In our previous post (ITQ’s End User Portal for System Center Orchestrator (EUPSCO) – Part 2: Prerequisites), we covered setting up the prerequisites. In this post we follow Damian Flynn’s steps for the Service Accounts.

The following is a re-write (to accommodate screenshots) of Damian Flynn’s article, with screenshots added by me.


Service Accounts

Since the application is a web app, we need to create a Service Account to use as the identity of the Internet Information Services (IIS) Application Pool. This Service Account also requires privileges beyond those of a plain domain user, since it will interact with Orchestrator and the SQL Server database.

The additional privileges required are as follows:

  • Orchestrator: Administrative Access to Orchestrator
  • Database: Database Owner (DBO) access to the database that will contain the End User Portal configurations

On your Domain Controller, launch Server Manager, and navigate to Tools > Active Directory Users and Computers.

Server Manager - Active Directory Users and Computers

Within Active Directory Users and Computers, locate the Organizational Unit (OU) that will contain the Service Account, then in the menu navigate to Action > New > User.

AD - New User

On the New Object – User dialog, fill in the Full Name and User Logon Name fields, then press Next. In my example I am using “EUPSCO_AppPool”.

AD - New Object - User 01

On the next screen, provide a password that meets your security criteria. Ensure that “User must change password at next logon” is NOT selected (a service account never logs on interactively to change it), and that “User cannot change password” and “Password never expires” are both selected (depending on your security requirements), then click Next.

AD - New Object - User 02

On the final screen in the New Object – User dialog, review the information displayed, then click Finish.

AD - New Object - User 03

Now that we have the Service Account created, we need to add it to the group (defined during the installation of Orchestrator) for Orchestrator Administrators. In my lab example, I called this group “SCORCH Admins”.

Right-click on your newly created Service Account and choose ‘Add To A Group’.

Account - Add To A Group

On the Select Group dialog, type the name of the Security Group that you created for the Orchestrator Administrators, click Check Names to ensure the group is properly referenced, then click OK.

Account - Add To A Group - Select Groups

You will receive a confirmation message; click OK.

Account - Add To A Group - Completed

If you open the Properties for the Service Account (by right-clicking the account and choosing Properties; or by double-clicking on the account itself), and navigate to the “Member Of” tab, you will see the Security Group present.

Account - Properties - Member Of
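The same steps can be scripted with the ActiveDirectory PowerShell module. This is an added example and not part of Damian Flynn’s article or the EUPSCO project; the account name “EUPSCO_AppPool” and the group “SCORCH Admins” are taken from this post, while the OU path and domain below are placeholders you must replace.

```powershell
# Added example: create the EUPSCO application pool service account and add it
# to the Orchestrator Administrators group, mirroring the GUI steps above.
Import-Module ActiveDirectory

$accountName = 'EUPSCO_AppPool'                        # from the post
$groupName   = 'SCORCH Admins'                         # from the post (your Orchestrator admin group)
$domainDns   = 'lab.local'                             # placeholder: your domain's DNS name
$ouPath      = 'OU=Service Accounts,DC=lab,DC=local'   # placeholder: OU that holds service accounts

# Refuse to overwrite an account that already exists with this name.
if (Get-ADUser -Filter "SamAccountName -eq '$accountName'") {
    throw "Account $accountName already exists; choose another name or reuse it."
}

# Prompt for the password so it is never stored in the script or shell history.
$password = Read-Host -AsSecureString -Prompt "Password for $accountName"

$userParams = @{
    Name                  = $accountName
    SamAccountName        = $accountName
    UserPrincipalName     = "$accountName@$domainDns"
    Path                  = $ouPath
    AccountPassword       = $password
    ChangePasswordAtLogon = $false   # "User must change password at next logon" stays unselected
    CannotChangePassword  = $true    # "User cannot change password"
    PasswordNeverExpires  = $true    # "Password never expires" (per your security requirements)
    Enabled               = $true
    Description           = 'IIS application pool identity for the EUPSCO End User Portal'
}
New-ADUser @userParams

# Grant Orchestrator administrative access via the group created during the Orchestrator install.
Add-ADGroupMember -Identity $groupName -Members $accountName

# Verify membership, as shown on the account's "Member Of" tab in the GUI.
$groups = Get-ADPrincipalGroupMembership -Identity $accountName | Select-Object -ExpandProperty Name
if ($groups -notcontains $groupName) {
    throw "$accountName is not a member of $groupName; check the group name and try again."
}
Write-Host "$accountName created in $ouPath and added to $groupName."
```

Database Owner (DBO) access on the portal database is not part of this script; as in the GUI walkthrough, it is granted later once the database exists.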

This completes the creation of the End User Portal Service Account and part of the access it requires. If you recall, we also need to grant the account DBO access to the database; however, we have not created the database yet, so that access will be addressed in the Database post.

In our next post, we will discuss the Database(s) required.