
PI Universal Interface UniInt Framework

Service account types

  • Last Updated: Jul 10, 2024

Windows services can run as the following account types:

  • Domain user account

    If the service interacts with network services or accesses domain resources like file shares on other computers, consider using a minimally-privileged domain account. A domain administrator must create the account before interface services can be configured to use the account.

  • Local user account

    If the computer is not part of a domain, a local user account can be used. OSIsoft recommends that the account not have administrator permissions.

  • Local Service account

    This is a built-in low-privilege account. This limited access helps safeguard the system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session without credentials (anonymous). For service creation, the actual name of the account is NT AUTHORITY\LocalService. For controlling access to local files or other securable objects, the account name is Local Service.

  • Network Service account

    This is a built-in low-privilege account. Services that run as the Network Service account access network resources by using the credentials of the computer account. For service creation, the actual name of the account is NT AUTHORITY\NetworkService. For controlling access to local files or other securable objects, the account name is Network Service.

  • Virtual accounts

    Microsoft introduced virtual accounts in Windows 7 and Windows Server 2008 R2. A virtual account has the same privileges as the built-in Network Service account. The difference is that a virtual account is specific to one service but multiple services can share the Network Service account. Therefore, a virtual account can have finer granularity of access control for local resources (like files and folders) than the Network Service account. On Windows versions that support virtual accounts, virtual accounts are preferable to the Network Service or Local Service account for interface services. For service creation, the actual name of the account is NT SERVICE\servicename, where servicename is the interface executable name plus the service ID.

  • Managed Service Account

    A Managed Service Account (MSA) is a type of service account that can be associated with services on individual machines, and is available for Windows 7 and Windows Server 2008 R2 computers. A managed service account is a domain account, which must be created by a domain administrator. The advantages of a managed service account over a domain user account are that MSAs cannot be used to log on to a machine, have rotating passwords that are managed by the domain, and cannot be locked out.

  • Group Managed Service Account

    A Group Managed Service Account (gMSA) is a type of service account that can be associated with services on multiple machines. A gMSA is a domain account, and it must be created by a domain administrator. The gMSA extends the functionality of the MSA to cover multiple computer accounts. The gMSA can be very useful for clustered SQL Server environments. Group Managed Service Accounts are available for Windows Server 2012 and later.

  • Local System account

    This is the highest privileged built-in account. It has extensive privileges on the local system and acts as the computer on the network. The actual name of the account is .\LocalSystem.

    Caution: Avoid using the Local System account for interface services. The Local System account has higher privileges than administrator accounts.

Service account types can be grouped by the level of security they offer:

  • Most-secure account types

    • Non-administrative local account

    • Non-administrative domain account

    • Built-in Local Service account

    • Built-in Network Service account

    • Built-in virtual service account

    • Managed Service Account

  • Less-secure account types

    • Administrative local account

    • Administrative domain account

  • Least-secure account type

    • Built-in Local System account

      Note: Local and user-domain accounts have password administration issues that require additional security considerations, which are not discussed in this document.
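
To check which of these account types the services on a machine actually run as, the following PowerShell is an added example (not part of the original documentation or OSIsoft code). The function name `Get-ServiceAccountType`, the `PI%` service-name pattern, and the review wording are assumptions made for illustration; classification is by account name only, so whether a user account is an administrator still has to be confirmed separately.

```powershell
# Added example. Classifies a service's run-as name (Win32_Service.StartName)
# into the account types listed above. Matching is by name pattern only.
function Get-ServiceAccountType {
    param([string]$StartName)

    $computer = [regex]::Escape($env:COMPUTERNAME)
    switch -Regex ($StartName) {
        '^(\.\\)?LocalSystem$'           { return 'Local System' }
        '^NT AUTHORITY\\LocalService$'   { return 'Local Service' }
        '^NT AUTHORITY\\NetworkService$' { return 'Network Service' }
        '^NT SERVICE\\'                  { return 'Virtual account' }
        # Heuristic: MSA and gMSA logon names end in "$".
        '\$$'                            { return 'Managed service account (MSA or gMSA)' }
        "^(\.|$computer)\\"              { return 'Local user account' }
        '\\|@'                           { return 'Domain user account' }
        default                          { return 'Unknown' }
    }
}

# Assumption: interface service names start with "PI"; change the WQL pattern to suit.
$nameFilter = "Name LIKE 'PI%'"

Get-CimInstance -ClassName Win32_Service -Filter $nameFilter | ForEach-Object {
    $type = Get-ServiceAccountType -StartName $_.StartName
    $review = switch -Wildcard ($type) {
        'Local System'  { 'Least secure: move to a lower-privileged account' }
        '*user account' { 'Confirm the account is not an administrator' }
        'Unknown'       { 'Inspect manually' }
        default         { 'Low-privilege built-in, virtual, or managed account' }
    }
    [pscustomobject]@{
        Service = $_.Name
        RunsAs  = $_.StartName
        Type    = $type
        Review  = $review
    }
} | Sort-Object Type, Service | Format-Table -AutoSize
```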
