Securing service accounts?

[Guest UselessUser]

Hi,

 

I am in an area that has a lot of service accounts such as Blackberry, and a

lot of multi function printers that are setup with a AD username and password

so that users scan documents and they appear in one of their mapped shares..

 

How can I secure these accounts as much as possible... I have seen various

options such as stopping logging on etc, but does doing this stop these

accounts from doing their job...

 

For example, the log on locally option looks like a good bet, by denying

logon locally for all the service accounts (Putting them in a group), would

this prevent these accounts from accessing shares like the MFP's need to etc..

 

Wonder what others do here?