Windows creating service account

Service Accounts

Applies to

  • Windows 10
  • Windows Server 2016

This topic for the IT professional explains group and standalone managed service accounts, and the computer-specific virtual computer account, and it points to resources about these service accounts.

Overview

A service account is a user account that is created explicitly to provide a security context for services running on Windows Server operating systems. The security context determines the service’s ability to access local and network resources. The Windows operating systems rely on services to run various features. These services can be configured through the applications, the Services snap-in, or Task Manager, or by using Windows PowerShell.

This topic contains information about the following types of service accounts:

  • Standalone managed service accounts
  • Group managed service accounts
  • Virtual accounts

Standalone managed service accounts

A managed service account is designed to isolate domain accounts in crucial applications, such as Internet Information Services (IIS), and eliminate the need for an administrator to manually administer the service principal name (SPN) and credentials for the accounts.

To use managed service accounts, the server on which the application or service is installed must be running at least Windows Server 2008 R2. One managed service account can be used for services on a single computer. Managed service accounts cannot be shared between multiple computers, and they cannot be used in server clusters where a service is replicated on multiple cluster nodes. For this scenario, you must use a group managed service account. For more information, see Group Managed Service Accounts Overview.

In addition to the enhanced security that is provided by having individual accounts for critical services, there are four important administrative benefits associated with managed service accounts:

  • You can create a class of domain accounts that can be used to manage and maintain services on local computers.
  • Unlike domain accounts, for which administrators must manually reset passwords, the network passwords for these accounts are automatically reset.
  • You do not have to complete complex SPN management tasks to use managed service accounts.
  • Administrative tasks for managed service accounts can be delegated to non-administrators.

Software requirements

Managed service accounts apply to the Windows operating systems that are designated in the Applies To list at the beginning of this topic.

Group managed service accounts

Group managed service accounts are an extension of the standalone managed service accounts, which were introduced in Windows Server 2008 R2. These are managed domain accounts that provide automatic password management and simplified service principal name (SPN) management, including delegation of management to other administrators.

The group managed service account provides the same functionality as a standalone managed service account within the domain, but it extends that functionality over multiple servers. When connecting to a service that is hosted on a server farm, such as Network Load Balancing, the authentication protocols that support mutual authentication require all instances of the services to use the same principal. When group managed service accounts are used as service principals, the Windows Server operating system manages the password for the account instead of relying on the administrator to manage the password.

The Microsoft Key Distribution Service (kdssvc.dll) provides the mechanism to securely obtain the latest key or a specific key with a key identifier for an Active Directory account. This service was introduced in Windows Server 2012, and it does not run on previous versions of the Windows Server operating system. The Key Distribution Service shares a secret, which is used to create keys for the account. These keys are periodically changed. For a group managed service account, the domain controller computes the password on the key that is provided by the Key Distribution Services, in addition to other attributes of the group managed service account.

Practical applications

Group managed service accounts provide a single identity solution for services running on a server farm, or on systems that use Network Load Balancing. By providing a group managed service account solution, services can be configured for the group managed service account principal, and the password management is handled by the operating system.

By using a group managed service account, services or service administrators do not need to manage password synchronization between service instances. The group managed service account supports hosts that are kept offline for an extended time period and the management of member hosts for all instances of a service. This means that you can deploy a server farm that supports a single identity to which existing client computers can authenticate without knowing the instance of the service to which they are connecting.

Failover clusters do not support group managed service accounts. However, services that run on top of the Cluster service can use a group managed service account or a standalone managed service account if they are a Windows service, an App pool, or a scheduled task, or if they natively support group managed service accounts or standalone managed service accounts.

Software requirements

Group managed service accounts can only be configured and administered on computers running at least Windows Server 2012, but they can be deployed as a single service identity solution in domains that still have domain controllers running operating systems earlier than Windows Server 2012. There are no domain or forest functional level requirements.

A 64-bit architecture is required to run the Windows PowerShell commands that are used to administer group managed service accounts.

A managed service account is dependent on the encryption types supported by Kerberos. When a client computer authenticates to a server by using the Kerberos protocol, the domain controller creates a Kerberos service ticket that is protected with encryption that both the domain controller and the server support. The domain controller uses the account’s msDS-SupportedEncryptionTypes attribute to determine what encryption the server supports, and if the attribute is not set, it assumes that the client computer does not support stronger encryption types. The Advanced Encryption Standard (AES) should always be explicitly configured for managed service accounts. If computers that host the managed service account are configured to not support RC4, authentication will always fail.


Note: Introduced in Windows Server 2008 R2, the Data Encryption Standard (DES) is disabled by default. For more information about supported encryption types, see Changes in Kerberos Authentication.

Group managed service accounts are not applicable in Windows operating systems prior to Windows Server 2012.
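The following PowerShell sequence is an added example, not part of the original topic, showing how the pieces above fit together: the KDS root key, a group that limits which hosts may retrieve the managed password, a gMSA created with AES explicitly configured, and a check of msDS-SupportedEncryptionTypes before binding a service to the account. The domain (corp.example), group, host, account and service names are placeholders.

```powershell
# Added example (not from the original topic). Run on a domain-joined
# admin workstation with the RSAT ActiveDirectory module; step 5 runs on
# each farm host. All names below are placeholders.
Import-Module ActiveDirectory

# 1. The KDS root key exists once per forest and requires a Windows Server
#    2012 or later DC. Back-dating the effective time is a lab shortcut that
#    skips the replication wait; in production use -EffectiveImmediately
#    and wait the 10 hours before creating accounts.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) | Out-Null
}

# 2. Only members of this group can read the managed password. Keep it to
#    the farm's computer accounts; any other member can impersonate the
#    service, so review membership like you would review an admin group.
$hostGroup = 'WebFarmHosts'
if (-not (Get-ADGroup -Filter "Name -eq '$hostGroup'")) {
    New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $hostGroup -Members 'WEB01$', 'WEB02$'

# 3. Create the gMSA. -KerberosEncryptionType populates
#    msDS-SupportedEncryptionTypes so the DC never falls back to RC4 for
#    this principal; the SPN is what load-balanced clients authenticate to.
New-ADServiceAccount -Name 'gmsa-Web' `
    -DNSHostName 'web.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -KerberosEncryptionType AES128, AES256 `
    -ServicePrincipalNames 'HTTP/web.corp.example' `
    -ManagedPasswordIntervalInDays 30

# 4. Verify. Attribute bits: DES-CRC=1, DES-MD5=2, RC4=4, AES128=8,
#    AES256=16, so AES-only is 24 (0x18). Any of the low three bits set
#    means a weaker type is still allowed.
$acct = Get-ADServiceAccount -Identity 'gmsa-Web' -Properties `
    'msDS-SupportedEncryptionTypes', 'msDS-ManagedPasswordInterval',
    'PrincipalsAllowedToRetrieveManagedPassword'
if (($acct.'msDS-SupportedEncryptionTypes' -band 0x7) -ne 0) {
    Write-Warning 'gmsa-Web still permits DES or RC4 ticket encryption'
}
$acct | Format-List Name, 'msDS-SupportedEncryptionTypes',
    'msDS-ManagedPasswordInterval', PrincipalsAllowedToRetrieveManagedPassword

# 5. On each farm host, after its Kerberos ticket reflects the new group
#    membership (a reboot is the reliable way): install, test, and bind the
#    service. No password is supplied; the host retrieves it from AD.
Install-ADServiceAccount -Identity 'gmsa-Web'
if (-not (Test-ADServiceAccount -Identity 'gmsa-Web')) {
    throw 'This host cannot retrieve the managed password; check group membership.'
}
sc.exe config 'MyWebService' obj= 'CORP\gmsa-Web$' password= ''
```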

Virtual accounts

Virtual accounts were introduced in Windows Server 2008 R2 and Windows 7, and are managed local accounts that provide the following features to simplify service administration:

  • The virtual account is automatically managed.
  • The virtual account can access the network in a domain environment.
  • No password management is required. For example, if the default value is used for the service accounts during SQL Server setup on Windows Server 2008 R2, a virtual account that uses the instance name as the service name is established in the format NT SERVICE\<SERVICENAME>.

Services that run as virtual accounts access network resources by using the credentials of the computer account in the format <domain_name>\<computer_name>$.

For information about how to configure and use virtual service accounts, see Service Accounts Step-by-Step Guide.
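As an added example (not part of the original topic), the commands below bind a service to its virtual account and then audit every service on the host by the class of identity it runs as, which is the check a reviewer wants before and after moving services off LocalSystem or shared named accounts. MyAppService is a placeholder service name.

```powershell
# Added example (not from the original topic). Run elevated on the host.
$svc = 'MyAppService'   # placeholder: the short service name, not its display name

# A virtual account is named NT SERVICE\<service name>. It has no password to
# manage and Windows grants it "Log on as a service" automatically; on the
# network it appears as the computer account (DOMAIN\HOST$).
sc.exe config $svc obj= "NT SERVICE\$svc" password= ''
Restart-Service -Name $svc

# Audit: group every service by the kind of identity it runs under.
# Named users are the ones with a human-managed password and the ones most
# often shared between hosts; LocalSystem is the highest-privilege choice.
Get-CimInstance -ClassName Win32_Service |
    Group-Object {
        switch -Wildcard ($_.StartName) {
            { [string]::IsNullOrEmpty($_) } { 'Not set (driver/kernel service)' ; break }
            'LocalSystem'                   { 'LocalSystem' ; break }
            'NT AUTHORITY\*'                { 'Built-in (LocalService/NetworkService)' ; break }
            'NT SERVICE\*'                  { 'Virtual account' ; break }
            '*$'                            { 'gMSA / standalone MSA' ; break }
            default                         { 'Named user account' }
        }
    } |
    Sort-Object Count -Descending |
    Format-Table Count, Name,
        @{ n = 'Services'; e = { ($_.Group.Name | Sort-Object) -join ', ' } } -Wrap
```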

Software requirements

Virtual accounts apply to the Windows operating systems that are designated in the Applies To list at the beginning of this topic.

See also

The following table provides links to additional resources that are related to standalone managed service accounts, group managed service accounts, and virtual accounts.

Create a user account in Windows

Create a Microsoft account

Swipe in from the right edge of the screen, tap Settings, and then tap Change PC settings. (If you’re using a mouse, point to the lower-right corner of the screen, move the mouse pointer up, click Settings, and then click Change PC settings.)

Tap or click Accounts, and then tap or click Other accounts.

Tap or click Add an account.

Enter the account info for this person to sign in to Windows. There are four ways to do this:

If the person you’re adding already has a Microsoft account, enter it now.

If the person you’re adding doesn’t have a Microsoft account, you can use their email address to create one. Enter the email address that person uses most frequently.

If the person you’re adding doesn’t have an email address, tap or click Sign up for a new email address. It’s free.

If the person you’re adding is a child, tap or click Add a child’s account.

Follow the instructions to finish setting up the account.

Create a local account

Swipe in from the right edge of the screen, tap Settings, and then tap Change PC settings.
(If you’re using a mouse, point to the lower-right corner of the screen, move the mouse pointer up, click Settings, and then click Change PC settings.)

Tap or click Accounts, and then tap or click Other accounts.

Tap or click Add an account, and then tap or click Sign in without a Microsoft account (not recommended).

Tap or click Local account.

Enter a user name for the new account.

If you want this person to sign in with a password, enter and verify the password, add a password hint, and then tap or click Next.

If your PC is on a domain, depending on the domain’s security settings, you might be able to skip this step and tap or click Next, if you prefer.

Tap or click Finish.

My computer is on a domain

Open Microsoft Management Console by clicking the Start button, typing mmc into the search box, and then pressing Enter. If you’re prompted for an administrator password or confirmation, type the password or provide confirmation.

In the left pane of Microsoft Management Console, click Local Users and Groups.

If you don’t see Local Users and Groups, it’s probably because that snap-in hasn’t been added to Microsoft Management Console. Follow these steps to install it:

In Microsoft Management Console, click the File menu, and then click Add/Remove Snap-in.

Click Local Users and Groups, and then click Add.

Click Local computer, click Finish, and then click OK.

Click the Users folder.

Click Action, and then click New User.

Type the appropriate information in the dialog box, and then click Create.

When you are finished creating user accounts, click Close.

My computer is in a workgroup

To open User Accounts, click the Start button, click Control Panel, click User Accounts and Family Safety, and then click User Accounts.

Click Manage another account. If you’re prompted for an administrator password or confirmation, type the password or provide confirmation.

Click Create a new account.

Type the name you want to give the user account, click an account type, and then click Create Account.

Create service accounts

Applies To: Microsoft Dynamics AX 2012 R3, Microsoft Dynamics AX 2012 R2, Microsoft Dynamics AX 2012 Feature Pack, Microsoft Dynamics AX 2012

An implementation of Microsoft Dynamics AX requires many services to run. Set up accounts to run the services. Each account that you set up must have the following characteristics:

  • Unless otherwise noted, it must be a dedicated account. A dedicated account is used only for a specific service.
  • It must have a password that does not expire.
  • It must have minimal access to network resources.
  • It must be able to log on as a service.

If you are using Windows Server 2008 R2 or a later version of Windows Server, you can use managed service accounts. For more information, see the Service Accounts Step-by-Step Guide on TechNet.

If an account must be a Microsoft Dynamics AX user, it cannot be a managed service account.

The accounts in this topic must be configured in order to install the components of Microsoft Dynamics AX. For information about additional service accounts that are used when you configure Microsoft Dynamics AX, see Configure system accounts.
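The script below is an added example, not part of the Dynamics AX documentation, that creates a dedicated domain account with the characteristics listed above and then grants it "Log on as a service" on the host while denying interactive logon (the "no local logon rights" recommendation this topic makes for several of its accounts). The domain corp.example, the OU path, the CORP NetBIOS name and the account name svc-AXAOS are placeholders; secedit is used because Windows has no built-in cmdlet for user rights.

```powershell
# Added example (not from the Dynamics AX documentation). Names are placeholders.
Import-Module ActiveDirectory

# 1. Dedicated account, non-expiring password, enabled. "Minimal access to
#    network resources" means: leave it in Domain Users only and grant SQL
#    and share permissions to this account directly, never via admin groups.
$name = 'svc-AXAOS'
New-ADUser -Name $name -SamAccountName $name `
    -UserPrincipalName "$name@corp.example" `
    -Path 'OU=Service Accounts,DC=corp,DC=example' `
    -AccountPassword (Read-Host -AsSecureString "Password for $name") `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'Dedicated: Dynamics AX AOS service only' -Enabled $true

# 2. Grant or deny a user right on the local host by round-tripping the
#    security policy through secedit. Runs elevated on the AOS host.
function Grant-UserRight {
    param([string]$Account, [string]$Right)
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    $inf = Join-Path $env:TEMP 'rights.inf'
    $db  = Join-Path $env:TEMP 'rights.sdb'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $lines = Get-Content $inf
    $existing = $lines | Where-Object { $_ -match "^$Right\s*=" }
    if ($existing) {
        if ($existing -match [regex]::Escape("*$sid")) { return }   # already granted
        $lines = $lines -replace "^($Right\s*=.*)$", ('$1,*' + $sid)
    } else {
        # Right not yet listed: add it under the [Privilege Rights] section.
        $lines = $lines -replace '^\[Privilege Rights\]$', "[Privilege Rights]`r`n$Right = *$sid"
    }
    Set-Content -Path $inf -Value $lines -Encoding Unicode
    secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
}

Grant-UserRight -Account "CORP\$name" -Right 'SeServiceLogonRight'        # can log on as a service
Grant-UserRight -Account "CORP\$name" -Right 'SeDenyInteractiveLogonRight' # cannot log on locally

# 3. Verify both rights now list the account's SID.
$check = Join-Path $env:TEMP 'verify.inf'
secedit /export /cfg $check /areas USER_RIGHTS | Out-Null
Select-String -Path $check -Pattern 'SeServiceLogonRight|SeDenyInteractiveLogonRight'
```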

Create accounts for Microsoft Dynamics AX services

Create the accounts in the following table to run Microsoft Dynamics AX services.

Application Object Server (AOS) service account

The account that the Microsoft Dynamics AX Object Server Windows service runs as. This account is used to communicate with the database server.


Consider the following points when you select an account:

  • We strongly recommend that you use a domain account or a managed service account in a production environment. Use the Network Service account only in development and testing environments.
  • If you plan to use a managed service account, you must first create that account as described in the Service Accounts Step-by-Step guide.
  • If Microsoft SQL Server and the AOS are on different computers, you must use a domain account or a managed service account.
  • If you plan to install any Microsoft Dynamics AX components on a domain controller, you must use a domain account.
  • If you plan to use Message Queuing, which is also known as MSMQ, for document exchange with web services on Internet Information Services (IIS), and you want to send signed messages, you must use a domain account. However, if you want to send unsigned messages by using web services on IIS, the AOS can run under the Network Service account.

Enter this account when you run the Setup wizard to install an AOS instance. For more information, see Install an AOS instance.

Business Connector proxy account

The account that the .NET Business Connector runs as. This account is used to connect to the AOS on behalf of a Microsoft Dynamics AX user, but without granting that user excessive privileges in the system.

This account must not be a Microsoft Dynamics AX user.

Enter this account when you run the Setup wizard or select this account in the System service accounts form.

Search crawler account

The account that Enterprise Search runs as. This account is used by the Microsoft SharePoint Indexing Service to crawl Microsoft Dynamics AX data. This account must be assigned to the Search crawler security role in Microsoft Dynamics AX. We recommend that you configure this account so that it has no local logon rights.

Enter this account when you run the Setup wizard to install Enterprise Search. For more information, see Install Microsoft Dynamics AX Enterprise Search.

Use the Assign users to roles form to assign this account to the Search crawler security role.

Management Reporter integration user account (optional)

The account that is used to run integrations between Management Reporter and Microsoft Dynamics AX.

This account must have read permission and view change tracking permission on the Microsoft Dynamics AX transaction database and model database.

Setup will add the account as a user in Microsoft Dynamics AX, and will assign the user to the System administrator security role.

Enter this account when you run the Setup wizard to install Management Reporter. For more information, see Install Management Reporter server components.

Management Reporter service account (optional)

The account that the Management Reporter Windows service runs as.

We recommend that you use the AOS service account to run the Management Reporter service.

Enter this account when you run the Setup wizard to install Management Reporter. For more information, see Install Management Reporter server components.

Synchronization service account (optional)

The account that the Microsoft Project Server synchronization service runs as. We recommend that you configure this account so that it has no local logon rights.

Select this account in the System service accounts form.

Connector integration user account (optional)

The account that is used to connect to Microsoft Dynamics AX.

Setup will add the account as a user in Microsoft Dynamics AX, and will assign the user to the System administrator security role.

Enter this account when you run the Setup wizard to install Connector. For more information, see Install Connector for Microsoft Dynamics.

Connector service account (optional)

The account that is used to run integrations with Microsoft Dynamics AX.

This account is also used to send notification emails. If the Simple Mail Transfer Protocol (SMTP) server that you use to send notifications requires authentication to submit emails, you must give this service account permission to authenticate and submit emails.

Enter this account when you run the Setup wizard to install Connector. For more information, see Install Connector for Microsoft Dynamics.

RapidStart Connector account (optional)

The account that the RapidStart Connector Windows service runs as.

Enter this account when you run the Setup wizard to install the RapidStart Connector. For more information, see Install the RapidStart Connector.

Use the Assign users to roles form to assign this account to the System administrator security role.

VSS writer account (optional)

The account that the VSS writer Windows service runs as.

This account must be a local administrator, and must have read/write access to the location where temporary backups are stored.

Enter this account when you run the Setup wizard to install the VSS writer. For more information, see Install the VSS writer for Microsoft Dynamics AX.

Application pool identity for Warehouse Mobile Devices Portal (optional)

The account that is used to run the application pool for the web application for Warehouse Mobile Devices Portal.

You must install an instance of Warehouse Mobile Devices Portal for each company in Microsoft Dynamics AX. Create a separate service account for each instance.

Service accounts must be assigned to the Warehouse mobile device user security role in Microsoft Dynamics AX. The default company for the user must be the legal entity in which the warehouse operates. The language that you select for the user is the default language for the portal.

Enter this account when you run the Setup wizard to install Warehouse Mobile Devices Portal. For more information, see Install Warehouse Mobile Devices Portal.

Use the Assign users to roles form to assign this account to the Warehouse mobile device user security role. Use the Options form to set the default company and language for the user.

Data Import/Export Framework (DIXF) service account

The account that is used for the Data Import/Export Framework service.

The account must have dbdatareader and dbdatawriter access to the business and model store databases, as well as administrator rights to Microsoft Dynamics AX.

We recommend that you use the AOS service account.


Enter this account when you run the Setup wizard to install the Data Import/Export Framework service. For more information, see Install the Data import/export framework (DIXF, DMF).

Create accounts for Retail services

Create the accounts in the following table to run the services that are used in Retail.

Application pool identity for Commerce Data Exchange: Real-time Service

In Microsoft Dynamics AX 2012 Feature Pack, Commerce Data Exchange: Real-time Service is called Retail Transaction Service.

The account that is used to run the application pool for the web application for Real-time Service.

In Microsoft Dynamics AX 2012 Feature Pack, Real-time Service is a Windows service, and this account is used as the service account.

Enter this account when you run the Setup wizard to install Real-time Service. For more information, see Install Commerce Data Exchange: Real-time Service (Retail Transaction Service).

Use the Assign users to roles form to assign this account to the BusinessConnector Role.

Service account for Commerce Data Exchange: Async Client

The account that the Async Client Windows service runs as. The account is not required to be a domain account. It can be a member of a workgroup on the local computer.

Enter this account when you run the Setup wizard to install Async Client. For more information, see Install Commerce Data Exchange: Async Client.

Application pool identity for Commerce Data Exchange: Async Server

The account that is used to run the application pool for the web application for Async Server.

Enter this account when you run the Setup wizard to install Async Server. For more information, see Install Commerce Data Exchange: Async Server.

Service accounts for Commerce Data Exchange: Synch Service

In Microsoft Dynamics AX 2012 Feature Pack, Commerce Data Exchange: Synch Service is called Retail Store Connect.

The accounts that the Synch Service Windows service runs as. These accounts are used to communicate with the database server.

Consider the following points when you select an account:

  • Guest or temporary user accounts are not supported.
  • The service user account on head-office instances of Synch Service must be a Microsoft Dynamics AX user.
  • If you are installing a forwarder instance of Synch Service at headquarters, the service user account can be any valid domain account.
  • If you are installing an instance of Synch Service for a channel, you can use a valid local user account on the computer where the instance runs.
  • The account must be a member of the db_datareader and db_datawriter database roles in the message database.
  • This account must be created on POS computers where offline databases are located.

Enter this account when you run the Setup wizard to install Synch Service. For more information, see Install Commerce Data Exchange: Synch Service (Retail Store Connect).

Application pool identity for Retail Server

The account that is used to run the application pool for the web application for Retail Server. The account is not required to be a domain account. It can be a member of a workgroup on the local computer.

Enter this account when you run the Setup wizard to install Retail Server. For more information, see Install Retail Server.

Application pool identity for Retail hardware station

The account that is used as the identity of the application pool for Retail hardware station. The account is not required to be a domain account. It can be a member of a workgroup on the local computer.

Enter this account when you run the Setup wizard to install Retail hardware station. For more information, see Install Retail Hardware Station.

Service account for Offline Sync Service

The account that the Offline Sync Service Windows service runs as. This account must be a member of the sysadmin server role in SQL Server on the computer where the offline database is installed.

Add this account to the RetailUsers local group.

Use the Services control panel to manually set this account as the identity for the Offline Sync Service.

Retail online store service accounts

Product catalog app pool user: The account that is used as the identity of the application pool for the Retail online store product catalog web site. This account must be a member of the SharePoint Farm Administrators group so that it can edit properties in the root web site.

Store front app pool user: The account that is used as the identity of the application pool for the Retail online store site. This account must be a member of the SharePoint Farm Administrators group so that it can edit properties in the root web site.

STS app pool user: The account that is used to run the application pool for the Security Token Service. This account must be a member of the SharePoint Farm Administrators group so that it can edit properties in the root web site. This account is specified when you install SharePoint.

Retail job user: The account that is used to run the SharePoint Timer Service. This account is specified when you install SharePoint.

Enter these accounts when you run the Setup wizard to install the Retail online store or when you install the store by using Windows PowerShell. For more information, see Install a Microsoft Dynamics AX Retail online store (e-commerce).

Create accounts for SQL Server services

Create the accounts in the following table to run SQL Server services.

SQL Server Database Engine account

The account that the SQL Server (MSSQLSERVER) Windows service runs as.

Select this account when you install the Database Engine. For more information, see the SQL Server documentation.

Microsoft SQL Server Reporting Services account

The account that the SQL Server Reporting Services (MSSQLSERVER) Windows service runs as.

When you install Reporting Services, specify that you want the Reporting Services Windows service to run as the .NET Business Connector account.

Microsoft SQL Server Analysis Services account

The account that the SQL Server Analysis Services (MSSQLSERVER) Windows service runs as.

Select this account when you install Analysis Services.

The account that you select must have read access to the online transaction processing (OLTP) database for Microsoft Dynamics AX.
