gis-jedi
Assigning Permissions to a Service
Hi,
I've got a Windows 2003 server called dotmap that runs a Windows service called MapServ under the LOCAL SERVICE user account. The service needs to work with MS Access files on a server called mapfs. In order to lock the Access files on the mapfs machine to read, the service needs to have file creation access to the directory in order to create the Access lock files (.ldb).
My question is, how would I best assign file creation permissions for a LOCAL SERVICE account on one machine to a directory on another machine? Should I have the service run under a domain account name and give that domain account the necessary permission?
I'd rather not create an AD account just for a service if I can avoid it...
Thanks!
ASKER
For those who are interested, I found this MS explanation very helpful:
--------------------------
(From http://www.microsoft.com/technet/security/guidance/serversecurity/serviceaccount/default.mspx)
Services, like users, require a means of authentication to use computer or network resources. Prior to the release of the Windows 2000 operating system, services that accessed resources on a network were required to use a domain user account to authenticate themselves to each remote server they used, because the Local System account could not authenticate across the network. With the release of Windows 2000, the Local System account was modified to allow authentication to network resources, just like domain user accounts, but it uses computer credentials for authentication instead. Remember, a computer account is essentially just a user account that does not have the UserAccountControl attribute, so computer accounts can log on and access resources just like a user account can. Because of these changes, the Local System account became one of the more common accounts to use for service deployment. With the release of Windows Server 2003, the situation changed again when two new built-in account types similar to Local System were added: the Network Service account and the Local Service account.
The new Network Service account also uses the computer's credentials when it authenticates remotely, but has a greatly reduced privilege level on the server itself and, therefore, does not have local administrator privileges. The new Local Service account has the same reduced privileges as the Network Service account, but as the name suggests, it does not have the ability to authenticate to network resources.
--------------------------
Thanks again Laura.
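
One way to apply the behaviour described in the quoted Microsoft text, as an added example that is not from the thread or from Microsoft: run MapServ as Network Service so it authenticates to mapfs with dotmap's computer account, then grant that computer account rights on the data directory only. The domain name `EXAMPLE` and the path `D:\MapData` are placeholders, and the choice of Modify rights (to create and delete the .ldb lock files) is an assumption.

```powershell
# Added example. Placeholders (not from the thread): EXAMPLE, D:\MapData.
$Domain  = 'EXAMPLE'        # placeholder AD domain (NetBIOS name)
$DataDir = 'D:\MapData'     # placeholder local path of the Access files on mapfs

function Set-MapServAccount {
    # Run on dotmap: switch MapServ from LOCAL SERVICE to NETWORK SERVICE.
    $svc = Get-WmiObject Win32_Service -Filter "Name='MapServ'"
    if (-not $svc) { throw 'Service MapServ not found' }
    # Win32_Service.Change: 7th argument is StartName, 8th is StartPassword.
    # Built-in accounts take an empty password.
    $result = $svc.Change($null, $null, $null, $null, $null, $null,
                          'NT AUTHORITY\NetworkService', '')
    if ($result.ReturnValue -ne 0) {
        throw "Win32_Service.Change failed with code $($result.ReturnValue)"
    }
    Restart-Service MapServ   # the new logon account applies on next start
}

function Grant-MapServAccess {
    # Run on mapfs: Network Service on dotmap appears here as the computer
    # account dotmap$, so that is the identity that receives the grant.
    $identity = '{0}\dotmap$' -f $Domain
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')

    $acl = Get-Acl -Path $DataDir
    $acl.AddAccessRule($rule)            # adds to the existing ACL, replaces nothing
    Set-Acl -Path $DataDir -AclObject $acl

    # Return the resulting entries for the computer account for review.
    (Get-Acl -Path $DataDir).Access |
        Where-Object { $_.IdentityReference.Value -eq $identity }
}

# Usage:
#   on dotmap:  Set-MapServAccount
#   on mapfs:   Grant-MapServAccess
# The share that exposes $DataDir must also allow Change for the same
# computer account; share permissions are separate from the NTFS ACL.
```

Every service on dotmap that runs as Network Service or Local System authenticates with the same computer account, so this grant applies to all of them, not only to MapServ.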