
Can an administrator create a Service Account on Windows 7 (workstation)?


I want to create a user-account to use as a Service Account or Service User name on Windows 7. For example I made a "tomcat" user for Tomcat -- But that was a quick fix, and I'd like to make it a non-login service account.

When I looked at the Microsoft Management Console / Local Users and Groups I can see the normal login accounts, including a "Tomcat user". And ALSO, a "postgres" username with a description of "service account".

I do not believe this is what Microsoft call a "Service Account" in their server documentation. So whatever postgresql did, I would like to know how to do that too. The postgres user has the following characteristics:

  • Does not appear on the Windows sign-in screen
  • Is not "disabled"
  • User cannot change password (important to stop a 'hack' resetting a password to something else and stealing the account).
  • Does NOT show-up in the usual Admin User Management dialogue(s).
  • Not a member of Users and other more privileged groups.

I'm hoping someone has done this and can point to an explanation.

Failing that, is there a way to turn off the "tomcat" username on the Windows login screen? Quite frankly that would get me one step further, though I'd prefer to make a "service account" like the "postgres" username. Many thanks ...w


Solution

  • I have an answer to manually achieve the goal. It turns out to be quite simple if a little opaque imho. There is an advanced User Management tool available from the command line with either:

    • netplwiz, or
    • control userpasswords2

    Access via Control Panel / Administrative Tools, then:

    • Computer Management
      • Local Users and Groups
        • Users folder
          ... lists ALL the users ...
          • postgres (for example)
          • postgres2
          • tomcat

    In my case I wanted tomcat to be a non-login username, similar to postgres user. If you can inspect the properties for the postgres account, you too will notice that the postgres [Member Of] tab is empty, whereas the tomcat [Member Of] tab lists the Users.

    To hide the tomcat username from the sign-on screen, I selected the Users group name on the [Member Of] tab and pressed the [Remove] button.

    When you log out, the tomcat user is no longer shown as available for log-in. The deed is done.

    Of course you may wish to control the privileges for your particular hidden name, say tomcat too; this can be done with the Groups and advanced features for the tomcat user.

    My thanks to Chris Hoffman's "10+ Useful System Tools Hidden in Windows" post on How-to-Geek for giving me the idea for how this can be done from the console. For a script or program, you'd need to do the same thing via the available Windows API.

    Also I'd be interested in hearing about how belonging to 'Users' gets your name on the sign-on screen and in the normal Users control panel tool. Happy user administrating.

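
The manual steps in the answer above can be scripted. The following is an added example, not code from the original post: it uses the ADSI WinNT provider from PowerShell to remove the account from the Users group and to set "User cannot change password" from the question's list. It assumes a local account named tomcat, the English group name Users, and an elevated prompt.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# Assumptions: local account 'tomcat'; the group carries its English name 'Users'.
param(
    [string]$Account = 'tomcat',
    [string]$Group   = 'Users'
)

$ErrorActionPreference = 'Stop'
$ADS_UF_PASSWD_CANT_CHANGE = 0x40      # UserFlags bit for "User cannot change password"
$computer = $env:COMPUTERNAME

function Get-MemberOf([string]$Name) {
    # Scripted view of the [Member Of] tab: names of local groups that hold the account.
    $entry = [ADSI]"WinNT://$computer/$Name,user"
    @($entry.psbase.Invoke('Groups') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
}

$before = Get-MemberOf $Account
"Before: $Account is a member of: $($before -join ', ')"

# Same effect as selecting the group on [Member Of] and pressing [Remove].
if ($before -contains $Group) {
    $grp = [ADSI]"WinNT://$computer/$Group,group"
    $grp.Remove("WinNT://$computer/$Account")
}

# Set "User cannot change password" only if it is not already set.
$user  = [ADSI]"WinNT://$computer/$Account,user"
$flags = [int]$user.UserFlags.Value
if (-not ($flags -band $ADS_UF_PASSWD_CANT_CHANGE)) {
    $user.Put('UserFlags', ($flags -bor $ADS_UF_PASSWD_CANT_CHANGE))
    $user.SetInfo()
}

"After:  $Account is a member of: $((Get-MemberOf $Account) -join ', ')"
```

After running it, restart the service and confirm it still starts: the account keeps only the access granted to it directly, not what it previously held through the Users group.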