Post reply

Can the following NT SERVICE accounts be ignored for password rotational purposes

  • September 14, 2017 at 2:49 am

    #339226

    Hi 

    Can the following accounts  be ignored for password rotation;

    NT SERVICE\SQLWriter
    NT SERVICE\Winmgmt
    NT Service\MSSQLSERVER
    NT AUTHORITY\SYSTEM
    NT SERVICE\SQLSERVERAGENT

    They are showing up as logins in various servers and we are auditing logins for password rotation.

    If these can be put on an auditing exemption list for password rotation as I believe they can be,  is anyone aware of some good Microsoft documentation to back up same?

    Thanks in Advance

  • September 14, 2017 at 2:59 am

    #1959381

    caz100 - Thursday, September 14, 2017 2:49 AM

    Hi 

    Can the following accounts  be ignored for password rotation;

    NT SERVICE\SQLWriter
    NT SERVICE\Winmgmt
    NT Service\MSSQLSERVER
    NT AUTHORITY\SYSTEM
    NT SERVICE\SQLSERVERAGENT

    They are showing up as logins in various servers and we are auditing logins for password rotation.

    If these can be put on an auditing exemption list for password rotation as I believe they can be,  is anyone aware of some good Microsoft documentation to back up same?

    Thanks in Advance

    There are all local service accounts that on the server they are on. You can't log in as them, and you won't be able to give them permissions outside of the Server that they are on. If another server has that Service Account, it is a different account (As it has a different SID).

    There is no need to include these in your auditing of logins, as they aren't logins.

    Thom~

    Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
    Larnu.uk

  • September 14, 2017 at 6:35 am

    #1959406

    caz100 - Thursday, September 14, 2017 2:49 AM

    Hi 

    Can the following accounts  be ignored for password rotation;

    NT SERVICE\SQLWriter
    NT SERVICE\Winmgmt
    NT Service\MSSQLSERVER
    NT AUTHORITY\SYSTEM
    NT SERVICE\SQLSERVERAGENT

    They are showing up as logins in various servers and we are auditing logins for password rotation.

    If these can be put on an auditing exemption list for password rotation as I believe they can be,  is anyone aware of some good Microsoft documentation to back up same?

    Thanks in Advance

    You can find the documentation through this link:
    Service User Accounts

    There links at the bottom of the document to LocalService, LocalSystem and NetworkSystem. In each of those, it has the line:
    This account does not have a password.

    Sue

  • September 14, 2017 at 7:00 am

    #1959415

    Thanks Thom A for confirming my assumption and thanks Sue_H for backing it up with some good Microsoft links. Much appreciated.

Viewing 4 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic. Login to reply