How to create application user in Active Directory

In one of my earlier posts, https://www.wojcieh.net/vcenter-server-5-5-on-sql-server-2012-installation-part-2/, I was asked how to create an application user in Active Directory.

In a few steps, I will explain how to do it and show you how to use it.

Why do we use application users at all?

There are several reasons to create such users in Active Directory:

  • User isolation: each application user is used by one and only one application/service
  • The user has a stronger password than normal users, so it is more secure
  • Services that use such a user are easier to manage

How to create an application user?

It is a very easy task. Create the desired user in Active Directory like any other user. I suggest creating and following a username scheme; for example, you can use app-username, ap-username or application-name as the username.

After the user is created, set a long and difficult password and store it securely. The second thing you have to do is grant the application user the right to start the service. You can do it by editing Local Group Policy: click Start \ Run \ gpedit.msc so that you can change the desired service to be managed by the application user.

Navigate to Local Computer Policy \ Windows Settings \ Security Settings \ Local Policies.


Click Log on as a service and provide the desired application username.

Application user security: a word of advice

After you have successfully started the service as the application user, I suggest doing the following to keep your environment secure.

  • Store the application user password securely.
  • Don’t use the same username for more than one service.
  • Create a new Group Policy which denies your application user the right to log on locally and through Remote Desktop Services (RDP).
    • You can do it simply in the Group Policy Management console by clicking Create a GPO in this domain, and Link it here.
    • Provide GPO name
    • Click Edit
    • Navigate to Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Local Policies and set values for Deny log on locally and Deny log on through Remote Desktop Services for the application accounts.
    • After that, run gpupdate /force on the servers to refresh the policy immediately, or wait until it is applied globally.
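The account-creation step and the "one account per service" rule above, scripted in PowerShell as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module is installed and that the caller may create users in the target OU; the OU path, UPN suffix, account prefix and server names are placeholders. The second function is a check you can run afterwards: it lists which services run under application accounts and flags any account that is bound to more than one service.

```powershell
# Added example, not code from the original post. Assumes the RSAT ActiveDirectory
# module is installed and the caller may create users in the target OU.
# The OU path, UPN suffix, account prefix and server names are placeholders.
Import-Module ActiveDirectory
function New-AppServiceUser {
    param(
        [Parameter(Mandatory)] [string] $ServiceName,   # e.g. 'vcenter-sql'
        [string] $Prefix = 'app-',                       # naming scheme from the post
        [string] $OuPath = 'OU=ServiceAccounts,DC=example,DC=local',
        [string] $UpnSuffix = 'example.local',
        [int]    $PasswordLength = 32
    )
    $sam = "$Prefix$ServiceName"
    # Long random password from the OS cryptographic RNG; bytes at or above
    # $limit are rejected so the modulo does not bias towards early characters.
    $alphabet = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*-_=+'
    $limit = 256 - (256 % $alphabet.Length)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $chars = New-Object System.Collections.Generic.List[char]
    $buf = New-Object byte[] 1
    while ($chars.Count -lt $PasswordLength) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $plain = -join $chars
    New-ADUser -Name $sam -SamAccountName $sam -UserPrincipalName "$sam@$UpnSuffix" `
        -Path $OuPath -AccountPassword (ConvertTo-SecureString $plain -AsPlainText -Force) `
        -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description "Application account for $ServiceName only"
    # Returned once so it can be put in the password vault; keep it nowhere else.
    return $plain
}
# Audit: list every service on the given servers that runs under an 'app-' account
# and flag accounts bound to more than one service (the post says: one per service).
function Get-AppServiceUsage {
    param([Parameter(Mandatory)] [string[]] $ComputerName, [string] $Prefix = 'app-')
    Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName |
        Where-Object { $_.StartName -match "(^|\\)$([regex]::Escape($Prefix))" } |
        Group-Object StartName |
        ForEach-Object {
            [pscustomobject]@{
                Account  = $_.Name
                Services = ($_.Group | ForEach-Object { "$($_.PSComputerName)\$($_.Name)" }) -join ', '
                Shared   = ($_.Count -gt 1)   # True means the account is reused
            }
        }
}
# Usage (placeholders): $pw = New-AppServiceUser -ServiceName 'vcenter-sql'
#                       Get-AppServiceUsage -ComputerName 'srv1','srv2' | Where-Object Shared
```

Any row with Shared set to True is an account that violates the rule above and should be split into separate accounts.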


Wojciech Marusiak

Cloud Solution Architect at Microsoft
I am an innovative and experienced IT professional with over 13 years in the IT industry.

My experience and skills have been proven by leading vendor certifications like AWS, Alibaba Cloud, VMware, and Microsoft. I contribute to the IT community and I received VMware vExpert 2014 - 2019, vExpert Pro and VMware vExpert NSX 2017 Award.

My blog wojcieh.net - was voted #76 in Top vBlog 2018 contest!



  1. “After that run gpoupdate /force on servers to refresh policy immediately or wait until it will be applied globally.”

    Typo.
    gpupdate.