Assigning Permissions to a Service

Posted on 2007-08-01
Last Modified: 2013-12-04

I've got a Windows 2003 server called dotmap that runs a Windows service called MapServ under the LOCAL SERVICE user account. The service needs to work with MS Access files on a server called mapfs. In order to lock the Access files on the mapfs machine to read, the service needs to have file creation access to the directory in order to create the Access lock files (.ldb).

My question is, how would I best assign file creation permissions for a LOCAL SERVICE account on one machine to a directory on another machine? Should I have the service run under a domain account name and give that domain account the necessary permission?

I'd rather not create an AD account just for a service if I can avoid it...

Question by: gis-jedi

Accepted Solution

LauraEHunterMVP earned 2000 total points
ID: 19613408
LocalService means precisely that: this account has no rights outside of the physical box that it resides on.  Short of a dedicated service account, have you tried using Network Service as described here: http://support.microsoft.com/kb/812519 ?

Author Comment

ID: 19613554
I'm aware that LocalService is a local built-in account. A Network Service is more along the lines of what I was looking for. I appreciate your pointing this out.

For those who are interested, I found this MS explanation very helpful:

(From http://www.microsoft.com/technet/security/guidance/serversecurity/serviceaccount/default.mspx)

Services, like users, require a means of authentication to use computer or network resources. Prior to the release of the Windows 2000 operating system, services that accessed resources on a network were required to use a domain user account to authenticate themselves to each remote server they used, because the Local System account could not authenticate across the network. With the release of Windows 2000, the Local System account was modified to allow authentication to network resources, just like domain user accounts, but it uses computer credentials for authentication instead. Remember, a computer account is essentially just a user account that does not have the UserAccountControl attribute, so computer accounts can log on and access resources just like a user account can. Because of these changes, the Local System account became one of the more common accounts to use for service deployment. With the release of Windows Server 2003, the situation changed again when two new built-in account types similar to Local System were added: the Network Service account and the Local Service account.

The new Network Service account also uses the computer's credentials when it authenticates remotely, but has a greatly reduced privilege level on the server itself and, therefore, does not have local administrator privileges. The new Local Service account has the same reduced privileges as the Network Service account, but as the name suggests, it does not have the ability to authenticate to network resources.

Thanks again Laura.
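
The permission grant this thread arrives at, as an added example that is not part of the original posts: because Network Service authenticates remotely with the computer's credentials, the directory on mapfs is granted to the computer account of dotmap. The domain name `EXAMPLE` and the folder `D:\MapData` are placeholders, and the choice of the Modify right is an assumption; the script is meant to be run on mapfs by an administrator.

```powershell
# Added example. Values marked "placeholder" are not from the thread.
$Domain  = 'EXAMPLE'       # placeholder: NetBIOS name of the AD domain
$DataDir = 'D:\MapData'    # placeholder: folder on mapfs holding the Access files
$Server  = 'dotmap'        # from the question: machine running the service
$Service = 'MapServ'       # from the question: the Windows service

# 1. Confirm which account the service logs on as (remote WMI, needs admin on dotmap).
$svc = Get-WmiObject -Class Win32_Service -ComputerName $Server -Filter "Name='$Service'"
if (-not $svc) { throw "Service $Service not found on $Server" }
if ($svc.StartName -notmatch 'Network\s?Service') {
    Write-Warning "$Service runs as '$($svc.StartName)'; the grant below only helps Network Service."
}

# 2. Network Service authenticates remotely with the computer's credentials,
#    so the principal to grant is the computer account: DOMAIN\dotmap$.
$principal = "$Domain\$Server`$"
$account   = New-Object System.Security.Principal.NTAccount($principal)
# Fail early if the name does not resolve (typo, wrong domain).
$null = $account.Translate([System.Security.Principal.SecurityIdentifier])

# 3. Grant Modify on the folder, inherited by files and subfolders.
#    Assumption: Modify is chosen so the service can create and later remove the
#    .ldb lock file; the thread itself only states that file creation is required.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    $principal, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl = Get-Acl -Path $DataDir
$acl.AddAccessRule($rule)
Set-Acl -Path $DataDir -AclObject $acl

# 4. Show the resulting entry. Share-level permissions must allow the same account too.
(Get-Acl -Path $DataDir).Access |
    Where-Object { $_.IdentityReference.Value -eq $principal } |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

Any other service on dotmap that runs as Network Service or Local System presents the same computer account to mapfs, so the grant applies to all of them, not only to MapServ.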
