Security Basics mailing list archives

Securing Service Accounts - Good Practices


From: "David Tobias" <DTobias () Keenan com>
Date: Wed, 24 Sep 2008 08:43:29 -0700

I'm interested in obtaining some information either from users' personal
recommendations or from authorized sources on the subject in regards to
what are the good practices for creating, managing, and securing service
accounts created in Active Directory. I will give you a scenario that I
have gotten involved in:

I have been working with a company now for a few years, mostly in a
helpdesk style support role, but have worked my way up within the
company in helping with certain responsibilities pertaining to security
which I enjoy. Getting back to the question at hand, it would appear
that previous administrators with the company when being handed the task
of creating service accounts for several of our applications and
appliances decided to take the easy route (of course, also the most
insecure) and assign domain admin privileges to most of these accounts.
Needless to say, when I learned of this, I was pretty shocked as to why
these accounts would be granted such elevated privileges and have
unfiltered access to Active Directory to perform a role that was not in
need of such rights. 

We have been tasked with limiting our domain admin group to only
specific infrastructure individuals who need it and removing the service
accounts from this group. The problem we are foreseeing is once we
remove the service accounts from full access privileges, we are
expecting several routines that they were performing to fail. 

The grand question here is what are the best practices/guidelines when
encountering this type of solution. Do we remove each service account,
one by one, waiting to see what, if anything, fails and then decide how
to give rights to that account? What about in the future, when creating
and securing new accounts...what are the best guidelines and practices
to go by?

Thanks
-Dave
 
 

