The Local System account is a powerful account that has full access to the computer. In Microsoft System Center Configuration Manager 2007 it is used to start services and provide security context for those services, and to perform many Configuration Manager 2007 operations on the site server, site systems, and client computers.

The actual name of the account is NT AUTHORITY\System.

The Local System account does not have any rights to access the network. When network access is necessary, Local System uses the account Domain\computername$.

With the release of Windows Server 2003, two new built-in account types similar to Local System were added: the Network Service account and the Local Service account. For more information about how Configuration Manager 2007 uses these accounts, see About the Local Service Account in Configuration Manager and About the Network Service Account in Configuration Manager. For more information about these accounts, see http://go.microsoft.com/fwlink/?LinkId=93067.

Local System Functions

Local System inherently has all required rights and permissions on the local computer. Removing any of those rights or permissions can cause Configuration Manager 2007 or the operating system to stop functioning.

The following Configuration Manager 2007 services, if used, are configured to log on as LocalSystem:

  • CCMSetup.exe

  • SMS Agent Host

  • SMS Task Sequence Agent

  • SMS_EXECUTIVE

  • SMS_REPORTING_POINT

  • SMS_SERVER_LOCATOR_POINT

  • SMS_SITE_BACKUP

  • SMS_SITE_VSS_WRITER

  • SMS_SITE_COMPONENT_MANAGER

  • SMS_SERVER_BOOTSTRAP_<servername>

Important
If you change the default service settings, you might prevent key services from running correctly. Changing the Startup type and Log on as settings for Configuration Manager 2007 services is not supported.

In addition to providing the security context for Configuration Manager 2007 services, the Local System account performs the following functions:

  • Creates files, directories, and services on the site systems.

  • Provides the security account for the application pools required by site systems that use IIS.

Site Server Computer (computername$) Functions

Function: Accesses Active Directory Domain Services containers during any type of Active Directory discovery.
Required rights and permissions: Read access to the containers that you specify for discovery. When the computer account is used in domains other than the domain in which the site server is located, the account must have user rights on those domains. The account must be a member of at least the Domain Users group or the local Users group on those domains.

Function: Accesses the DHCP server for DHCP Network Discovery.
Required rights and permissions: Must be a member of the DHCP Users group on the DHCP server.

Function: Creates and populates the System Management container in Active Directory.
Required rights and permissions: If you extend the schema, enable publishing, and grant the computername$ account Full Control on the System container and all child objects, it can automatically create the System Management container underneath.
Notes: To follow the principle of least privilege, manually create the System Management container under the System container instead of letting Configuration Manager create it. Then grant the site server computer account full rights to the System Management container and all child objects.

Function: Accesses source files when creating packages for software distribution.
Required rights and permissions: Read and List Folder Contents permissions on all source files and directories.

Function: Communicates with parent and child sites.
Required rights and permissions: Read, Write, Execute, and Delete permissions on the SMS\Inboxes\Despoolr.box\Receive folder on the destination site server. Add the Site Address Account to the Site to Site Connection group on the destination site server, which has the appropriate permissions on the SMS_Site shared folder.
Notes: You can create and use a Site Address account, but then you will have to maintain the account and password.

Function: Installs secondary sites when site creation is initiated from the Configuration Manager console.
Required rights and permissions: Local administrator rights on the secondary site server.
Notes: If you run Setup on the secondary site server, this account does not need local administrator rights on the secondary site server.

Function: Installs remote site systems.
Required rights and permissions: Local administrator rights on the remote site system.
Notes: If you are configuring site systems in remote untrusted forests, you must use the Site System Installation account instead. For more information, see Site System Installation Account.

Function: Retrieves data from site systems, if configured.
Required rights and permissions: Local administrator rights on the remote site system.
Notes: If you check Allow only site server initiated data transfers from this site system on the site system General tab, Configuration Manager pulls the data from the site system instead of waiting for the site system to push the data. If a Site System Installation account is configured, Configuration Manager uses that account instead.

Function: Creates and configures the site database.
Required rights and permissions: Membership in Sysadmins on the SQL Server, if the site database is on a remote computer.
Notes: You must create a SQL Server login for the site server computer account and add it to the Sysadmins role.
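The least-privilege alternative from the System Management container row above, as an added example that is not part of the Configuration Manager documentation: pre-create the container and grant Full Control only on it, leaving the System container's ACL untouched. It assumes the ActiveDirectory module (RSAT) and dsacls.exe are available, and the domain DN and site server computer account below are placeholders.

```powershell
# Added example (not from the Configuration Manager documentation): create the
# System Management container manually and grant only the site server computer
# account Full Control on it, instead of giving computername$ Full Control on
# the whole System container. Assumes RSAT (ActiveDirectory module) and dsacls.exe
# are present and the caller may create objects under CN=System.
param(
    [string]$DomainDn   = 'DC=contoso,DC=com',      # placeholder domain DN
    [string]$SiteServer = 'CONTOSO\SITESERVER01$'   # placeholder site server computer account
)

Import-Module ActiveDirectory -ErrorAction Stop

$systemDn = "CN=System,$DomainDn"
$smDn     = "CN=System Management,$systemDn"

# Create the container only if it does not already exist.
$existing = Get-ADObject -LDAPFilter '(cn=System Management)' -SearchBase $systemDn -SearchScope OneLevel
if (-not $existing) {
    New-ADObject -Name 'System Management' -Type container -Path $systemDn
    Write-Output "Created $smDn"
} else {
    Write-Output "$smDn already exists"
}

# Grant the computer account Full Control (GA = generic all) on the container and,
# through /I:T, on this object and all child objects it will later create there.
# ${SiteServer} is braced so PowerShell does not read the colon as a scope qualifier.
& dsacls.exe $smDn /G "${SiteServer}:GA" /I:T | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dsacls failed with exit code $LASTEXITCODE" }

# Show the resulting ACE so the grant can be reviewed; the parent System
# container's ACL was not modified.
& dsacls.exe $smDn | Select-String -SimpleMatch ($SiteServer.Split('\')[-1])
```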

Site System Computer (computer$) Functions

Function: Provides access to the site database for the following site roles:

  • Management points (including device management point)

  • Reporting points

  • Server locator points

  • PXE service points

  • State migration points

Required rights and permissions: The site system computer account is automatically added to the corresponding database role. The database role has all required rights and permissions.
Notes: The management point, PXE service point, and server locator point can be configured to use a Database Connection account instead of Local System. For more information, see About the Management Point Database Connection Account, About the Server Locator Point Database Connection Account, or About the PXE Service Point Database Connection Account.

Function: The following site roles use the site system computer$ account to push data back to the site server:

  • Management points

  • Device management points

  • PXE service points

  • State migration points

  • System Health Validator points

  • Software update points

  • Fallback status point

Required rights and permissions: Membership in the Site System to Site Server Connection group.
Notes: If you are configuring site systems in remote untrusted forests, you cannot add the site system computer$ account to the Site System to Site Server Connection group, so you must check Allow only site server initiated data transfers from this site system on the site system General tab.

Creation and Password

The account is created automatically and the password is managed by the operating system.

Account Location

Local System is a local account. If the computer is a domain member, the computer$ account is created in the domain that the computer belongs to.

Account Maintenance

The operating system maintains its own accounts and passwords. Occasionally, however, the computer$ account password can become unsynchronized with the domain controller and the secure communication channel must be reset between the member computer and the domain controller. For more information about resetting computer accounts, see the Microsoft Knowledge Base http://go.microsoft.com/fwlink/?LinkId=93062.
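The secure-channel check and reset described above, as an added example that is not from the documentation or the Knowledge Base article: it uses the built-in Test-ComputerSecureChannel cmdlet and nltest.exe, and the function name is my own. It assumes it runs elevated on the affected domain-joined site server or site system.

```powershell
# Added example (not from the documentation): check whether this computer's secure
# channel to its domain controller is healthy and, if asked, reset it in place
# without removing the computer from the domain. Test-ComputerSecureChannel and
# nltest.exe are built in; Test-AndRepairSecureChannel is a name chosen here.
function Test-AndRepairSecureChannel {
    [CmdletBinding()]
    param(
        [switch]$Repair   # reset the channel if the check fails
    )

    $cs = Get-CimInstance Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        Write-Warning 'Computer is not domain-joined; nothing to check.'
        return $false
    }
    $domain = $cs.Domain

    # $true means the channel, and therefore the computer$ password the DC knows,
    # is in sync with this computer's local secret.
    $ok = Test-ComputerSecureChannel
    Write-Output ("Secure channel to {0}: {1}" -f $domain, $(if ($ok) { 'OK' } else { 'BROKEN' }))

    if (-not $ok -and $Repair) {
        # Resetting needs a domain account allowed to reset this computer account.
        $cred = Get-Credential -Message "Account allowed to reset $env:COMPUTERNAME`$ in $domain"
        $ok = Test-ComputerSecureChannel -Repair -Credential $cred
        Write-Output ("Repair result: {0}" -f $(if ($ok) { 'OK' } else { 'FAILED' }))
    }

    # Independent confirmation: /sc_query reports the DC the channel is
    # established with and its status.
    & nltest.exe /sc_query:$domain
    return $ok
}

Test-AndRepairSecureChannel -Repair
```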

Security Best Practices

Configuration Manager 2007 does not require that any computer accounts be added to the Domain Admins group. When a computer account requires administrative rights, for example on a remote site server, add the account to the appropriate local group.

Do not remove rights and permissions from Local System. Changing the default rights and permissions could prevent the operating system and applications from functioning.

Minimize the use of the Local System account on the site servers and site systems by not installing other services that use the Local System account. This ensures that other processes cannot use the enhanced privileges of the computer account to reach Configuration Manager 2007 files and data through those other services.

Configure SQL Server to run under a domain user account instead of Local System.
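An audit script, added here and not part of the documentation, that checks a site server or site system against the service list earlier on this page and the best practices above: the listed Configuration Manager 2007 services must still log on as LocalSystem, SQL Server should not, and any other non-Windows service running as LocalSystem is reported for review. It assumes only built-in cmdlets; the filter on $env:SystemRoot for "other" services is a heuristic of mine.

```powershell
# Added example (not from the documentation): audit service log-on accounts on a
# site server or site system. Names come from the service list on this page; the
# SMS Agent Host and Task Sequence Agent are matched on display name because
# their internal service names differ. Services whose binary lives under
# %SystemRoot% are treated as operating-system services and skipped (heuristic).
$cmServiceNames = @(
    'SMS Agent Host', 'SMS Task Sequence Agent', 'SMS_EXECUTIVE',
    'SMS_REPORTING_POINT', 'SMS_SERVER_LOCATOR_POINT', 'SMS_SITE_BACKUP',
    'SMS_SITE_VSS_WRITER', 'SMS_SITE_COMPONENT_MANAGER'
)

$findings = foreach ($svc in Get-CimInstance Win32_Service) {
    $isLocalSystem = $svc.StartName -eq 'LocalSystem'
    $isCm = (($cmServiceNames -contains $svc.Name) -or
             ($cmServiceNames -contains $svc.DisplayName) -or
             ($svc.Name -like 'SMS_SERVER_BOOTSTRAP_*'))
    # Default instance is MSSQLSERVER; named instances are MSSQL$<instance>.
    $isSql = ($svc.Name -eq 'MSSQLSERVER') -or ($svc.Name -like 'MSSQL$*')
    $isOs  = $svc.PathName -like "$env:SystemRoot\*"

    if ($isCm -and -not $isLocalSystem) {
        [pscustomobject]@{ Service = $svc.Name; Account = $svc.StartName
                           Finding = 'CM service not logging on as LocalSystem (unsupported change)' }
    } elseif ($isSql -and $isLocalSystem) {
        [pscustomobject]@{ Service = $svc.Name; Account = $svc.StartName
                           Finding = 'SQL Server running as LocalSystem; use a domain user account' }
    } elseif ($isLocalSystem -and -not $isCm -and -not $isOs -and $svc.StartMode -ne 'Disabled') {
        [pscustomobject]@{ Service = $svc.Name; Account = $svc.StartName
                           Finding = 'Other LocalSystem service; confirm it is needed on this server' }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { Write-Output 'No findings.' }
```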
