In an organization, firstly you need to identify assets based on the type of server, where each server has a specific role to perform. Server-level roles are server-wide in their permissions scope. You can add server-level principals (server logins, user accounts, and Windows security groups) into server-level roles. Security groups can provide an efficient way to assign access to resources on your network:
- Security groups in Active Directory: User rights are assigned to a security group to determine what members of that group can do within the scope of a domain or forest. For example, default domain admins have full permission on all server parts of that specific domain irrespective of server roles. However, we can create user defined groups and add the required user account to that group to limit access.
- Windows service accounts: There are applications that run on Windows servers that need an account that is specific to that service. A service account helps in solving this problem and acts as a user identity that is associated with a service executable for the purpose of providing a security context for that service.