How to Set Up Windows Server 2016 Service Accounts

Service accounts in Windows Server 2016 are special user accounts used by applications and services to authenticate and run system processes. Unlike regular user accounts, service accounts are designed to run background services, scheduled tasks, and application pools with defined, limited privileges. Properly configuring service accounts is a fundamental security practice that helps isolate services and limit the damage from compromised credentials.

Windows Server 2016 supports several types of service accounts: standard domain user accounts configured as service accounts, standalone Managed Service Accounts (MSAs), and Group Managed Service Accounts (gMSAs). This tutorial focuses on setting up traditional domain user-based service accounts. For MSAs and gMSAs, refer to the dedicated tutorials in this series.

Step 1: Plan Your Service Account Strategy

Before creating service accounts, establish a naming convention and define the principle of least privilege for each account. Each service should have its own dedicated account rather than sharing accounts across multiple services. A common naming convention uses a prefix such as svc_ followed by the application name:

svc_sql
svc_iis
svc_backup
svc_monitoring

Dedicated accounts make it easier to audit activity, rotate passwords, and disable individual services without affecting others.

Step 2: Create the Service Account in Active Directory

Open Active Directory Users and Computers on your domain controller. Navigate to the appropriate Organizational Unit for service accounts. It is best practice to keep service accounts in a dedicated OU separate from regular user accounts.

Right-click the OU and select New > User. Fill in the account details:

First Name: (leave blank)
Last Name: (leave blank)
Full Name: Service Account - SQL
User logon name: svc_sql@yourdomain.com

Alternatively, create the account using PowerShell:

# Prompt for the password rather than embedding it in the script or leaving it in shell history
$password = Read-Host -AsSecureString -Prompt "Password for svc_sql"
New-ADUser -Name "svc_sql" `
    -SamAccountName "svc_sql" `
    -UserPrincipalName "svc_sql@yourdomain.com" `
    -Path "OU=ServiceAccounts,DC=yourdomain,DC=com" `
    -AccountPassword $password `
    -PasswordNeverExpires $true `
    -CannotChangePassword $true `
    -Enabled $true `
    -Description "Service account for SQL Server"

Step 3: Configure Password Policy Exceptions

Service accounts typically need passwords that do not expire, since every password change must also be applied to each service that uses the account. Use a Fine-Grained Password Policy (a Password Settings Object, or PSO) to apply a stricter password policy to service accounts while still setting PasswordNeverExpires on the account itself.

# Precedence: when several PSOs apply to the same account, the lowest value wins.
# Age parameters are TimeSpans, so "1" means one day.
New-ADFineGrainedPasswordPolicy -Name "ServiceAccountPolicy" `
    -Precedence 10 `
    -MinPasswordLength 20 `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge "0" `
    -MinPasswordAge "1" `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false

# Subjects can be users or groups; a group holding all service accounts scales better than listing each user
Add-ADFineGrainedPasswordPolicySubject -Identity "ServiceAccountPolicy" `
    -Subjects "svc_sql"

Step 4: Assign Minimum Required Permissions

Grant the service account only the permissions it needs. Avoid adding service accounts to Domain Admins, Administrators, or other privileged groups. For SQL Server, the service account typically needs the right to log on as a service on the server, plus the specific database permissions the workload requires.

To grant the account the right to log on as a service using Group Policy:

Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Log on as a service

Add the service account identity to this policy and apply it to the relevant servers.

Step 5: Configure the Service to Use the Account

For Windows services, open Services.msc on the target server. Right-click the service, select Properties, then go to the Log On tab. Select "This account" and enter the service account credentials.

For services managed via PowerShell (Set-Service only gained a -Credential parameter in PowerShell 6 and later; on the Windows PowerShell 5.1 that ships with Server 2016, set the logon account through the Win32_Service Change method):

$credential = Get-Credential -UserName "YOURDOMAIN\svc_sql" -Message "Service account password"
# Windows PowerShell 5.1 has no Set-Service -Credential; Change returns 0 on success, then restart the service
Get-CimInstance -ClassName Win32_Service -Filter "Name='MSSQLSERVER'" |
    Invoke-CimMethod -MethodName Change -Arguments @{ StartName = $credential.UserName; StartPassword = $credential.GetNetworkCredential().Password }

Step 6: Deny Interactive Logon Rights

Service accounts should not be used to log on interactively to workstations or servers. Deny this right via Group Policy to prevent the account from being used as a regular user account:

Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny log on locally
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny log on through Remote Desktop Services

Step 7: Enable Auditing on Service Accounts

Monitor service account activity to detect unusual behavior such as interactive logins or access to unexpected resources. Use the following PowerShell command to check recent logon events for a specific service account:

Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    Id      = 4624
} | Where-Object { $_.Message -like "*svc_sql*" } |
    Select-Object -Property TimeCreated, Message -First 20
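The message match above only finds the account; the LogonType field of each 4624 event is what tells a normal service logon (type 5) apart from an interactive one. The following added example (not from the original tutorial) reads that field from the event XML and lists interactive, RDP and cached-interactive logons by any svc_* account over the last day; it assumes it is run elevated on the server that holds the relevant Security log.

```powershell
# Added example: flag interactive logons by svc_* accounts from Security event 4624.
# 4624 is logged on the machine where the logon happens, so run this on servers and DCs.
# LogonType values from the 4624 schema: 2 = Interactive, 10 = RemoteInteractive (RDP),
# 11 = CachedInteractive. Type 5 (Service) is what a service account is expected to produce.
$interactiveTypes = @('2', '10', '11')
$since = (Get-Date).AddDays(-1)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = $since
} -ErrorAction SilentlyContinue

$findings = foreach ($event in $events) {
    # Each 4624 event keeps its fields in EventData; read them by name from the XML
    $xml  = [xml]$event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['TargetUserName'] -like 'svc_*' -and $interactiveTypes -contains $data['LogonType']) {
        [pscustomobject]@{
            Time        = $event.TimeCreated
            Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType   = $data['LogonType']
            Source      = $data['IpAddress']
            Workstation = $data['WorkstationName']
        }
    }
}

# Any row here is a service account being used like a user account and deserves follow-up
$findings | Sort-Object Time -Descending | Format-Table -AutoSize
```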

Step 8: Document Service Account Usage

Maintain an inventory of all service accounts, the services they run, the servers they are used on, and the permissions they hold. This documentation is essential for password rotation, decommissioning services, and security audits. Consider using the following PowerShell snippet to export service account details:

Get-ADUser -Filter { Name -like "svc_*" } -Properties Description, PasswordNeverExpires, LastLogonDate |
    Select-Object Name, Description, PasswordNeverExpires, LastLogonDate |
    Export-Csv -Path "C:\Reports\ServiceAccounts.csv" -NoTypeInformation
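As an added example that goes beyond the snippet above (it is not part of the original tutorial), the following script also records which services run under each account on the listed servers and flags direct membership in privileged groups. The server names are a constructed placeholder list; the script assumes the ActiveDirectory module, WinRM access to those servers, and an existing C:\Reports folder.

```powershell
# Added example: inventory svc_* accounts with privileged-group membership and per-server service usage.
$servers = @('SQL01', 'WEB01')   # constructed sample list; replace with the servers you administer
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                      'Account Operators', 'Server Operators', 'Backup Operators')

# Services on each server whose logon account looks like a domain service account
$serviceUsage = foreach ($server in $servers) {
    Get-CimInstance -ClassName Win32_Service -ComputerName $server -ErrorAction SilentlyContinue |
        Where-Object { $_.StartName -like '*\svc_*' -or $_.StartName -like 'svc_*@*' } |
        ForEach-Object {
            [pscustomobject]@{
                Server  = $server
                Service = $_.Name
                # Normalise DOMAIN\svc_x and svc_x@domain to the bare SamAccountName
                Account = ($_.StartName -replace '^.*\\' -replace '@.*$')
            }
        }
}

$inventory = Get-ADUser -Filter "SamAccountName -like 'svc_*'" -Properties Description, PasswordNeverExpires, LastLogonDate, MemberOf |
    ForEach-Object {
        $user   = $_
        # MemberOf lists direct memberships only; nested membership needs a recursive check
        $groups = $user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name }
        $used   = $serviceUsage | Where-Object { $_.Account -eq $user.SamAccountName }
        [pscustomobject]@{
            Name                 = $user.SamAccountName
            Description          = $user.Description
            PasswordNeverExpires = $user.PasswordNeverExpires
            LastLogonDate        = $user.LastLogonDate
            PrivilegedGroups     = ($groups | Where-Object { $privilegedGroups -contains $_ }) -join ';'
            UsedBy               = ($used | ForEach-Object { "$($_.Server):$($_.Service)" }) -join ';'
        }
    }

$inventory | Export-Csv -Path 'C:\Reports\ServiceAccountInventory.csv' -NoTypeInformation

# Review first: accounts in privileged groups, and accounts no inventoried service uses (decommission candidates)
$inventory | Where-Object { $_.PrivilegedGroups -or -not $_.UsedBy } | Format-Table -AutoSize
```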

Properly configured service accounts reduce the attack surface of your Windows Server 2016 environment by limiting the blast radius of a compromised credential. Always apply the principle of least privilege, use strong and unique passwords, and consider upgrading to Managed Service Accounts or Group Managed Service Accounts where possible for automated password management.