Active Directory Accounts Needed at Onboarding

SVCRemoteAdmin

Login account that Collabrance technicians will use. This is a Domain Admin Account. Service Providers should not know the password to this account. This account can be created and used by Service Providers during the Discovery phase. If the customer decides to continue with services, at this point, Collabrance would change the password and take ownership of this account. Service Providers should, at this time, create their own user account(s). See below for Accounts Required for Service Providers.

SVCNetworkProbe

Account will run the Windows Software Probe Service and the N-able Patch Repository Service at this time. This is a Domain Admin Account. It may also run other Collabrance service accounts as needed. The password for this account will be auto-generated and 10 Characters in length. The password will not be recorded. If a need arises where the password requires a change or reset, a new password will be auto-generated. Since the password will not be recorded, no one will be able to logon as this account. Any noted logons in the event logs would only be the service(s) doing its routines.

SVCFortinet

Account will run the Fortinet Single Service Logon Agent Service on all Domain Controllers. This is a Domain Admin account. It will also be used on the Fortinet Appliance, so the appliance can interact with Active Directory. The password for this account will be auto-generated and 10 Characters in length. The password will not be recorded. If a need arises where the password requires a change or reset, a new password will be auto-generated. Since the password will not be recorded, no one will be able to logon as this account. Any noted logons in the event logs would only be the service(s) doing its routines.

NOTE: Other service accounts may be introduced in the future as needed. We will always strive to minimize the number of accounts needed, and will attempt to keep it to these 3.

NOTE: If we do need to create an account it will be prefaced with “SVC” for standards and easy removal if needed.

Each Service Provider will need a user account(s) to log into client machines. The username(s) and password(s) will be separate from the above Collabrance user accounts. Collabrance should not know the password to the account(s). We would recommend that Service Providers use a standard naming convention as noted above.

As a best practice, services that require user accounts in order to function should NOT be “administrator” or any of the Collabrance or Service Provider user accounts. If this is the case, a plan should be developed with the customer and the software provider to rectify this. In order to provide Service Desk support and proper monitoring, Collabrance will need to know the usernames and passwords for other service accounts OR have a viable alternative readily available.

Requiring a User Account to be logged on is NOT a best practice, but may be unavoidable for poorly written applications. Should an account be required to be logged on, the related service account should be used. Administrator and the above accounts should NOT serve the function of being required to be logged on. All of the accounts created for the purpose of Collabrance or for Service Provider use should always be able to logoff the system.

We will NOT be attempting to change any services using accounts other than ones for Collabrance tools. We will NOT be changing any SQL user accounts. We will NOT be changing the Administrator password. We recommend as a best practice that the Administrator account be disabled. However, proper research, planning and implementation are required before making this change.

NOTE: These processes are NOT designed for Workgroup environments. Workgroups provide a unique challenge and will require more preparation to facilitate a move to this process.