Windows 2008 Local System vs Administrator Account

I'm trying to understand the differences between the Local System vs Administrator account. Which has more rights? When would I want to use one over the other?
compdigit44 Asked:
 
S00007359 Cloud Engineering Officer Commented:
How to gain access to the System account, the most powerful account in Windows.

There is an account in Microsoft Windows that is more powerful than the Administrator account in Windows operating systems. That account is called the System account; it is similar to root or the superuser in the Linux/Unix world. I will show you how to access this System account in this article.
 
You can use this facility for removing programs that are causing problems to your system, malware etc.
 
Introduction
 
If you look at the task manager (which can be launched by pressing [CTRL]+[ALT]+[DEL]) you will see some processes that are running with System level privileges. Even the Administrator account is unable to do some of the things a system account can do.
 
System is the highest account in Windows (like root). You can be a super power user by accessing the System account (even while you are logged in as a restricted user).
 
Note: Accessing the System account may cause serious problems. Leave this thread and don’t follow the rest of this topic if you don’t know what you are doing. I am not liable for any problems caused by accessing the System account.
 
Local System differs from an administrator account in that it has full control of the operating system, similar to root on a Unix machine. Most system processes are required by the operating system, and cannot be closed, even by an administrator account; attempting to close them will result in an error message.

In Windows NT and later systems derived from it (Windows 2000, Windows XP, Windows Server 2003 and Windows Vista), there may or may not be a superuser. By default, there is a superuser named Administrator, although it is not an exact analogy of the Unix root superuser account. Administrator does not have all the privileges of root because some superuser privileges are assigned to the Local System account in Windows NT/XP.

What do you gain by accessing the System account?

Local privilege escalation is useful on any system that a hacker may compromise; the System account allows for several other things that aren’t normally possible (you can reset passwords; resetting administrator passwords is also possible). You can even log in to System and lock the administrator account out by editing group policy or other tools in Windows.

How to access System:

Note: Don’t follow the procedure below if you don’t know what you are doing. You may harm your PC. If you follow it, do it at your own risk.

1. Check the name of the account you’ve logged into. (Click Start. You will see the name of the account you’ve logged in.)
2. Launch the command prompt. (Start | Run | cmd | [Enter])
   In the command prompt, create a schedule to run cmd.exe. To create a schedule, type the following line and hit Enter.
   at 10:41 /interactive "cmd.exe"
   This will create a schedule to run cmd.exe at 10:41. (Since you are testing, check the time in your system and add two or three minutes.) Change this time according to your local time.
   Hint: you can check if the schedule is placed by typing "at" and hitting Enter after the above step.
3. Wait for the time you set for the schedule. cmd.exe will be launched at the specified time.
4. After cmd.exe is launched by the schedule, press [CTRL] + [ALT] + [DEL] and launch Task Manager. Select the “Process” tab, select explorer.exe in the process list and click the “End Process” button. You will receive a confirmation dialogue. Click “Yes” to end the process.
5. Close Task Manager by clicking the close (X) button. Close the first cmd window (be careful to close the first one, not the second one).
6. Now you have only the second command prompt window and an empty desktop. In the command prompt, type the following line and hit “Enter”:
   cd ..
7. In the command prompt, type the following line and hit “Enter”:
   explorer.exe
   If this is the first time you do it, Windows creates the necessary components for you to access System (Desktop, Start menu, My Documents). When it’s finished you will have a new desktop.
8. Close the command prompt window. Click Start and check your username. It’s changed to System.

Now you are a super-power user. Be careful not to harm your PC, and do not delete or modify system files if you don’t know what you are doing.
 
I am once again saying, don’t attempt accessing the System account unless you are an experienced Windows user.
0
 
Sandeshdubey Senior Server Engineer Commented:
Difference Between Local System account and Administrator.
https://msdn2.microsoft.com/en-us/library/ms684190.aspx

The LocalSystem account is an account used by the system in executing
processes and whatnot. In the Windows security architecture, everything
uses an account on the system for something (this is why Internet
Information Server does not allow the use of permissions based on a
.htaccess file like Unix webservers do--all security is handled by an
account).

Most services that run on a Windows machine run as the LocalSystem user,
though some services (typically third-party services) may need to run as
another user, particularly if they access other computers on the network
(such as backup applications).

Here are a couple of links:
http://support.microsoft.com/kb/q120929/
https://msdn2.microsoft.com/en-us/library/ms684190.aspx
http://www.serverwatch.com/tutorials...le.php/2178901

Hope that helps!

0
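
Added example, not part of any post in this thread: a PowerShell sketch that inventories which logon account each service uses, so LocalSystem services and services switched to a named account such as Administrator can be reviewed. The sample rows are constructed, and `VendorAgent`, `BackupAgent` and `CORP\svc-backup` are hypothetical names.

```powershell
# Added example, not code from the thread. Classifies the logon account of
# each service (the StartName property of Win32_Service).

function Get-ServiceAccountClass {
    param([string]$StartName)
    # StartName can be empty; treat that as its own class
    if ([string]::IsNullOrEmpty($StartName)) { return 'None' }
    # switch -Regex matches case-insensitively by default
    switch -Regex ($StartName) {
        '^(NT AUTHORITY\\)?(LocalSystem|SYSTEM)$'       { return 'LocalSystem' }
        '^NT AUTHORITY\\(LocalService|NetworkService)$' { return 'BuiltInServiceAccount' }
        '^NT SERVICE\\'                                 { return 'VirtualAccount' }
        default                                         { return 'NamedUser' }
    }
}

function Get-ServiceAccountReport {
    param([object[]]$Services)
    $Services |
        Select-Object Name, StartName,
            @{ Name = 'AccountClass'; Expression = { Get-ServiceAccountClass $_.StartName } } |
        Sort-Object AccountClass, Name
}

# Constructed sample rows shaped like Win32_Service output.
# VendorAgent, BackupAgent and CORP\svc-backup are hypothetical.
$sample = @(
    New-Object PSObject -Property @{ Name = 'Spooler';     StartName = 'LocalSystem' }
    New-Object PSObject -Property @{ Name = 'Dhcp';        StartName = 'NT AUTHORITY\LocalService' }
    New-Object PSObject -Property @{ Name = 'VendorAgent'; StartName = '.\Administrator' }
    New-Object PSObject -Property @{ Name = 'BackupAgent'; StartName = 'CORP\svc-backup' }
)

# On a live host pass real data instead of $sample:
#   Get-ServiceAccountReport (Get-WmiObject Win32_Service)     # PowerShell 2.0
#   Get-ServiceAccountReport (Get-CimInstance Win32_Service)   # PowerShell 3.0+
Get-ServiceAccountReport $sample | Format-Table -AutoSize
```

The NamedUser rows are the ones to compare against membership of the local Administrators group; the LocalSystem rows show how many services already run with full control of the local machine.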
 
chakko Commented:
Local System has more privileges than Administrator

Here is some info on it

http://msdn.microsoft.com/en-us/library/windows/desktop/ms684190%28v=vs.85%29.aspx

In general, if you are installing software and need to specify a service account I would use Administrator (or a Domain Admin level account depending on if it needs network access).
0
 
compdigit44 Author Commented:
Great articles everyone... I guess I was confused because one of our vendors recommended that we switch a service account on a service from local system to administrator on a 2008 R2 server in order for an install to complete. According to these articles going from local system to administrator is a downgrade in permissions, correct?
0
 
S00007359 Cloud Engineering Officer Commented:
Best to stick to vendor recommendations, and screw up your system with local system account settings. Cheers
0
 
compdigit44 Author Commented:
S00007359, great responses!!!

In your first response, why do you have to schedule cmd.exe to run via a scheduled task in order to access the local system account? I'm a little confused on this part.
0
 
compdigit44 Author Commented:
I tried to schedule the CMD to run on my Windows 7 workstation but it stated that due to security restriction it won't run?????

How can you access the local system account in Windows 7?
0
 
S00007359 Cloud Engineering Officer Commented:
Re:
"In your first response, why do you have to schedule cmd.exe to run via a scheduled task in order to access the local system account? I'm a little confused on this part."

Answer: it's got to timing,

In Windows 7, you'll have to run with elevated system rights or disable user access control.
0
Question has a verified solution.
