All: To piggyback off of my last question, we are now looking at a way to manage more granularly the resource/service accounts in our AD. What I mean by that is that we want to be able to:
1. Limit the systems that a resource account can log in to.
2. Keep resource / service accounts from sprawling to other applications that we are unaware of.
We have lifetimes assigned by our Identity Management system for resource accounts so that we don’t have these abandoned accounts existing forever. There are times when a resource account has exceeded its lifetime and has not been renewed in time before being disabled. When the account is disabled, obviously the services that were using this resource account fail. If a resource account is used and re-used for many, many applications then the effect can be pretty bad.
As well, we are unable to know all of the applications that are implemented on our network if resource accounts can be used for multiple applications.
Is there a tool that can help us limit the ability for resource accounts to authenticate to anything that is not authorized or approved? I do realize there is an ability to set the “Log Into” setting on the account itself, but it would be helpful to have the ability for a self-service registration such that the application owners can authorize the account on more IP/Machines and provide us with visibility of what a resource account is used for.

Brian Britt
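The two concerns in the post, accounts that can log on anywhere and accounts whose lifetime is about to lapse, can be audited against the "Log On To" setting (the userWorkstations attribute) and AccountExpirationDate with the ActiveDirectory module. The script below is an added example, not from the poster or any product; the OU name and the per-account approved-host register are constructed placeholders standing in for whatever a self-service registration system would feed in.

```powershell
# Added example: audit AD service accounts for missing "Log On To" restrictions,
# host sprawl beyond an approved register, and imminent lifetime expiry.
# Assumes the ActiveDirectory module; OU path and $ApprovedHosts are placeholders.
Import-Module ActiveDirectory

# Constructed sample register of approved hosts per account (in practice this
# would come from the application owners' self-service registration).
$ApprovedHosts = @{
    'svc-backup' = @('BKP01', 'BKP02')
    'svc-webapp' = @('WEB01')
}

function Get-ServiceAccountAudit {
    param(
        [string]$SearchBase = 'OU=ServiceAccounts,DC=corp,DC=example',  # placeholder OU
        [int]$ExpiryWarningDays = 30
    )
    $accounts = Get-ADUser -Filter * -SearchBase $SearchBase `
        -Properties LogonWorkstations, AccountExpirationDate
    foreach ($acct in $accounts) {
        # LogonWorkstations is a comma-separated list of NetBIOS names; empty means unrestricted
        $allowed  = if ($acct.LogonWorkstations) { $acct.LogonWorkstations -split ',' } else { @() }
        $expected = $ApprovedHosts[$acct.SamAccountName]
        $expiry   = $acct.AccountExpirationDate
        [pscustomobject]@{
            Account      = $acct.SamAccountName
            Enabled      = $acct.Enabled
            Expires      = $expiry
            ExpiresSoon  = [bool]($expiry -and $expiry -lt (Get-Date).AddDays($ExpiryWarningDays))
            Unrestricted = ($allowed.Count -eq 0)          # can log on to any machine
            # Hosts granted in AD but absent from the register: sprawl to investigate
            Unapproved   = @($allowed | Where-Object { $expected -notcontains $_ })
            # Hosts approved by the owner but not yet granted in AD
            MissingInAD  = @($expected | Where-Object { $allowed -notcontains $_ })
        }
    }
}

# Enforce the register for one account by writing its approved host list
# into the "Log On To" setting.
function Set-ApprovedLogonHosts {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $hosts = $ApprovedHosts[$SamAccountName]
    if (-not $hosts) { throw "No approved host list registered for $SamAccountName" }
    Set-ADUser -Identity $SamAccountName -LogonWorkstations ($hosts -join ',')
}

Get-ServiceAccountAudit | Format-Table -AutoSize
```

The "Log On To" restriction is enforced by the domain controller at logon time and takes NetBIOS computer names, not IP addresses, so the register has to be kept in those terms.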