Local System/Network Service/Local Service

Source: Internet
Author: User

Local System/Network Service/Local Service permission

1. Local System:
This account has high-level permissions.
First, this account is also a member of the local Administrators group, so all local administrators can perform operations on this account.
Second, the account can control file permissions (NTFS file system) and registry permissions, and can even take ownership to obtain access.
If the machine is in a domain, services running under the Local System account can also be authenticated automatically by other machines in the same forest using the machine account.
Finally, processes running as Local System can use null sessions to access network resources.
In addition, other core Windows user-mode components also run under this account, such as system32\smss.exe.
Note that processes running under this account use the HKEY_USERS\.DEFAULT profile, so they cannot access the configurations of other accounts.

For example, services that run under the LocalSystem account include the Windows Update client, ClipBook, COM+, DHCP Client, the Messenger service, Task Scheduler, the Server service, the Workstation service, and Windows Installer.

2. Network Service:
This account also uses the machine account to authenticate to other computers on the network, but it does not have as many permissions as Local System.
It can access network resources in the name of the computer. Services running under this account present credentials to remote computers according to the actual environment.
Processes running under this account use the Network Service profile, HKEY_USERS\S-1-5-20 and Documents and Settings\NetworkService.

For example, services that run under the Network Service account include Distributed Transaction Coordinator, DNS Client, Performance Logs and Alerts, and RPC Locator.

 

3. Local Service:
The Local Service account is a predefined local account with minimum permissions; on the network it presents anonymous credentials.
The difference between processes running under this account and those running under the Network Service account is that a process running under the Local Service account can only access network resources that allow anonymous access.
The profile used by processes running under Local Service is HKU\S-1-5-19 and Documents and Settings\LocalService.

For example, services that run under the Local Service account include Alerter, Remote Registry, Smart Card, SSDP, and WebClient.
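
As an added example (not from the original page), this PowerShell inventory groups the installed services by the built-in account they run as and lists Local System services whose binaries sit outside %SystemRoot%, as candidates for a least-privilege review. The SID S-1-5-18 for Local System is the well-known value and is not quoted on the page; the function and variable names are illustrative.

```powershell
# Added example: group Windows services by the built-in account they run as.
# Assumption: S-1-5-18 is the well-known SID for Local System (not quoted on the page).
$system  = @{ Account = 'Local System';    Sid = 'S-1-5-18'; Hive = 'HKU\.DEFAULT' }
$builtin = @{
    'localsystem'                = $system
    'ntauthority\system'         = $system
    'ntauthority\networkservice' = @{ Account = 'Network Service'; Sid = 'S-1-5-20'; Hive = 'HKU\S-1-5-20' }
    'ntauthority\localservice'   = @{ Account = 'Local Service';   Sid = 'S-1-5-19'; Hive = 'HKU\S-1-5-19' }
}

function Resolve-ServiceAccount {
    param([string]$StartName)
    # Win32_Service reports values such as 'LocalSystem', 'NT AUTHORITY\NetworkService'
    # or 'NT Authority\LocalService'; normalise case and spacing before the lookup.
    $key = ($StartName -replace '\s', '').ToLowerInvariant()
    if ($builtin.ContainsKey($key)) { return $builtin[$key] }
    # Anything else is a named user, a virtual account, or an empty StartName.
    return @{ Account = 'Other'; Sid = $null; Hive = $null }
}

$services = Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $acct = Resolve-ServiceAccount $_.StartName
    [pscustomobject]@{
        Name      = $_.Name
        State     = $_.State
        StartName = $_.StartName
        Account   = $acct.Account
        Sid       = $acct.Sid
        Hive      = $acct.Hive
        PathName  = $_.PathName
    }
}

# Summary: how many services run under each account class.
$services | Group-Object Account | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Review list: Local System services whose executable is outside %SystemRoot%.
# PathName may or may not start with a double quote, so allow for both.
$sysRoot = [regex]::Escape($env:SystemRoot)
$services |
    Where-Object { $_.Account -eq 'Local System' -and $_.PathName -notmatch "^`"?$sysRoot\\" } |
    Sort-Object Name |
    Format-Table Name, State, PathName -AutoSize
```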

 

 Local System/Network Service/Local Service permission list 

1. Local System:

Built-in account with a high level of access permissions. If the worker process identity runs as the "Local System" account, the worker process has full access to the entire system.

 

2. Network Service

 

The built-in account has fewer system access permissions than the "Local System" account, but can still interact over the network using the computer account's credentials. For IIS 6.0, we recommend that you run the worker process identity defined in the application pool as the "Network Service" account. By default, the worker process identity runs as the "Network Service" account.

Default User Permissions:

  • Replace a process-level token (SeAssignPrimaryTokenPrivilege)
  • Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
  • Generate security audits (SeAuditPrivilege)
  • Bypass traverse checking (SeChangeNotifyPrivilege)
  • Access this computer from the network (SeNetworkLogonRight)
  • Log on as a batch job (SeBatchLogonRight)
  • Log on as a service (SeInteractiveLogonRight)
  • Allow log on locally (SeInteractiveLogonRight)

 

3. Local Service

The built-in account has fewer computer access permissions than the "Network Service" account, and the user permissions of this account are limited to the local computer. If a worker process does not need to access anything outside the server, you can use the Local Service account. Default User Permissions:

  • Replace a process-level token (SeAssignPrimaryTokenPrivilege)
  • Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
  • Generate security audits (SeAuditPrivilege)
  • Bypass traverse checking (SeChangeNotifyPrivilege)
  • Access this computer from the network (SeNetworkLogonRight)
  • Log on as a batch job (SeBatchLogonRight)