Assigning Permissions to a Service

Posted on 2007-08-01
Last Modified: 2013-12-04

I've got a Windows 2003 server called dotmap that runs a Windows service called MapServ under the LOCAL SERVICE user account. The service needs to work with MS Access files on a server called mapfs. In order to lock the Access files on the mapfs machine to read, the service needs to have file creation access to the directory in order to create the Access lock files (.ldb).

My question is, how would I best assign file creation permissions for a LOCAL SERVICE account on one machine to a directory on another machine? Should I have the service run under a domain account name and give that domain account the necessary permission?

I'd rather not create an AD account just for a service if I can avoid it...

Question by:gis-jedi
    LVL 30

    Accepted Solution

    LocalService means precisely that: this account has no rights outside of the physical box that it resides on.  Short of a dedicated service account, have you tried using Network Service as described here: ?
    LVL 6

    Author Comment

    I'm aware that LocalService is a local built-in account. A Network Service is more along the lines of what I was looking for. I appreciate your pointing this out.

    For those who are interested, I found this MS explanation very helpful:


    Services, like users, require a means of authentication to use computer or network resources. Prior to the release of the Windows 2000 operating system, services that accessed resources on a network were required to use a domain user account to authenticate themselves to each remote server they used, because the Local System account could not authenticate across the network. With the release of Windows 2000, the Local System account was modified to allow authentication to network resources, just like domain user accountsbut it uses computer credentials for authentication instead. Remember, a computer account is essentially just a user account that does not have the UserAccountControl attribute, so computer accounts can log on and access resources just like a user account can. Because of these changes, the Local System account became one of the more common accounts to use for service deployment. With the release of Windows Server 2003, the situation changed again when two new built-in account types similar to Local System were added: the Network Service account and the Local Service account.

    The new Network Service account also uses the computer's credentials when it authenticates remotely, but has a greatly reduced privilege level on the server itself and, therefore, does not have local administrator privileges. The new Local Service account has the same reduced privileges as the Network Service account, but as the name suggests, it does not have the ability to authenticate to network resources.

    Thanks again Laura.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Highfive Gives IT Their Time Back

    Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

    Learn about cloud computing and its benefits for small business owners.
    Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
    This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
    This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

    737 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    22 Experts available now in Live!

    Get 1:1 Help Now