Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Windows 2008 Local System vs Administrator Account

Posted on 2011-10-29
9
Medium Priority
?
2,717 Views
Last Modified: 2012-05-12
I'm trying to understand the differences between the Local System vs Administrator account. Which has more rights? When would I want to use one over the other
0
Comment
Question by:compdigit44
9 Comments
 
LVL 12

Accepted Solution

by:
S00007359 earned 2000 total points
ID: 37051950
How to gain access to system account the most powerful account in Windows.

There is an account in Microsoft Windows that is more powerful than the Administrator account in Windows Operating Systems. That account is called System account it is similar to the root OR super user in the Linux/Unix world . I will show you how to access this system account in this article.
 
You can use this facility for removing programs that are causing problems to your system, malware etc.
 
Introduction
 
If you look at the task manager (which can be launched by pressing [CTRL]+[ALT]+[DEL]) you will see some processes that are running with System level privileges. Even the Administrator account is unable to do some of the things a system account can do.
 
System is the highest account in Windows (like root),You can be a super power user by accessing the system account (even while you are logged in as a restricted user)
 
Note: Accessing system account may cause serious problems.
 Leave this tread and don’t follow the rest of this topic
 if you don’t know what you are doing. I am not liable for any problems caused by accessing the system account
 
Local system differs from an administrator account in that it has
 full control of the operating system, similar to root on a Unix
 machine. Most system processes are required by the operating
 system, and cannot be closed, even by an administrator account;
 attempting to close them will result in an error message.
 In Windows NT and later systems derived from it (windows 2000,
 Windows XP, Windows servers 2003 and Windows Vista), there may
 or may not be a superuser. By default, there is a superuser named
 Administrator, although it is not an exact analogy of the Unix
 root superuser account. Administrator does not have all the
 privileges of root because some superuser privileges are assigned
 to the Local System account in windows NT/XP.
 What you gain by accessing System account?
 Local privilege escalation is useful on any system that a hacker
 may compromise; the system account allows for several other
 things that aren’t normally possible (you can reset passwords, resetting administrator passwords is also possible)
 You can even login to System and lock administrator account out by
 editing group policy or other tools in windows.
 How to access System:
 Note : Don’t follow the procedure bellow if you don’t know what you
 are doing. You may harm your PC. If you follow, Do it on your own risk.
 1.Check the name of the account you’ve logged into (Click start. You
 will see the name of the account you’ve logged in.)
 2.Launch the command prompt. (Start | Run | cmd | [Enter] )
 in command prompt, create a schedule to run cmd.exe.
 To create a schedule type the following line and hit enter.
 at 10:41 /interactive “cmd.exe”
 this will create a schedule to run cmd.exe at 10:41.
 (Since you are testing, check the time in your system try and add two or three minutes.)Change this time according to your local time
 Hint: you can check if the schedule is placed by typing “at“
 and hitting enter after the above step.
 3.Wait for the time you set for the schedule.
 cmd.exe would be launched at the specified time.
 4.After cmd.exe is launched by the scheduled time, press [CTRL] + [ALT] + [DEL] and launch task manager.
 Select “Process” tab, select explorer.exe in the process list and click “End Process” button.
 You will receive a confirmation dialogue. Click “Yes” to end the process.
 5.Close task manager by clicking the close (X) button.
 Close the first cmd window (be careful to close the first one not the second one.)
 6.Now you have only the second command prompt window and an empty desktop.
 In command prompt type the following line and hit “Enter”
 cd ..
 7.In command prompt type the following line and hit “Enter”
 explorer.exe
 If this is the first time you do it, windows creates the necessary
 components for you to access System ( Desktop, start menu,
 My document)
 when it’s finished you will have a new desktop.
 8.Close command prompt window. Click start and check your username.
 It’s changed to System.
 Now you are a super-power user. Be careful not to harm your PC and delete or modify system files if you don’t know what you are doing.
 
Am once again saying, don’t attempt accessing system account, unless you are an experienced Windows user.
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 37051952
Difference Between Local System account and Administrator.
https://msdn2.microsoft.com/en-us/library/ms684190.aspx

The LocalSystem account is an account used by the system in executing
processes and whatnot. In the Windows security architecture, everything
uses an account on the system for something (this is why Internet
Information Server does not allow the use of permissions based on a
..htaccess file like Unix webservers do--all security is handled by an
account).

Most services that run on a Windows machine run as the LocalSystem user,
though some services (typically third-party services) may need to run as
another user, particularly if they access other computers on the network
(such as backup applications).

Here are a couple of links:
http://support.microsoft.com/kb/q120929/
https://msdn2.microsoft.com/en-us/library/ms684190.aspx
http://www.serverwatch.com/tutorials...le.php/2178901

Hope that helps!

0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
LVL 22

Expert Comment

by:chakko
ID: 37051957
Local System has more privileges than Administrator

Here is some info on it

http://msdn.microsoft.com/en-us/library/windows/desktop/ms684190%28v=vs.85%29.aspx

In General, if you are installing software and need to specify a service account I would use Administrator (or a Domain Admin level Account depending on if it needs network access).
0
 
LVL 20

Author Comment

by:compdigit44
ID: 37053107
Great articles everyone... I guess I was confused becuase one of are vendors recommed that we switch a service account on a service from local system to administrator on a 2008 R2 server is order for a install to complete. According to these articles going from local system to administrator is a downgrade in premissions correct
0
 
LVL 12

Expert Comment

by:S00007359
ID: 37053650
best to stick to vendor recomendations, and screw up your system with local system account settings. cheers
0
 
LVL 20

Author Comment

by:compdigit44
ID: 37057645
S00007359, great responces!!!

in your first responce, why do you have to schedule cmd.exe to run via a schedule task in order to access the local system account. I'm a little confused on this part.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 37070889
I tried to schedule the CMD to run on my Winodws 7 workstation but it stated that do to secutity restriotion is won't run?????

How can you access the local system account in Windows 7
0
 
LVL 12

Expert Comment

by:S00007359
ID: 37096907
Re:
"in your first responce, why do you have to schedule cmd.exe to run via a schedule task in order to access the local system account. I'm a little confused on this part. "

answer: it's got to timing,

in windows 7, you'll have to run with elevated system rights or disable uaser access control.
0

Featured Post

How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

OfficeMate Freezes on login or does not load after login credentials are input.
Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
Suggested Courses

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question