restricted domain account
  • restricted domain account

    Hi all,

    I have a question about secure accounts in Active Directory.

    We have multiple web servers, SQL servers and mail servers in server housing.
    I have to create an account for scheduled tasks. How do I create a really secure account?

    - user cannot log on locally
    - user cannot log on by RDP
    - user has rights only on specific folders
    ...

    Can anyone help me with this?

    Best Regards

    Caspi
    Thanks

    Caspi
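    One way to build the account described above, as an added example that is not part of the original post: a domain user with a long random password, NTFS rights on a single folder, and the two "Deny log on" user rights applied on the server that runs the task. The domain EXAMPLE, the OU, the account name svc-backup and the folder D:\Jobs are assumptions; the script uses the ActiveDirectory module (RSAT) and secedit, which are on Windows Server 2008 R2.

```powershell
# Added example (not from the thread): create a domain account for scheduled tasks
# that cannot log on interactively or via RDP and only has rights on one folder.
# Assumptions (hypothetical): domain EXAMPLE, OU "OU=Service Accounts,DC=example,DC=local",
# account svc-backup, folder D:\Jobs on the server where the task runs.
# Run as a domain admin with RSAT, on the member server itself (secedit is per-machine).

Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web

$Sam    = 'svc-backup'
$OU     = 'OU=Service Accounts,DC=example,DC=local'
$Folder = 'D:\Jobs'

# 1. Long random password. Store it in a password vault; never in a script.
$Plain  = [System.Web.Security.Membership]::GeneratePassword(32, 8)
$Secure = ConvertTo-SecureString $Plain -AsPlainText -Force

New-ADUser -Name $Sam -SamAccountName $Sam `
    -UserPrincipalName "$Sam@example.local" -Path $OU `
    -AccountPassword $Secure -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'Scheduled task account - no interactive logon'

$Sid = (Get-ADUser $Sam).SID.Value

# 2. NTFS rights on the one folder only: Modify on D:\Jobs and everything below it.
#    The account is in no group that grants anything else.
$Acl  = Get-Acl $Folder
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "EXAMPLE\$Sam",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$Acl.AddAccessRule($Rule)
Set-Acl $Folder $Acl

# 3. Deny local and RDP logon on this server (User Rights Assignment).
#    secedit replaces the whole membership of every right listed in the INF, so only
#    the two Deny rights (empty by default) are listed; "Log on as a batch job", which
#    the Task Scheduler needs, is left alone. For many servers put the same two
#    settings in a GPO instead, which also wins over this local setting.
$Inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = *$Sid
SeDenyRemoteInteractiveLogonRight = *$Sid
"@
$InfPath = Join-Path $env:TEMP 'deny-logon.inf'
Set-Content -Path $InfPath -Value $Inf -Encoding Unicode
secedit /configure /db "$env:TEMP\deny-logon.sdb" /cfg $InfPath /areas USER_RIGHTS /quiet

# 4. Verify: the SID appears in both Deny rights, and the only ACE for the account is on $Folder.
secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS /quiet
Select-String -Path "$env:TEMP\rights.inf" -Pattern 'SeDeny(Remote)?InteractiveLogonRight'
(Get-Acl $Folder).Access | Where-Object { $_.IdentityReference -like "*\$Sam" }
```

    The scheduled task is then registered with schtasks /ru EXAMPLE\svc-backup and the vaulted password; the Deny rights do not block a batch logon, so the task still runs while an interactive or RDP logon with the account is refused.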

  • #2
    Re: restricted domain account

    Investigate Managed Service Accounts in R2 http://technet.microsoft.com/en-us/l...33(WS.10).aspx
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



  • #3
    Re: restricted domain account

    Thank you for the quick reply. I have a question about managed service accounts: I have multiple servers in NLB clusters, is it possible to run one account on all servers?

    --------------------------------------------------------------------------------------------------------
    Requirements for using managed service accounts and virtual accounts

    To use managed service accounts and virtual accounts, the client computer on which the application or service is installed must be running Windows Server 2008 R2 or Windows 7. In Windows Server 2008 R2 and Windows 7, one managed service account can be used for services on a single computer. Managed service accounts cannot be shared between multiple computers and cannot be used in server clusters where a service is replicated on multiple cluster nodes.
    --------------------------------------------------------------------------------------------------------

    So for each server I have to create a new managed service account. Is it true?

    No problem, after the user is created, can I assign him permissions on SQL Server?
    Last edited by caspi; 22nd February 2011, 12:03.
    Thanks

    Caspi



  • #4
    Re: restricted domain account

    No, MSAs can only be linked to one computer at a time. This Dir Services Team blog post goes into the inner workings of MSAs; it's a pretty interesting read.

    http://blogs.technet.com/b/askds/arc...eshooting.aspx
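    The one-MSA-per-computer rule from #3 and #4, and the SQL Server permission question from #3, worked through as an added example (not code from the thread): one managed service account per web server on Windows Server 2008 R2, each linked to and installed on exactly one computer, then a SQL Server login for each. The domain EXAMPLE, the server and account names, the instance SQL1 and the database WebDB are assumptions; the script assumes PowerShell remoting to the web servers and sqlcmd on the machine it runs from.

```powershell
# Added example (not from the thread): one MSA per server on Windows Server 2008 R2,
# then a SQL Server login for each MSA.
# Assumptions (hypothetical): domain EXAMPLE, servers www1..www3, MSAs web-www1..web-www3,
# SQL instance SQL1, database WebDB. Run as a domain admin with RSAT installed.
# On Windows Server 2012 and later, New-ADServiceAccount also needs -RestrictToSingleComputer.

Import-Module ActiveDirectory

$Domain  = 'EXAMPLE'
$Servers = 'www1', 'www2', 'www3'

foreach ($Server in $Servers) {
    $Msa = "web-$Server"

    # Create the MSA (default location CN=Managed Service Accounts). AD generates and
    # rotates its password; nobody ever knows or types it.
    New-ADServiceAccount -Name $Msa -Enabled $true

    # Link it to exactly one computer account: the 2008 R2 limit quoted in the thread.
    Add-ADComputerServiceAccount -Identity $Server -ServiceAccount $Msa

    # Install it on that server so the local LSA can fetch the password. This must run
    # on the member server itself, here through PowerShell remoting.
    Invoke-Command -ComputerName $Server -ScriptBlock {
        param($Name)
        Import-Module ActiveDirectory
        Install-ADServiceAccount -Identity $Name
        # Returns $true when this host can use the account
        Test-ADServiceAccount -Identity $Name
    } -ArgumentList $Msa
}

# SQL Server sees an MSA as DOMAIN\name$ (the same form as a computer account), so the
# login is created in that form. Grant only the database roles the application needs;
# no server-level role and no sysadmin.
$Sql = foreach ($Server in $Servers) {
    $Login = "$Domain\web-$Server`$"
    "CREATE LOGIN [$Login] FROM WINDOWS;"
    "USE WebDB;"
    "CREATE USER [$Login] FOR LOGIN [$Login];"
    "EXEC sp_addrolemember 'db_datareader', '$Login';"
    "EXEC sp_addrolemember 'db_datawriter', '$Login';"
}
$SqlPath = Join-Path $env:TEMP 'msa-logins.sql'
Set-Content -Path $SqlPath -Value $Sql
sqlcmd -S SQL1 -E -i $SqlPath
```

    Because the MSA has no password that an administrator knows, the SQL login is Windows-authenticated only; anything that needs a typed password (a "Connect as" credential, a stored connection string with a password) cannot use an MSA and needs a regular service account instead.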



  • #5
    Re: restricted domain account

    Another question about Managed Service Accounts.

    I have 3 web servers www1, www2, www3. All running Windows 2008 R2 Enterprise.

    I have 2 domain controllers, wdc1 and wdc2. wdc1 is Windows 2008 Enterprise and wdc2 is Windows 2008 R2 Enterprise.

    I have created managed service accounts web-www1, web-www2, web-www3.

    On www1, www2 and www3, failover cluster services offer a file share.

    On www3 I have created a website, test.cz, and set its physical path to: \\clusterFS\test.cz

    Permissions on the file share are set up for all three MSAs to read.

    I have also created an application pool running as user web-www3 (this account is linked with www3).

    But when I try to go to the site test.cz I get: HTTP Error 503. The service is unavailable.

    I have tried to change the site's physical path credentials from application user to a specific user, but it wants me to enter a password.

    Any help?

    Thank you
    Thanks

    Caspi
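    The configuration in #5, as an added example that is not code from the thread: binding an IIS 7.5 application pool to a managed service account on the server the MSA is linked to, then checking the two places that explain a 503 from IIS (the pool's state, and the WAS events in the System log). It assumes it runs on www3 as an administrator, that the MSA web-www3 is already installed there, that the domain is EXAMPLE, and that the pool and the site are both named test.cz; the site name and the domain are assumptions, the rest comes from the post.

```powershell
# Added example (not from the thread): set an IIS 7.5 app pool to run as an MSA and
# find out why the site answers HTTP 503.
# Assumptions (hypothetical): run on www3 as administrator; domain EXAMPLE; MSA web-www3
# already installed on www3; application pool and site both named test.cz.
# Written for PowerShell 2.0, which ships with Windows Server 2008 R2.

Import-Module WebAdministration
Import-Module ActiveDirectory

$Pool = 'test.cz'
$Msa  = 'web-www3'

# 1. The MSA must be installed on THIS computer. A pool identity that cannot log on
#    makes the worker process fail to start, WAS stops the pool, and the client sees 503.
if (-not (Test-ADServiceAccount -Identity $Msa)) {
    throw "$Msa is not usable on $env:COMPUTERNAME; run Install-ADServiceAccount here first"
}

# 2. Pool identity. IIS 7.5 takes an MSA as a specific user named DOMAIN\name$ with an
#    empty password (identityType 3 = SpecificUser); nobody types the MSA's password.
Set-ItemProperty "IIS:\AppPools\$Pool" -Name processModel -Value @{
    identityType = 3
    userName     = "EXAMPLE\$Msa`$"
    password     = ''
}

# 3. Start the pool and see whether it stays up. Rapid-fail protection stops it again
#    if the worker process keeps dying at startup.
Start-WebAppPool -Name $Pool
Start-Sleep -Seconds 5
(Get-WebAppPoolState -Name $Pool).Value

# 4. WAS writes the reason to the System log:
#    5021 = the pool's identity is invalid (wrong name, or the account cannot log on here),
#    5002 = the pool was disabled by rapid-fail protection after repeated worker failures.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-WAS' } -MaxEvents 20 |
    Where-Object { 5002, 5021 -contains $_.Id } |
    Select-Object TimeCreated, Id, Message | Format-List

# 5. The UNC content path stays on pass-through authentication ("Application user"), so
#    IIS reaches \\clusterFS\test.cz as EXAMPLE\web-www3$, which is the identity the
#    share permissions in the post were granted to. A "Connect as" specific user needs a
#    stored password, which an MSA does not have.
Get-ItemProperty "IIS:\Sites\$Pool" -Name physicalPath
```

    With the identity set this way, the access check at the file share is against EXAMPLE\web-www3$ (and on www1 and www2 against their own MSAs), so each server's pool only ever holds the one identity that was linked to it.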
