What rights on a machine does an account have when logging on as a service?


Spin

Gurus,

System services usually run under the Local System account or Network
Security account. When you make an account run as a domain user account,
i.e. a Domain Admin account, what additional rights does it give that box on
the local machine? I know it gives it the right to logon as a service.
Anything else?

--
Spin
 
I'm not sure if I really understand what you want to know.

But, all Domain Admins accounts are Local Admins for every computer joined
to the domain.

--
augusto alvarez | it pro | southworks
http://staff.southworks.net/aalvarez


"Spin" <Spin@invalid.com> wrote in message
news:6438a9F29s3kmU1@mid.individual.net...
> Gurus,
>
> System services usually run under the Local System account or Network
> Security account. When you make an account run as a domain user account,
> i.e. a Domain Admin account, what additional rights does it give that box
> on the local machine? I know it gives it the right to logon as a service.
> Anything else?
>
> --
> Spin
 
"Augusto Alvarez" <augusto.alvarez82@gmail.com> wrote in message
news:OVpHeC4hIHA.6084@TK2MSFTNGP06.phx.gbl...
> I'm not sure if I really understand what you want to know.
>
> But, all Domain Admins accounts are Local Admins for every computer joined
> to the domain.


That isn't what I asked. Thx for taking a stab though.
 
Spin wrote:
> "Augusto Alvarez" <augusto.alvarez82@gmail.com> wrote in message
> news:OVpHeC4hIHA.6084@TK2MSFTNGP06.phx.gbl...
>> I'm not sure if I really understand what you want to know.
>>
>> But, all Domain Admins accounts are Local Admins for every computer
>> joined to the domain.

>
> That isn't what I asked. Thx for taking a stab though.


Open the local machine security policy, expand the computer configuration,
security settings, local policies, user rights assignments....

then look for the rights and accounts of interest.


--
/kj
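
Added example, not part of the original thread: the check described in the post above can also be run offline against a text export of the same User Rights Assignment node. The script parses the `[Privilege Rights]` section of a `secedit /export /areas USER_RIGHTS` file and reports which rights a token holds and through which SID; the INF sample, the SIDs and the function names are constructed for illustration, and the token's group SIDs are supplied by hand rather than resolved.

```python
import configparser

# Constructed sample of the [Privilege Rights] section written by
# `secedit /export /areas USER_RIGHTS /cfg rights.inf` (all SIDs are made up).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeDebugPrivilege = *S-1-5-32-544
SeDenyNetworkLogonRight = Guest
[Version]
signature="$CHICAGO$"
Revision=1
"""

SVC = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # hypothetical service account
WELL_KNOWN = ["S-1-1-0", "S-1-5-11", "S-1-5-32-545"]     # Everyone, Authenticated Users, Users
ADMINS = "S-1-5-32-544"                                  # BUILTIN Administrators group


def parse_rights(inf_text):
    """Return {right: set(principals)} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of the right names
    cp.read_string(inf_text)
    rights = {}
    for right, value in cp["Privilege Rights"].items():
        # SIDs carry a leading '*'; unresolved accounts appear as plain names.
        rights[right] = {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
    return rights


def rights_for(token_sids, rights):
    """Map each right the token holds to the token SIDs that grant it."""
    held = {}
    for right, principals in rights.items():
        via = sorted(principals & set(token_sids))
        if via:
            held[right] = via
    return held


if __name__ == "__main__":
    table = parse_rights(SAMPLE_INF)
    for label, sids in (("plain user", [SVC] + WELL_KNOWN),
                        ("local admin", [SVC, ADMINS] + WELL_KNOWN)):
        print(label, rights_for(sids, table))
```

A real export is written as UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text to `parse_rights`.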
 
RE: What rights on a machine does an account have when logging on as a

It depends.

Domain Admins group is added to the Local Administrators group on the
machine. Therefore it has access to everything as does a Local Admin.

Domain Users are added to the local Users group on the machine so therefore
it has the same access as a local user. I restrict my local users even
further than MS does by default by setting NTFS permissions.

Cheers,
Lara

"Spin" wrote:

> Gurus,
>
> System services usually run under the Local System account or Network
> Security account. When you make an account run as a domain user account,
> i.e. a Domain Admin account, what additional rights does it give that box on
> the local machine? I know it gives it the right to logon as a service.
> Anything else?
>
> --
> Spin
>
>
 
It shouldn't give you any additional rights. A user account (Domain or
local) needs to be assigned the right to log on as a service to run, but you
have to assign that right; it never has any additional rights provided to it
because it runs as a service.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Spin" <Spin@invalid.com> wrote in message
news:6438a9F29s3kmU1@mid.individual.net...
> Gurus,
>
> System services usually run under the Local System account or Network
> Security account. When you make an account run as a domain user account,
> i.e. a Domain Admin account, what additional rights does it give that box
> on the local machine? I know it gives it the right to logon as a service.
> Anything else?
>
> --
> Spin
 