Microsoft System Center Configuration Manager 2007 uses the Local Service account to run several application pools used by site systems that require Internet Information Services (IIS). The Local Service account is a special built-in account that has reduced privileges similar to an authenticated local user account. This limited access helps safeguard the computer if an attacker compromises individual services or processes.

Required Rights and Permissions

Local Service requires the following rights and permissions on virtual directories in the Web site used by Configuration Manager 2007, either the default Web sit or a custom Web site.

Virtual Directory Permissions

CCM_Client

Read

CCM_Incoming

Local Service requires the following permissions on the virtual directory folder:

Traverse Folder/Execute File

List Folder/Read Data

Read Attributes

Read Extended Attributes

Create Files/Write Data

Create Folders/Append Data

Delete Subfolders and Files

Read Permissions

Local Service also requires full control on all subfolders and files of the virtual directory folder.

CCM_Outgoing

Read

CCM_System

List Folder Contents

CCM_System_WindowsAuth

List Folder Contents

SMS_MP

List Folder Contents

SMS_SLP

List Folder Contents

SMS_FSP

List Folder Contents

Account and Password Creation

The account is automatically created as NT AUTHORITY\LocalService, and it does not have a password that an administrator needs to manage.

Account Location

This account is automatically created as a local account on Microsoft Windows Server 2003 and Windows XP operating systems.

Account Maintenance

No maintenance is required for this system account.