Create a Service Account
Applies To: Windows Server 2003, Windows Server 2003 with SP1
A service account is a user account that is created explicitly to provide a security context for services running on Microsoft® Windows® Server 2003. Application pools use service accounts to assign permissions to Web sites and applications running on Internet Information Services (IIS). Administrators can manage service accounts individually to determine the level of access for each application pool in a distributed environment.
Use Active Directory Users and Computers to create service accounts in the Active Directory® directory service. Use Computer Management to create local service accounts on a local computer.
Requirements
Credentials: Membership in the Administrators group on the local computer.
Tools: Active Directory Users and Computers; Computer Management.
Recommendation
As a security best practice, log on to your computer using an account that is not in the Administrators group, and then use the Run as command to run IIS Manager as an administrator. At the command prompt, type **runas /user:**administrative_accountname mmc %systemroot%\system32\inetsrv\iis.msc.
Procedures
To create a service account in Active Directory
Open Administrative Tools, and then click Active Directory Users and Computers.
In the console tree, double-click the Domain node.
In the Details pane, right-click the organizational unit where you want to add the service account, point to New, and then click User.
In First name, type a first name for the service account.
In Last name, type a last name for the service account.
Modify Full name as desired.
In User logon name, type the name that the service account will log on with and, from the drop-down list, click the UPN suffix that must be appended to the service account logon name (following the @ symbol). Click Next.
In Password and Confirm password, type a password for the service account.
Select the appropriate password options, and then click Next.
Click Finish to complete creating a service account.
To create a service account on the local Web server
Open Administrative Tools, and then click Computer Management.
In the console tree, expand System Tools, expand Local Users and Groups, and then click Users.
On the Action menu, click New User.
Type a User name, Full name, and a Description of the user account.
In Password and Confirm password, type a password for the user account.
Set the user account access by selecting the check box to set the option or clearing the check boxes to remove the option for:
User must change password at next logon
User cannot change password
Password never expires
Account is disabled
Click Create, and then click Close.
To create a service account for IIS_WPG Group
Open Administrative Tools, and then click Computer Management.
In the console tree, expand System Tools, expand Local Users and Groups, and click Groups.
Click the IIS_WPG group and, on the Action menu, click Add to Group.
Under Description, type the name of the account and click Add.
In the Select Users dialog box, click the Object Types button, and select or clear the check box for the object types you want to find. Click OK.
Click the Locations button to select the location of the service account. Click OK.
Enter the name of the object under Enter the object names to select.
Click OK, and then click OK again.