Configuring Service Accounts

Microsoft® Windows® 2000 Scripting Guide


On occasion, you might need to change the account under which a given service runs. For example, you might run a service under an administrative account. Because this can create a security vulnerability, you might switch the service to an account with fewer privileges. Alternatively, you might have services running under an account that is about to be deleted, or you might want to ensure that, on all your servers, certain services run under certain accounts.

You can use the Win32_Service Change method to configure services to run under a specified user account. When selecting an account, keep in mind the following:

  • The account being used as a service account must have the right to log on as a service. This right can be granted by using Group Policy.
  • The account being used as a service account should not be a member of a local, domain, or enterprise Administrators group.
  • Each instance of a service should run under a unique user account. This provides additional security, and enables the auditing of individual service instances.
  • If the service is interactive, then the service must run under the LocalSystem account.

    LocalSystem is required because only one window station (WinSta0) can be visible and interactive at a time. If a service runs under an account other than LocalSystem, it runs in the Service-0x03e7$\Default window station, which is an invisible window. Services running in this window station cannot receive input or display output.

Win32_Service properties and methods related to service accounts are shown in Figure 15.4.

Figure 15.4   Win32_Service Account Properties and Methods


Scripting Steps

Listing 15.20 contains a script that changes the service account for services from running under a specified user account to LocalSystem. To carry out this task, the script must perform the following steps:

  1. Create a variable to specify the computer name.
  2. Use a GetObject call to connect to the WMI namespace root\cimv2, and set the impersonation level to "impersonate."
  3. Use the ExecQuery method to query the Win32_Service class.

    To limit data retrieval to a specific set of services, a Where clause is included that restricts the collection to those services whose StartName (the account the service runs under) is .\Netsvc.

    The period and backslash (.\) preceding the account name indicate that the account is a local user account (a second backslash is required whenever a single backslash is used in a query). If the service is running under a domain account, the period is replaced by the domain name (for example, fabrikam\\Netsvc).

  4. For each service in the collection, use the Change method to switch the account to LocalSystem.

    Because StartName must be the seventh parameter passed to the Change method, the new account name is preceded by six empty arguments (represented by the six commas). Following StartName, an empty string ("") is used to indicate that the LocalSystem account does not use a password. If LocalSystem did use a password, the password for the account would be listed following StartName.

Listing 15.20   Switching Service Accounts to LocalSystem

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colServiceList = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_Service WHERE StartName = '.\\NetSvc'")
For Each objService in colServiceList
    errServiceChange = objService.Change _
        ( , , , , , , ".\LocalSystem" , "")
Next



Microsoft Windows 2000 Scripting Guide(c) Automating System Administration 2003
Year: 2004
Pages: 635
