
Assigning Permissions to a Service


I've got a Windows 2003 server called dotmap that runs a Windows service called MapServ under the LOCAL SERVICE user account. The service needs to work with MS Access files on a server called mapfs. In order to lock the Access files on the mapfs machine to read, the service needs to have file creation access to the directory in order to create the Access lock files (.ldb).

My question is, how would I best assign file creation permissions for a LOCAL SERVICE account on one machine to a directory on another machine? Should I have the service run under a domain account name and give that domain account the necessary permission?

I'd rather not create an AD account just for a service if I can avoid it...

1 Solution
LocalService means precisely that: this account has no rights outside of the physical box that it resides on.  Short of a dedicated service account, have you tried using Network Service as described here: http://support.microsoft.com/kb/812519 ?
gis-jedi (Author) commented:
I'm aware that LocalService is a local built-in account. A Network Service is more along the lines of what I was looking for. I appreciate your pointing this out.

For those who are interested, I found this MS explanation very helpful:

(From http://www.microsoft.com/technet/security/guidance/serversecurity/serviceaccount/default.mspx)

Services, like users, require a means of authentication to use computer or network resources. Prior to the release of the Windows 2000 operating system, services that accessed resources on a network were required to use a domain user account to authenticate themselves to each remote server they used, because the Local System account could not authenticate across the network. With the release of Windows 2000, the Local System account was modified to allow authentication to network resources, just like domain user accounts, but it uses computer credentials for authentication instead. Remember, a computer account is essentially just a user account that does not have the UserAccountControl attribute, so computer accounts can log on and access resources just like a user account can. Because of these changes, the Local System account became one of the more common accounts to use for service deployment. With the release of Windows Server 2003, the situation changed again when two new built-in account types similar to Local System were added: the Network Service account and the Local Service account.

The new Network Service account also uses the computer's credentials when it authenticates remotely, but has a greatly reduced privilege level on the server itself and, therefore, does not have local administrator privileges. The new Local Service account has the same reduced privileges as the Network Service account, but as the name suggests, it does not have the ability to authenticate to network resources.

Thanks again Laura.
Question has a verified solution.
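
Because Network Service authenticates remotely with the computer's credentials, the ACL entry on mapfs has to name the dotmap computer account rather than a user. The PowerShell below is an added example, not code from the thread: it assumes MapServ has already been switched to Network Service and that both machines are in one domain, and the domain name `EXAMPLE`, the path `D:\MapData` and the chosen rights are placeholders and assumptions.

```powershell
# Run on mapfs as an administrator.
# Placeholder values, not taken from the thread:
$Domain  = 'EXAMPLE'      # NetBIOS name of the domain both machines belong to
$DataDir = 'D:\MapData'   # directory that holds the Access files

# A service running as Network Service on dotmap is seen by mapfs as
# the computer account dotmap$ (note the trailing dollar sign).
$Identity = New-Object System.Security.Principal.NTAccount($Domain, 'dotmap$')

# Fail early if the account does not resolve, instead of writing a bad ACE.
$null = $Identity.Translate([System.Security.Principal.SecurityIdentifier])

# Assumed minimum for Access locking: read the database, create and write
# the .ldb lock file, and delete it when the last session closes.
# These rights also allow writing the database files themselves.
$Rights    = [System.Security.AccessControl.FileSystemRights]'Read, Write, Delete'
$Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagate = [System.Security.AccessControl.PropagationFlags]::None
$Allow     = [System.Security.AccessControl.AccessControlType]::Allow

$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Identity, $Rights, $Inherit, $Propagate, $Allow)

# Add the ACE to the existing ACL; entries already present are kept.
$Acl = Get-Acl -Path $DataDir
$Acl.AddAccessRule($Rule)
Set-Acl -Path $DataDir -AclObject $Acl

# Confirm the new entry is present and explicit (IsInherited = False).
(Get-Acl -Path $DataDir).Access |
    Where-Object { $_.IdentityReference -like '*\dotmap$' } |
    Format-List IdentityReference, FileSystemRights, AccessControlType, IsInherited

# If the directory is reached through a share, the share permissions must
# also allow Change for the same account; NTFS rights alone are not enough.
```

Any other service on dotmap that runs as Network Service or Local System presents the same computer identity, so this entry grants them the same access to the directory.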
