Directory Services

Logon Account Maintenance Tasks

There are two primary issues that concern logon account maintenance tasks:

The latter is a rare case, but can happen. The system provides the Computer Management administrative tool, which enables an administrator to change a service's logon account. In addition, other applications can use the ChangeServiceConfig function to specify a new logon account for an installed service. By default, local administrator privileges are required to change a service account. If this did happen, it could affect your service in two ways:

One approach is to have the service installer store the registered SPNs for each service instance in the registry on the host computer. You could use the same registry key under HKEY_LOCAL_MACHINE that you used to store the binding string for the service's SCP. When the service starts, it calls the QueryServiceConfig function to determine its logon account and then queries Active Directory to determine whether the SPNs are registered on the directory object for that account. If the SPNs are not registered, or are registered on the wrong account, the service refuses to start and displays a message saying that a domain administrator must run the service's configuration program to update the logon account settings. Be aware that this reconfiguration must be completed by an administrator, because the service account should not have permission to update its own SPNs. Also be aware that the SPNs must be removed from the old account; otherwise they are useless for authentication, because they are no longer unique in the forest.
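The following PowerShell script is an added example of the startup check described above; it is not code from this documentation or from Windows itself. It reads the service's start name from the Service Control Manager (the same value QueryServiceConfig returns), reads the SPNs the installer recorded in the registry, compares them with the servicePrincipalName attribute on the logon account's directory object, and additionally confirms through the Global Catalog that no other object in the forest carries the same SPN (which would be the case if the SPNs were left on the old account). The registry key `HKLM:\SOFTWARE\Contoso\ExampleService`, the REG_MULTI_SZ value name `RegisteredSPNs`, and the `Contoso` name are assumptions for the example; the installer is assumed to have written them.

```powershell
# Added example, not part of the original documentation.
# Pre-start check: are the installer-recorded SPNs registered on the account the
# service actually runs as, and are they unique in the forest?
# Assumed: the registry key, the value name "RegisteredSPNs" (REG_MULTI_SZ), and
# that the service installer wrote them.

param(
    [Parameter(Mandatory = $true)] [string] $ServiceName,
    [string] $RegistryPath = 'HKLM:\SOFTWARE\Contoso\ExampleService'   # hypothetical key
)

function Get-ServiceLogonSam {
    # Maps the SCM start name (what QueryServiceConfig returns in lpServiceStartName)
    # to the sAMAccountName whose directory object should carry the SPNs.
    param([string] $StartName)
    if ($StartName -match '^(LocalSystem|NT AUTHORITY\\NetworkService)$') {
        # These built-in accounts authenticate on the network as the computer account.
        return "$env:COMPUTERNAME`$"
    }
    if ($StartName -match '^[^\\]+\\(?<sam>[^\\]+)$') { return $Matches['sam'] }
    throw "Unsupported logon account format '$StartName' (expected DOMAIN\user)."
}

function Get-DirectorySpns {
    # Returns the servicePrincipalName values on the account's object in the current domain.
    param([string] $SamAccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(sAMAccountName=$SamAccountName)"
    [void] $searcher.PropertiesToLoad.Add('servicePrincipalName')
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "No directory object found for account '$SamAccountName'." }
    return @($result.Properties['serviceprincipalname'])
}

function Get-SpnOwnerCount {
    # Counts objects in the whole forest (via the Global Catalog) that carry the given SPN.
    # servicePrincipalName is part of the GC partial attribute set, so one query covers the forest.
    param([string] $Spn)
    $forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Name
    $gc       = New-Object System.DirectoryServices.DirectoryEntry("GC://$forest")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($gc)
    $searcher.Filter = "(servicePrincipalName=$Spn)"
    [void] $searcher.PropertiesToLoad.Add('distinguishedName')
    return @($searcher.FindAll()).Count
}

# 1. Which account does the SCM start the service as?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if ($null -eq $svc) { throw "Service '$ServiceName' is not installed." }

# 2. Which SPNs did the installer register? (hypothetical value name)
$expected = @((Get-ItemProperty -Path $RegistryPath -Name RegisteredSPNs).RegisteredSPNs)

# 3. Which SPNs does the directory actually hold for that account?
$sam    = Get-ServiceLogonSam -StartName $svc.StartName
$actual = Get-DirectorySpns -SamAccountName $sam

# Missing: SPN not on the current logon account (e.g. account was changed, SPNs were not moved).
# Duplicated: SPN still present on another object as well (e.g. left on the old account).
$missing    = @($expected | Where-Object { $actual -notcontains $_ })
$duplicated = @($expected | Where-Object { (Get-SpnOwnerCount -Spn $_) -gt 1 })

if ($missing.Count -gt 0 -or $duplicated.Count -gt 0) {
    Write-Error ("Service '{0}' refuses to start. Logon account '{1}' is missing SPNs [{2}]; " +
                 "SPNs registered on more than one object [{3}]. A domain administrator must run " +
                 "the service's configuration program to update the logon account settings.") `
        -f $ServiceName, $svc.StartName, ($missing -join ', '), ($duplicated -join ', ')
    exit 1
}
Write-Output "SPN check passed for '$ServiceName' running as '$($svc.StartName)'."
```

The script only reads the directory; it deliberately does not try to register or remove SPNs, matching the guidance above that the service account itself should not have that permission. The `Get-ServiceLogonSam` helper only handles the `DOMAIN\user` form and the two built-in accounts that authenticate as the computer account; a service started under a UPN or a group-managed service account would need its own mapping.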