Are Windows Domain Service Accounts Really Necessary?

Posted by Zach Bonham on Server Fault See other posts from Server Fault or by Zach Bonham
Published on 2010-12-31T15:55:12Z Indexed on 2010/12/31 15:55 UTC
Read the original article Hit count: 417

One of the biggest problems we have in automating application deployments is the idea that running IIS AppPools and Windows Services under domain service accounts is a 'best practice'. Unfortunately, this best practice sometimes causes deployment headaches in that either we need to provision a new domain level service account quickly, or once we have the account, we now need to manage the account credentials.

I had a great conversation about not making domain level service accounts a requirement and effectively taking one of two approaches:

  • Secure at the node level using machine account(domain\machine$) and add the node to appropriate ActiveDirectory/Sql groups/roles
  • Create local app specific accounts on each machine (machine\myapp) and add that account to appropriate ActiveDirectory/Sql groups/roles (the password here can change per deployment, it doesn't need to be stored)

In both cases, it seems that its easier to manage either adding an account to appropriate group/role, or even stand up new, local account, than it is to have to provision a new domain level account and manage those credentials.

This would hopefully ease the management burden on ActiveDirectory, Sql Server and Operations teams as there would be no more password management.

We've not actually been able to implement this in practice yet. I am coming from a development background, so I'm curious as to how many ways this approach could go wrong? Can we really get rid of domain level service accounts with this direction?

I'd appreciate any thoughts from anyone who has taken this path!

Thanks!

Zach

© Server Fault or respective owner

Related posts about active-directory

Related posts about windows-server