Microsoft's best practice for service accounts is to apply the concept of least permissions to each account. In other words, if an account needs local administrative rights on a server or desktop, add the account to the local Administrators group on that machine. Do not make the account a Domain Administrator!
While researching the service accounts in use at my last company, we determined that an account commonly used as the Cluster Service account (to administer the server cluster) was a Domain Administrator account. The solution was to create a standard service account with user-level permissions, add that account to the local Administrators group on each node, and assign the proper NT rights to the account.
Now, how do you automate replacing this account on 60 or more server nodes? We created a package in SMS/SCCM with a command file that accepts the name of the domain user account in the format domainname\account, which keeps the command file generic. After some experimentation we found that the resource kit utility ntrights.exe can adjust the NT rights (the ones listed below are the ones required for a service account). Just place ntrights.exe in the same package folder as the cmd file.
Tomorrow's blog will cover using automation to swap out the old service account and add in the new one.
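The discovery step described above (finding which services run under a Domain Admin account) can be scripted. The following PowerShell is an added example, not code from the original post; it assumes a domain-joined admin workstation with the RSAT ActiveDirectory module, nodes reachable over WinRM for Get-CimInstance, and placeholder node names NODE01 and NODE02.

```powershell
# Added example (not from the original post): report services on one or more nodes
# whose logon account is a (recursive) member of a privileged domain group.
# Assumes the ActiveDirectory module and WinRM access to each node; node names are placeholders.
param(
    [string[]]$ComputerName = @('NODE01', 'NODE02'),   # placeholder node names
    [string]$PrivilegedGroup = 'Domain Admins'
)

Import-Module ActiveDirectory -ErrorAction Stop

$ad      = Get-ADDomain
$netbios = $ad.NetBIOSName   # e.g. CORP   (matches the DOMAIN\user form)
$dnsRoot = $ad.DNSRoot       # e.g. corp.example.com (matches the user@domain form)

# Resolve group membership recursively and keep bare sAMAccountNames, lower-cased
$privileged = Get-ADGroupMember -Identity $PrivilegedGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $_.SamAccountName.ToLowerInvariant() }

$findings = foreach ($node in $ComputerName) {
    try {
        $services = Get-CimInstance -ClassName Win32_Service -ComputerName $node -ErrorAction Stop
    } catch {
        Write-Warning "Could not query $node : $($_.Exception.Message)"
        continue
    }
    foreach ($svc in $services) {
        # StartName is the service logon account: 'LocalSystem', 'NT AUTHORITY\...',
        # 'DOMAIN\user' or 'user@domain'. Only accounts from our domain are of interest,
        # which also keeps local accounts that happen to share a name out of the report.
        $acct = $svc.StartName
        if (-not $acct) { continue }
        if     ($acct -match '^([^\\]+)\\(.+)$' -and $Matches[1] -ieq $netbios) { $bare = $Matches[2] }
        elseif ($acct -match '^([^@]+)@(.+)$'   -and $Matches[2] -ieq $dnsRoot) { $bare = $Matches[1] }
        else   { continue }

        if ($privileged -contains $bare.ToLowerInvariant()) {
            [pscustomobject]@{
                Computer  = $node
                Service   = $svc.Name
                Account   = $svc.StartName
                StartMode = $svc.StartMode
                State     = $svc.State
            }
        }
    }
}

$findings | Sort-Object Computer, Service | Format-Table -AutoSize
```

Each row is a service that would keep running with Domain Admin rights until its logon account is swapped, so the output doubles as the work list for the replacement rollout.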
REM Pass DomainName\Account to this cmd file; ntrights.exe sits in the same package folder
IF "%~1"=="" (ECHO Usage: %~nx0 DomainName\Account & EXIT /B 1)
REM Add account to local administrators group...
NET LOCALGROUP Administrators %1 /ADD
REM Assign proper rights to the account (resolve ntrights.exe from this cmd file's folder)...
REM   SeIncreaseQuotaPrivilege = Adjust memory quotas for a process
REM   SeLockMemoryPrivilege    = Lock pages in memory
REM   SeServiceLogonRight      = Log on as a service
REM   SeTcbPrivilege           = Act as part of the operating system
"%~dp0ntrights.exe" +r SeIncreaseQuotaPrivilege -u %1
"%~dp0ntrights.exe" +r SeLockMemoryPrivilege -u %1
"%~dp0ntrights.exe" +r SeServiceLogonRight -u %1
"%~dp0ntrights.exe" +r SeTcbPrivilege -u %1
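After the package has run on a node, it is worth confirming that the new account ended up with exactly the local Administrators membership and the four rights the cmd file assigns. The PowerShell below is an added verification example, not part of the original post or the SMS/SCCM package; it assumes it runs elevated on the node, uses secedit.exe (which ships with Windows) to export the user rights assignment, and takes the account name as a parameter (DOMAINNAME\svc_cluster is a placeholder).

```powershell
# Added example (not from the original post): verify on a node that a service account
# is in the local Administrators group and holds the four rights the cmd file assigns.
# Assumes an elevated session on the node; the account name is a placeholder.
param(
    [Parameter(Mandatory)] [string]$Account   # e.g. DOMAINNAME\svc_cluster (placeholder)
)

$requiredRights = @(
    'SeIncreaseQuotaPrivilege',   # Adjust memory quotas for a process
    'SeLockMemoryPrivilege',      # Lock pages in memory
    'SeServiceLogonRight',        # Log on as a service
    'SeTcbPrivilege'              # Act as part of the operating system
)

# secedit writes rights holders as *S-1-5-... entries, so compare by SID
$sid = (New-Object System.Security.Principal.NTAccount($Account)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value

# 1. Local Administrators membership
$isLocalAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
    Where-Object { $_.SID.Value -eq $sid })

# 2. Export the local security policy (user rights area only) and parse [Privilege Rights]
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content $cfg
Remove-Item $cfg -ErrorAction SilentlyContinue

$granted = @{}
foreach ($line in $lines) {
    # Lines look like: SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $holders = $Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
        $granted[$Matches[1]] = $holders
    }
}

$report = foreach ($r in $requiredRights) {
    $has = $granted.ContainsKey($r) -and
           ($granted[$r] -contains $sid -or $granted[$r] -contains $Account)
    [pscustomobject]@{ Right = $r; Granted = $has }
}

[pscustomobject]@{ Account = $Account; SID = $sid; LocalAdmin = $isLocalAdmin } | Format-List
$report | Format-Table -AutoSize

# Non-zero exit when anything is missing, so a compliance or SCCM detection run flags the node
if (-not $isLocalAdmin -or ($report | Where-Object { -not $_.Granted })) { exit 1 }
```

The exit code makes the script usable as a post-deployment check across all 60-plus nodes: any node that reports a missing right or missing group membership can be queued for another run of the package rather than discovered later when the cluster service fails to start.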