Why use LocalSystem Account as a Service Logon Account?
One advantage of running your services under the Local System account is that the service has complete, unrestricted access to local resources. Local System is one of the default built-in local accounts; the others are Local Service and Network Service.
One disadvantage of running services with Local System rights is that a single service can bring the entire system down. In particular, a service running as Local System on a Domain Controller (DC) has unrestricted access to Active Directory Domain Services. This means that bugs in the service, or security attacks on the service, can damage the system.
Service Logon Accounts:
Simply put, a Service Logon Account is the account that determines the security context a service runs in. It is an alternative to the built-in Local System account, which has access to all system resources.
Therefore, manually create a service account with only the limited access needed to run the service (i.e., the permissions it needs to access its resources).
Here are the advantages and disadvantages of using a Service Logon Account:
– Advantage: You have total control over the account’s privileges (rights), which you do not have when you use one of the built-in accounts.
– Disadvantage: Depending on your Domain or Local Group Policy, you will have to manually enter the passwords when they are changed, or else these services will not run.
Note: Service Logon Account passwords cannot be changed automatically. For the built-in local accounts, however, automatic password changes are available.
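To see which account each service on a host logs on as, the following PowerShell script sorts services into the built-in accounts named above and everything else. It is an added example, not part of the original page; the function names and the sample rows (including the `CONTOSO\svc-batch` account) are assumptions made for illustration.

```powershell
# Added example: classify Windows services by the account they log on as.
# Function names and the sample rows below are constructed for illustration.

function Get-ServiceLogonClass {
    param([string]$StartName)
    # Win32_Service.StartName spellings; -Regex matching is case-insensitive.
    switch -Regex ($StartName) {
        '^LocalSystem$'                  { return 'LocalSystem' }
        '^NT AUTHORITY\\LocalService$'   { return 'LocalService' }
        '^NT AUTHORITY\\NetworkService$' { return 'NetworkService' }
        '^NT SERVICE\\'                  { return 'VirtualAccount' }
        '^\s*$'                          { return 'Unknown' }
        default                          { return 'CustomAccount' }
    }
}

function Get-ServiceLogonInventory {
    # With no argument, query the local host; pass objects to test offline.
    param($Services = (Get-CimInstance -ClassName Win32_Service))
    foreach ($svc in $Services) {
        [pscustomobject]@{
            Name       = $svc.Name
            StartName  = $svc.StartName
            LogonClass = Get-ServiceLogonClass $svc.StartName
            State      = $svc.State
        }
    }
}

# Constructed sample rows (not real services or accounts).
$sample = @(
    [pscustomobject]@{ Name = 'ExampleAgent'; StartName = 'LocalSystem'; State = 'Running' }
    [pscustomobject]@{ Name = 'ExampleWeb'; StartName = 'NT AUTHORITY\NetworkService'; State = 'Running' }
    [pscustomobject]@{ Name = 'ExampleBatch'; StartName = 'CONTOSO\svc-batch'; State = 'Stopped' }
)
Get-ServiceLogonInventory -Services $sample | Format-Table -AutoSize

# Live host: running services under Local System, to review whether each
# one needs unrestricted access or could run under a limited account.
Get-ServiceLogonInventory |
    Where-Object { $_.LogonClass -eq 'LocalSystem' -and $_.State -eq 'Running' } |
    Sort-Object Name | Format-Table Name, StartName, State -AutoSize

# Live host: count of services per logon class.
Get-ServiceLogonInventory | Group-Object LogonClass |
    Sort-Object Count -Descending | Format-Table Name, Count -AutoSize
```

Rows classed as `CustomAccount` include the manually created logon accounts described above, so they are the ones to check after a password change.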