About the Local Service Account in Configuration Manager
Microsoft System Center Configuration Manager 2007 uses the Local Service account to run several application pools used by site systems that require Internet Information Services (IIS). The Local Service account is a special built-in account that has reduced privileges similar to an authenticated local user account. This limited access helps safeguard the computer if an attacker compromises individual services or processes.
Required Rights and Permissions
Local Service requires the following rights and permissions on virtual directories in the Web site used by Configuration Manager 2007, either the default Web sit or a custom Web site.
| Virtual Directory | Permissions |
|---|---|
CCM_Client |
Read |
CCM_Incoming |
Local Service requires the following permissions on the virtual directory folder: Traverse Folder/Execute File List Folder/Read Data Read Attributes Read Extended Attributes Create Files/Write Data Create Folders/Append Data Delete Subfolders and Files Read Permissions Local Service also requires full control on all subfolders and files of the virtual directory folder. |
CCM_Outgoing |
Read |
CCM_System |
List Folder Contents |
CCM_System_WindowsAuth |
List Folder Contents |
SMS_MP |
List Folder Contents |
SMS_SLP |
List Folder Contents |
SMS_FSP |
List Folder Contents |
Account and Password Creation
The account is automatically created as NT AUTHORITY\LocalService, and it does not have a password that an administrator needs to manage.
Account Location
This account is automatically created as a local account on Microsoft Windows Server 2003 and Windows XP operating systems.
Account Maintenance
No maintenance is required for this system account.