Question
Is there a "correct" / standard way to distinguish Service Accounts from User Accounts in AD?
More Info
In certain scenarios we have systems running under AD Credentials (i.e. under a Service Account). These Service Accounts are created in exactly the same way as user accounts; the only difference being the name and description. A few things have been done to make a distinction between the two account types (e.g. which OU the account is in, whether "password never expires" is enabled, if "service account" is in the description), but there's no one rule which can be applied to everything to clearly distinguish between the two.
Going forwards we're looking to improve this / spring clean things to make a distinction clear. We'll likely use both the OU and Description fields for this purpose.
Before doing this though I wanted to check; is there a way in which this should be done; i.e. some attribute specifically for this purpose (maybe an objectCategory value different to Person?), or a recognised standard naming convention, or does each company figure out their own approach?
I've not seen anything that could be construed as an 'official' standard. What I've typically done is used a standard naming prefix as well as keeping them in an OU. You could use the Description field or the Department field as well for an easy sort/select.
There is no "official" solution to this issue, nor any specific AD attribute meant to convey "this is a service account". Various places use various techniques, which may include OUs, groups, descriptions, name prefixes, and so on; but it really is only a cosmetic distinction: service accounts are the exact same objects as user accounts.
Microsoft Active Directory uses the objectCategory attribute like a programming language might define a "class". By default, users have "objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=mydomain,dc=com". You could override this with another DN, like account or posixAccount.
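Since the answers agree the distinction is purely conventional, the useful thing to automate is checking that the conventions actually agree with each other before the spring clean. The script below is an added example and is not code from the question or from any of the answers. It takes the conventions mentioned on this page (a dedicated OU, a naming prefix, "service account" in the Description) as three "declared" signals, adds two behavioural hints that are typical of service accounts (PasswordNeverExpires and an SPN on the account), and reports every account where the signals disagree. The OU name `OU=Service Accounts`, the prefix `svc-`, the marker text and the sample accounts are all assumptions of mine; change the parameters to match your own scheme.

```powershell
# Added example, not code from the question or any of the answers above.
# Checks each AD user object against the conventions discussed (OU, naming
# prefix, Description text) plus two behavioural hints (PasswordNeverExpires,
# an SPN on the account) and reports where they disagree. The OU name,
# prefix and marker text below are assumptions; change them to match yours.

function Test-ServiceAccountConvention {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Account,
        [string] $ServiceOuRdn = 'OU=Service Accounts',   # assumed OU that holds service accounts
        [string] $NamePrefix   = 'svc-',                  # assumed naming prefix
        [string] $DescMarker   = 'service account'        # assumed Description marker
    )
    process {
        $dn   = [string]$Account.DistinguishedName
        $sam  = [string]$Account.SamAccountName
        $desc = [string]$Account.Description

        # The three "declared" conventions: things an admin sets on purpose.
        # The DN test also matches accounts in sub-OUs of the service OU.
        $inServiceOu = $dn -like "*,$ServiceOuRdn,*"
        $hasPrefix   = $sam.StartsWith($NamePrefix, [System.StringComparison]::OrdinalIgnoreCase)
        $descMarked  = $desc -match [regex]::Escape($DescMarker)   # -match is case-insensitive

        # Two "behavioural" hints: not conventions, but typical of service accounts.
        $pwdNeverExpires = [bool]$Account.PasswordNeverExpires
        $hasSpn          = @($Account.ServicePrincipalName).Count -gt 0

        $declared = [int]$inServiceOu + [int]$hasPrefix + [int]$descMarked
        $verdict = if ($declared -eq 3) { 'Service' }            # all conventions agree
                   elseif ($declared -eq 0 -and -not ($pwdNeverExpires -or $hasSpn)) { 'User' }
                   elseif ($declared -eq 0) { 'Suspect' }        # behaves like a service account, never declared as one
                   else { 'Inconsistent' }                       # declared by some conventions, not all

        [pscustomobject]@{
            SamAccountName    = $sam
            Verdict           = $verdict
            InServiceOu       = $inServiceOu
            HasPrefix         = $hasPrefix
            DescriptionMarked = $descMarked
            PwdNeverExpires   = $pwdNeverExpires
            HasSpn            = $hasSpn
        }
    }
}

# Constructed sample objects (not real accounts) using the same property names
# Get-ADUser returns, so the function can be tried without a domain.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-backup'
                       DistinguishedName = 'CN=svc-backup,OU=Service Accounts,DC=example,DC=com'
                       Description = 'Service account for nightly backup job'
                       PasswordNeverExpires = $true
                       ServicePrincipalName = @('HOST/backup01.example.com') }
    [pscustomobject]@{ SamAccountName = 'jdoe'
                       DistinguishedName = 'CN=Jane Doe,OU=Users,DC=example,DC=com'
                       Description = 'Finance'
                       PasswordNeverExpires = $false
                       ServicePrincipalName = @() }
    [pscustomobject]@{ SamAccountName = 'sqlagent'
                       DistinguishedName = 'CN=sqlagent,OU=Users,DC=example,DC=com'
                       Description = 'SQL Agent on DB02'
                       PasswordNeverExpires = $true
                       ServicePrincipalName = @('MSSQLSvc/db02.example.com:1433') }
    [pscustomobject]@{ SamAccountName = 'svc-web'
                       DistinguishedName = 'CN=svc-web,OU=Users,DC=example,DC=com'
                       Description = 'service account - IIS app pool'
                       PasswordNeverExpires = $true
                       ServicePrincipalName = @() }
)

# Offline run over the constructed sample:
#   svc-backup -> Service, jdoe -> User, sqlagent -> Suspect, svc-web -> Inconsistent
$sample | Test-ServiceAccountConvention | Format-Table -AutoSize

# Against a real domain (needs the ActiveDirectory module); only the
# accounts that need attention are kept:
# Get-ADUser -Filter * -Properties Description,PasswordNeverExpires,ServicePrincipalName |
#     Test-ServiceAccountConvention | Where-Object Verdict -ne 'User' | Format-Table -AutoSize
```

The "Suspect" verdict is the one worth looking at first: an account with an SPN or a non-expiring password that is not declared as a service account under any convention is exactly the case the question describes, where "no one rule" catches everything. "Inconsistent" rows are the ones to fix during the cleanup so that, afterwards, a single filter (OU or prefix) is enough.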