Directory Services

About Service Logon Accounts

When a Win32-based service starts, it logs on to the local computer. It can log on as:

The logon account determines the security identity of the service at run time, that is, the service's primary security context. The security context determines the service's ability to access local and network resources. For example, a service running in the security context of a local user account cannot access network resources. Conversely, a service running in the security context of the LocalSystem account on a Microsoft® Windows® 2000 domain controller would have unrestricted access to the Microsoft Active Directory® directory service. For more information, and a discussion of the benefits and limitations of user accounts compared with LocalSystem, see Security Contexts and Active Directory.

Ultimately, administrators on the system where the service is installed have control over the service's logon account. For security reasons, some administrators may not allow you to install your service under the LocalSystem account. Your service must be able to run under a domain user account. As a programmer, you can exercise some control over your service's logon account. Your service installer specifies the service's logon account when it calls the CreateService function to install the service on a host computer. Your installer can suggest a default logon account, but it should allow an administrator to specify the actual account.
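The following added example (not code from the original documentation) sketches an installer that suggests a default logon account, lets the administrator override it, and passes the result to CreateService. The names `resolve_logon_account`, `install_service` and `ExampleSvc`, and the rule that a bare user name means a local account, are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
/* How the chosen account maps onto CreateService's lpServiceStartName. */
typedef enum { ACCT_INVALID, ACCT_LOCALSYSTEM, ACCT_USER } acct_kind;

/* Use the administrator's choice if given, else the installer's suggested
 * default. Assumption of this example: a bare name means a local account. */
acct_kind resolve_logon_account(const char *admin_choice, const char *suggested,
                                char *out, size_t n)
{
    const char *a = (admin_choice && *admin_choice) ? admin_choice : suggested;
    const char *sep;
    if (out == NULL || n == 0) return ACCT_INVALID;
    out[0] = '\0';
    if (a == NULL || strcmp(a, "LocalSystem") == 0) return ACCT_LOCALSYSTEM;
    sep = strchr(a, '\\');
    if (sep == NULL) {                    /* "User" becomes ".\User" */
        if (*a == '\0' || strlen(a) + 3 > n) return ACCT_INVALID;
        snprintf(out, n, ".\\%s", a);
        return ACCT_USER;
    }
    /* Require one separator with text on both sides, and room in out. */
    if (sep == a || sep[1] == '\0' || strchr(sep + 1, '\\') || strlen(a) >= n)
        return ACCT_INVALID;
    strcpy(out, a);
    return ACCT_USER;
}

#ifdef _WIN32
#include <windows.h>
/* Installer step. "ExampleSvc" is a hypothetical service name. */
BOOL install_service(const char *bin_path, const char *admin_choice,
                     const char *password)
{
    char acct[256];
    SC_HANDLE scm, svc;
    acct_kind k = resolve_logon_account(admin_choice, "LocalSystem", acct, sizeof acct);
    if (k == ACCT_INVALID) return FALSE;
    scm = OpenSCManagerA(NULL, NULL, SC_MANAGER_CREATE_SERVICE);
    if (scm == NULL) return FALSE;
    svc = CreateServiceA(scm, "ExampleSvc", "Example Service", SERVICE_QUERY_STATUS,
        SERVICE_WIN32_OWN_PROCESS, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL,
        bin_path, NULL, NULL, NULL,
        k == ACCT_USER ? acct : NULL,      /* NULL start name = LocalSystem */
        k == ACCT_USER ? password : NULL); /* no password for LocalSystem */
    if (svc) CloseServiceHandle(svc);
    CloseServiceHandle(scm);
    return svc != NULL;
}
#endif
```

Rejecting a malformed account name before calling CreateService gives the administrator a clear error at install time instead of a service that fails to log on when it starts.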

Your installer can also perform the following tasks relating to your service's logon account:

After a service is installed, there are maintenance tasks that relate to your service logon account. For more information, see Logon Account Maintenance Tasks.