I read from here that:
On a local computer, an administrator can configure the application to run as Local Service, Network Service, or Local System. These service accounts are simple to configure and use but are typically shared among multiple applications and services and cannot be managed on a domain level.
I just don't understand why these accounts cannot be managed on a domain level, since they all have well-known SIDs?
Thanks for your time.
These are "universal well-known SIDs"; they are the same for every machine and do not have the "domain identifier" component, therefore they cannot be associated with any particular domain. (If they did, joining a machine to a domain would break a lot of stuff, particularly ACLs.)
For example, a normal user SID looks like S-1-5-21-2814603912-1974576649-1524133500-1001. Here, 21 is SECURITY_NT_NON_UNIQUE, 2814603912-1974576649-1524133500 is the domain identifier and 1001 is the relative ID. In comparison, LOCAL SYSTEM has the SID S-1-5-18.

FWIW, these three accounts are not even real accounts in the SAM. They are predefined in Windows itself.
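As an added illustration (this is example code, not part of the question or the answer above), the following Python parser splits a SID string into revision, identifier authority and sub-authorities the way the answer describes, and reports whether the SID carries an S-1-5-21 domain-identifier component at all. The well-known values it relies on (identifier authority 5, SECURITY_NT_NON_UNIQUE = 21, the S-1-5-18/19/20 service-account SIDs, the 15 sub-authority limit) are Windows constants; the sample SIDs other than the answer's own example are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Windows SID layout constants (names as in winnt.h).
SECURITY_NT_AUTHORITY = 5       # identifier authority used by all NT-issued SIDs
SECURITY_NT_NON_UNIQUE = 21     # first sub-authority of a domain- or SAM-issued account SID
SID_MAX_SUB_AUTHORITIES = 15

# Universal well-known SIDs of the three built-in service accounts. They are the
# same on every Windows machine and contain no domain-identifier component.
UNIVERSAL_WELL_KNOWN = {
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
}

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


@dataclass(frozen=True)
class Sid:
    revision: int
    identifier_authority: int
    sub_authorities: Tuple[int, ...]

    @property
    def domain_identifier(self) -> Optional[Tuple[int, int, int]]:
        """The three sub-authorities naming the issuing AD domain or local SAM, or None.
        Note: a local SAM account also has one (the machine's own), so this means
        'issued by some domain/SAM', not necessarily 'issued by an AD domain'."""
        s = self.sub_authorities
        if (self.identifier_authority == SECURITY_NT_AUTHORITY
                and len(s) in (4, 5) and s[0] == SECURITY_NT_NON_UNIQUE):
            return (s[1], s[2], s[3])
        return None

    @property
    def rid(self) -> Optional[int]:
        """Relative ID: the last sub-authority of a domain-issued account SID."""
        if self.domain_identifier is not None and len(self.sub_authorities) == 5:
            return self.sub_authorities[4]
        return None

    @property
    def well_known_name(self) -> Optional[str]:
        return UNIVERSAL_WELL_KNOWN.get(str(self))

    def __str__(self) -> str:
        parts = (self.revision, self.identifier_authority, *self.sub_authorities)
        return "S-" + "-".join(str(p) for p in parts)


def parse_sid(text: str) -> Sid:
    """Parse the textual SID form; reject malformed strings instead of guessing."""
    m = _SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID string: {text!r}")
    revision = int(m.group(1))
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    subs = tuple(int(x) for x in m.group(3).split("-") if x)
    if len(subs) > SID_MAX_SUB_AUTHORITIES:
        raise ValueError("too many sub-authorities")
    if any(x > 0xFFFFFFFF for x in subs):
        raise ValueError("sub-authority does not fit in 32 bits")
    return Sid(revision, int(m.group(2)), subs)


def explain(text: str) -> str:
    """One-line verdict on whether a SID is tied to a domain, per the answer's reasoning."""
    sid = parse_sid(text)
    if sid.well_known_name:
        return (f"{sid}: universal well-known SID ({sid.well_known_name}); "
                "identical on every machine, no domain identifier")
    dom = sid.domain_identifier
    if dom is None:
        return f"{sid}: no S-1-5-21 domain identifier; not a domain or SAM account SID"
    dom_text = "-".join(str(d) for d in dom)
    if sid.rid is None:
        return f"{sid}: identifies the domain/machine {dom_text} itself"
    return f"{sid}: issued by domain/machine {dom_text}, RID {sid.rid}"


if __name__ == "__main__":
    # Constructed sample input: the answer's user SID, the domain SID it derives from,
    # the three service-account SIDs, and Everyone (S-1-1-0) for contrast.
    for s in ["S-1-5-21-2814603912-1974576649-1524133500-1001",
              "S-1-5-21-2814603912-1974576649-1524133500",
              "S-1-5-18", "S-1-5-19", "S-1-5-20", "S-1-1-0"]:
        print(explain(s))
```

The point the parser makes concrete is structural: a domain can only manage principals whose SIDs embed its own identifier, and S-1-5-18, -19 and -20 have nowhere to carry one. Since the parser cannot tell an AD domain identifier from a local SAM's, use it to check the shape of a SID, not to decide which directory issued it.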