LocalSystem==root, LocalService==nobody
This one is, unfortunately, very easy to get wrong, and lots of people do, even those inside MSFT. It came up when I was reading a recent post from the great Jeff Atwood, where he gets it backwards, thinking the Local System account is limited, when it's anything but.
Note that the service is running under the Local System account, which has extremely limited permissions. Normally, this is OK, but if you plan to implement any Subversion hook scripts later, you'll want to switch the service identity to another account with more permissions.
The names for these 2 accounts are painfully similar, which IMHO is likely the main cause of confusion. Something called "Limited Service" would have more clearly identified that 1) it's of limited permissions and 2) it's (still) targeted for use by services. Ah, well. That ship... it has sailed.
One advantage of running under the LocalSystem account is that the service has complete unrestricted access to local resources. This is also the disadvantage of LocalSystem because a LocalSystem service can do things that would bring down the entire system.
[LocalService] has minimum privileges on the local computer and presents anonymous credentials on the network.
Comments
- Anonymous
April 06, 2008
La differenza tra LocalSystem e LocalService...