Re: local admin security question

From: Joe Kaplan \(MVP - ADSI\) (
Date: 04/06/05

Date: Tue, 5 Apr 2005 19:53:02 -0500

If you are deploying to 2003, why not try using the NETWORK SERVICE account?
It is essentially a local user in terms of permissions, but uses the
computer's account for network credentials. If you don't need network
credentials, you can use LOCAL SERVICE.

If there is an internationalization issue related to the names of these
accounts, it seems like using the SIDs to reference them would be the way to
go. However, I know very little about MSI or internationalization, so I
can't help too much with any details there.

Joe K.

"Jeff Pigott" <> wrote in message
> Our app doesn't require it, we are just having problems with Systems that
> do not use English on the initial install during the Windows 2003 Server
> install. They install it as Spansh, and our Windows Service need to use a
> regional setting of English. So we found out we need to use a user account
> vs. a "local admin" account. Are there any whitepapers on locking a user
> account down just to a Windows Service?
> ---------
> "Joe Kaplan (MVP - ADSI)" <> wrote
> in message news:%23$FySuiOFHA.580@TK2MSFTNGP15.phx.gbl...
>> If you are concerned about security, then it is probably best to avoid
>> using an account that has admin privileges at all. Does your app
>> absolutely require that?
>> The question of local account vs. domain account depends on whether the
>> service needs to access domain resources on the network.
>> If you really need admin privileges and only need a local machine
>> account, then creating a different user is probably a good idea because
>> then you can change the regular administrator password easily without
>> breaking your service.
>> Joe K.
>> "Jeff Pigott" <> wrote in message
>> news:um%23sOYiOFHA.3512@TK2MSFTNGP15.phx.gbl...
>>> Can anyone suggest whether to use Local Admin service as a Windows
>>> service account for our .NET ADO applicaiton or create a user with Admin
>>> privledges to use for this account?
>>> Is one better than the other?
>>> Thanks,
>>> Jeff

Relevant Pages

  • Re: Windows Service Cannot Move Files
    ... dermot ha scritto: ... I actually changed the account that starts it to a domain admin ... XP there is a network version of the system account you can use. ... why windows service cannot do the same. ...
  • Re: What replaces the SMS legacy software installation account?
    ... There is no replacement for SW Install ... LocalSystem account is a security principal. ... > Client Network Access account is no replacement for the Legacy Client ... > SMS 2003 there is no access to the files on the network share. ...
  • Re: Can Service access networked computer while logged off?
    ... I think it is Yes only if the network is a workgroup. ... "Randy" wrote in message ... be it local account or domain account. ... To access files on a networkshare, you need to run the windows service with a domain account that has the permission to that networkshare. ...
  • Re: File/Print share workgroup on ME and XP machines
    ... > box came up during the install of the router (which I did before I ... right-click on the icon for My Network Places ... Now if you want to automatically log onto ME with that user account ... I believe after you install TweakUI for ME it will show up as a Control ...
    ... SYSTEM account in terms of the credentials it uses on the network. ... hitting a SQL Server on the same machine as the web app. ...