Exploring the merits and demerits of the Local System Account is essential for effective computer system management. This account type has its own strengths and weaknesses, which impact system performance and security. By understanding these pros and cons, administrators can make better choices when setting up their computer systems.
For related guides see: Local System Account: Running Programs in Windows, Resolve Account restrictions are preventing this user from signing in. and Configure Local Administrators Account lockout.
Why use it?
One advantage of running your services using the Local System account is that the service has complete unrestricted access to local resources. And it is by default one of the built-in local accounts. The others are Local Service, Network Service.
One of the disadvantages of running services with Local System rights is that it can bring an entire system down. Especially a service running as Local System on a Domain Controller (DC) has unrestricted access to Active Directory Domain Services. This means that bugs in the service, or security attacks on the service, can damage the system.
Service Logon Accounts
Simply put, a Service Logon Account is an account that determines the security context it runs in. This is simply an alternative to using the built-in Local System Account which has access to the entire system resources.
Therefore, manually create a service account with limited access needed to run the service (i.e, the permissions it needs to access its resources).
Here are the advantages and disadvantages of using a service Logon Account:
– Advantage: You have total control over the account’s privileges rights), which you do not have control over when you use one of the built-in accounts.
– Disadvantage: This depends on your Domain or Local Group Policy, You will have to manually enter the passwords when they are changed or else these services will not run.
Note: These Service Logon Passwords cannot automatically be changed. But for the Local built-in Services, these automatic password changes is available.
I hope you found this blog post on the merits and demerits of Local System Account and Service Logon Account helpful. If you have any questions, please let me know in the comment session