Microsoft System Center Configuration Manager 2007 uses the Network Service account to run the SMS_System_Health_Validator service on the Network Policy Server when it is configured as the Configuration Manager 2007 System Health Validator point. The Network Service account is a special built-in account that has reduced privileges similar to an authenticated user account. This limited access helps safeguard the computer if an attacker compromises individual services or processes.

Configuration Manager 2007 also uses this security context to connect to Active Directory Domain Services resources in trusted domains, although the connection is made using the Domain\computer$ account. If the System Health Validator point needs to connect to Active Directory Domain Resources in domains with no trust relationships, you must configure the System Health Validator Publishing account or the System Health Validator Querying account.

Required Rights and Permissions

The Network Service account uses the computer's credentials when it authenticates remotely, but it has a greatly reduced privilege level on the server itself and, therefore, does not have local administrator privileges. Configuration Manager 2007 does not require the Network Service account to have any rights or permissions except the default permissions assigned by the operating system. Removing the default rights or permissions from the Network Service account might cause Configuration Manager 2007 to stop functioning properly.

This account requires Read access to the Configuration Manager 2007 Systems Management container in the Global Catalog server.

Account and Password Creation

The account is automatically created as NT AUTHORITY\NetworkService, and it does not have a password that an administrator needs to manage.

Account Location

This account is automatically created as a local account on Microsoft Windows Server 2003 and Windows XP operating systems.

Account Maintenance

No maintenance is required for this system account.