LocalSystem==root, LocalService==nobody

This one is, unfortunately, very easy to get wrong, and lots of people do, even those inside MSFT.  It came up when I was reading a recent post from the great Jeff Atwood, where he gets it backwards, thinking the Local System account is limited, when it's anything but.

"Note that the service is running under the Local System account, which has extremely limited permissions. Normally, this is OK, but if you plan to implement any Subversion hook scripts later, you'll want to switch the service identity to another account with more permissions."

The names for these 2 accounts are painfully similar, which IMHO is likely the main cause of confusion.  Something called "Limited Service" would have more clearly identified that 1) it's of limited permissions and 2) it's (still) targeted for use by services.  Ah, well.  That ship... it has sailed.

The LocalSystem Account

One advantage of running under the LocalSystem account is that the service has complete unrestricted access to local resources. This is also the disadvantage of LocalSystem because a LocalSystem service can do things that would bring down the entire system.

LocalService Account

[LocalService] has minimum privileges on the local computer and presents anonymous credentials on the network.
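
To see which of the two accounts each service on a machine actually runs under, the PowerShell below (an added example, not part of the original post) reads the StartName property of the Win32_Service CIM class and labels it with the analogy from the title. The function name Get-ServiceAccountClass and the label strings are hypothetical, and the sample names are constructed.

```powershell
# Added example: classify the identity a Windows service runs under.
# Get-ServiceAccountClass and its labels are hypothetical names for illustration.
function Get-ServiceAccountClass {
    param([string]$StartName)

    # Normalise: drop an "NT AUTHORITY\" prefix and any spaces, lower-case the rest,
    # so "NT AUTHORITY\LocalService" and "NT AUTHORITY\LOCAL SERVICE" compare equal.
    $n = ($StartName -replace '^NT AUTHORITY\\', '' -replace '\s', '').ToLowerInvariant()

    switch ($n) {
        'localsystem'  { 'LocalSystem (root-equivalent)' }
        'system'       { 'LocalSystem (root-equivalent)' }
        'localservice' { 'LocalService (nobody-equivalent)' }
        ''             { 'No StartName reported' }
        default        { 'Other account' }
    }
}

# Constructed sample values showing how similar the two names look side by side.
$samples = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\LOCAL SERVICE', '.\svc-build'
foreach ($s in $samples) {
    '{0,-28} -> {1}' -f $s, (Get-ServiceAccountClass $s)
}

# Live inventory of the local machine (Windows only).
if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) {
    $services = Get-CimInstance -ClassName Win32_Service |
        Select-Object Name, State, StartName,
            @{ Name = 'AccountClass'; Expression = { Get-ServiceAccountClass $_.StartName } }

    # How many services fall into each class.
    $services | Group-Object AccountClass |
        Sort-Object Count -Descending |
        Format-Table Count, Name -AutoSize

    # The services with complete, unrestricted access to local resources.
    $services | Where-Object AccountClass -like 'LocalSystem*' |
        Sort-Object Name |
        Format-Table Name, State, StartName -AutoSize
}
```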

Comments

  • Anonymous
    April 06, 2008
    The difference between LocalSystem and LocalService...