Run them as local service or network service, worst case local system. I would not ever run a service account as Administrator or Domain Admin on a DC. We stopped doing that years ago, took a while to get there because of some crummy legacy stuff but I wouldn't even consider it today.
From: David Lum [mailto:david....@nwea.org] Sent: Tuesday, June 08, 2010 9:47 AM To: NT System Admin Issues Subject: Service accounts that want local admin How do you guys handle service accounts that seem to need local admin perms on server and workstations - I.e., SMS, anti-virus, etc. we currently have them as domain admins with a "no interactive logon" GPO, but surely there's a better way...the only thing that comes to mind is use GPO to make them local admins on each machine but that's not much improvement for say, a DC right? David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
