windows service(accounttype)


Tony Johansson

Hello!

The docs for account type LocalSystem says the following.
"Setting this value specifies that the services uses a highly privileged
user account on the local system, but this account presents an anonymous
user to the network. Thus it doesn't have rights on the network."

What does it mean when the text says that this account presents an anonymous
user to the network ?

The docs for account type LocalService says the following.
"Thus account type presents the computer's credentials to any remote
server".
What does that mean ?

//Tony
 
First I'll say that I'm not an expert in this area, so do more research than
just taking my word for it....

> The docs for account type LocalSystem says the following.
> "Setting this value specifies that the services uses a highly privileged
> user account on the local system, but this account presents an anonymous
> user to the network. Thus it doesn't have rights on the network."
>
> What does it mean when the text says that this account presents an
> anonymous user to the network ?

Presenting an anonymous user to the network means that it passes credentials
which are basically null. I don't know if a service running as LocalSystem
would be able to access a share that was mapped to Everyone or not. (Perhaps
things have changed, but I thought Everyone meant just that: everyone who
has access to the physical network, whether authenticated or not.) You could
always test....

> The docs for account type LocalService says the following.
> "Thus account type presents the computer's credentials to any remote
> server".
> What does that mean ?

A computer has an account just like any user has an account. This means that
a SID is associated with the computer. This isn't particularly useful unless
your computer is connected to an Active Directory domain, in which case it
is how AD recognizes your computer. For example, whenever I've gotten a new
computer at work, I've had to ask my IT folks to delete my old computer from
the domain so that when I set up the new computer with the same name it can
be added to the domain.

When you use the LocalService account and it performs actions over the
network (which actually I didn't think was possible and was why the Network
Service account existed!) apparently the credentials that that account uses
are the computer's and not any particular user's.
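
An added example, not part of either post: a PowerShell audit that lists each service's logon account next to the identity that account presents to remote servers, following Microsoft's descriptions of the built-in service accounts. The function name `Get-ServiceNetworkIdentity` and the sample rows are constructed for illustration.

```powershell
# Added example (not from the thread). Maps a service logon account, as reported
# in Win32_Service.StartName, to the identity it presents to remote servers.
function Get-ServiceNetworkIdentity {
    param([string]$StartName)
    # -Regex matching is case-insensitive by default; StartName casing varies.
    switch -Regex ($StartName) {
        '^(LocalSystem|NT AUTHORITY\\SYSTEM)$' { 'computer account (DOMAIN\HOST$)'; break }
        '^NT AUTHORITY\\Network ?Service$'     { 'computer account (DOMAIN\HOST$)'; break }
        '^NT AUTHORITY\\Local ?Service$'       { 'anonymous'; break }
        # Per-service virtual accounts also use the computer account remotely.
        '^NT SERVICE\\'                        { 'computer account (DOMAIN\HOST$)'; break }
        '^$'                                   { 'n/a (no logon account recorded)'; break }
        default                                { 'the configured user or managed service account' }
    }
}

# Constructed sample rows so the mapping can be tried away from a Windows host.
$sample = @(
    [pscustomobject]@{ Name = 'SampleSvcA'; StartName = 'LocalSystem' }
    [pscustomobject]@{ Name = 'SampleSvcB'; StartName = 'NT AUTHORITY\LocalService' }
    [pscustomobject]@{ Name = 'SampleSvcC'; StartName = 'NT Authority\NetworkService' }
    [pscustomobject]@{ Name = 'SampleSvcD'; StartName = 'NT SERVICE\SampleSvcD' }
    [pscustomobject]@{ Name = 'SampleSvcE'; StartName = 'EXAMPLE\svc-backup' }
)

# On Windows, read the real service list; elsewhere fall back to the sample.
$rows = if ($env:OS -eq 'Windows_NT') {
    Get-CimInstance -ClassName Win32_Service | Select-Object Name, StartName
} else {
    $sample
}

$rows |
    Select-Object Name, StartName,
        @{ Name = 'NetworkIdentity'; Expression = { Get-ServiceNetworkIdentity $_.StartName } } |
    Sort-Object NetworkIdentity, Name |
    Format-Table -AutoSize
```

On a machine that is not joined to a domain, the computer account is not recognised by remote servers, so the distinction only has practical effect in an Active Directory environment.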
 