IT:AD:Service Accounts

LocalSystem

A predefined local account used by the service control manager.

It is preferable to use LocalService or NetworkService rather than the much more powerful LocalSystem service account.

It has extensive privileges on the local computer, and acts as the computer on the network. Its token includes the NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs; these accounts have access to most system objects.

It is not recognized by the security subsystem.

Its SID: S-1-5-18

It has a user profile, located at (either?) of:

  • C:\Windows\System32\config\systemprofile
  • C:\Windows\SysWOW64\config\systemprofile

>I found that for Jenkins running on WS2008SP2, it was looking at the SysWOW64. No idea why/how.

Note the difference in naming: LocalSystem (all-powerful on the local system) versus LocalService/NetworkService, which run services with fewer privileges.

LocalService

A predefined local account used by the service control manager.

It is preferable to use LocalService or NetworkService rather than the much more powerful LocalSystem.

It has minimal privileges on the local computer: basically the same authority as an unprivileged user account.

It presents anonymous credentials on the network (unlike NetworkService, which presents the computer's credentials to the remote server).

It is not recognized by the security subsystem.

Its SID: S-1-5-19

Its %userprofile% is at: C:\Windows\ServiceProfiles\LocalService

NetworkService

A predefined local account used by the service control manager.

It is preferable to use LocalService or NetworkService rather than the much more powerful LocalSystem.

It has minimal privileges on the local computer: basically the same authority as an unprivileged user account.

It presents the computer's credentials (not a user's credentials) to remote servers, in order to act as the computer on the network (contrast this with LocalService, which presents anonymous credentials to the remote server).

For instance, if a service on acmeserver1 tries to access a shared folder on acme\server2, server2 will allow or deny access based on the permissions that server1's computer account has on the folder.

This account is not recognized by the security subsystem.

Its SID: S-1-5-20

Its %userprofile% is at: C:\Windows\ServiceProfiles\LocalService
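An added PowerShell example (not part of the original page) that resolves the three well-known SIDs above and inventories which local services run under LocalSystem versus LocalService/NetworkService, so the "prefer the less powerful account" advice can be checked on a real host. It assumes a Windows machine with PowerShell 5.1 or later and the CIM cmdlets; the StartName patterns and the SCM-default comment are assumptions about how the service control manager reports the account.

```powershell
# Added example: map the well-known service-account SIDs to the names the OS reports for them.
$wellKnown = @{
    'S-1-5-18' = 'LocalSystem'
    'S-1-5-19' = 'LocalService'
    'S-1-5-20' = 'NetworkService'
}
foreach ($sid in $wellKnown.Keys) {
    $account = (New-Object System.Security.Principal.SecurityIdentifier $sid).
        Translate([System.Security.Principal.NTAccount]).Value
    "{0,-10} {1,-15} -> {2}" -f $sid, $wellKnown[$sid], $account
}

# Classify a service by the logon account the SCM has configured for it.
# Assumption: Win32_Service.StartName reports 'LocalSystem' for the SYSTEM account and
# 'NT AUTHORITY\LocalService' / 'NT AUTHORITY\NetworkService' for the other two
# (non-English systems may use localized names, which fall into 'Other').
function Get-ServiceAccountClass {
    param([string]$StartName)
    switch -Regex ($StartName) {
        '^(LocalSystem|NT AUTHORITY\\SYSTEM)$'  { return 'LocalSystem' }
        '^NT AUTHORITY\\LocalService$'          { return 'LocalService' }
        '^NT AUTHORITY\\NetworkService$'        { return 'NetworkService' }
        '^$'                                    { return 'Unspecified (SCM default is LocalSystem)' }
        default                                 { return 'Other (user account, gMSA or virtual account)' }
    }
}

$services = Get-CimInstance -ClassName Win32_Service

# Summary: how many services run under each account class.
$services |
    Select-Object Name, State, StartMode, StartName,
        @{ n = 'AccountClass'; e = { Get-ServiceAccountClass $_.StartName } } |
    Group-Object AccountClass |
    Sort-Object Count -Descending |
    ForEach-Object { "{0,-45} {1,3} services" -f $_.Name, $_.Count }

# Review list: running services that hold the all-powerful LocalSystem token.
# Each is a candidate to move to LocalService (no network identity) or NetworkService.
$services |
    Where-Object { $_.State -eq 'Running' -and (Get-ServiceAccountClass $_.StartName) -eq 'LocalSystem' } |
    Select-Object Name, DisplayName, StartMode, PathName |
    Format-Table -AutoSize
```

Run it in an elevated session to see every service's configured account; the review list is the set of services whose need for SYSTEM-level rights should be justified rather than assumed.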