service account in Active Directory. Ensure that you follow any additional security measures or specific requirements set by your organization.