Log on as a service


jps

What is this policy in the Local Security Settings for? My
current setting has SYSTEM and NETWORK SERVICE in there,
but shouldn't the default be 'blank'? Is the current
setting safe?

Thanks,
JPS
 
jps said:
What is this policy in the Local Security Settings for? My
current setting has SYSTEM and NETWORK SERVICE in there,
but shouldn't the default be 'blank'? Is the current
setting safe?

Without sounding redundant and in simple terms - it allows a service (a
process that runs continuously in the background) to use an account instead
of just being started by the operating system. This allows that account to
have the sufficient rights to start up a process as a service.

--
Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups
 
The setting also has something that begins with *S-1-...,
which I believe is my user ID in the network domain.

Is there a way I can verify this is my account, which is
an account in a domain, and not someone else's? Like to convert
it into a readable format, e.g. Domain\userid?

Assume this is my user ID (which I think it should be, or
else I won't be able to log on to the domain). If there is
someone who has access to obtain my password from the
domain, how can I prevent him from remotely accessing
my computer?

Thanks again,
JPS
 
If you currently can resolve domain users and groups when
in an interface such as the one to add to the security grants
in NTFS, then the SID you are seeing in the local policy is
likely the remains of a deleted account.
If when in such as the NTFS security dialog you cannot see
friendly names for domain users and groups, then you may be
correct, that it is for some account/group of the domain.

Your domain account does not need a grant to log in as a
service in order to log in.

If you have a domain and certain accounts are able to log in,
then just exactly as with local accounts, anyone knowing the
account and its password will be able to use the account.
 
How about the interface from the properties of one of
local security policies, e.g. Local Security Settings ->
Right click properties -> Add Users or Groups -> Select
Users or Groups -> Advanced? Is this the same type of
interface you were referring to?

Don't mean to ask the same question again. Just want to be
sure I'm clear on this ... I could see 'MyDomain\myuserid'
in the list of RDNs, but not the one in the aforementioned
security setting of 'Log on as a service' (i.e. the one
that begins with '*S-1-...'). Is there a way to resolve
this '*S-1-...' so that I can be sure that it is a deleted
account (or not)? Interestingly, this '*S-1-...' appears in
the security settings for the other local security
policies as well.

Based on what you said that my domain account does not
need a grant to log in as a service in order to log in, is
it ok and safe if I set 'Log on as a service' to 'Not
Defined', i.e. remove SYSTEM, NETWORK and this '*S-1-...'?

If I leave this setting as it is, is there a way I can
find out or trace someone remotely logging on to my PC as me?

Thanks much,
JPS
 
I just noticed that this '*S-1-...' SID also appears in the
security setting of 'Act as part of the operating system'
policy.
 
jps said:
I just noticed that this '*S-1-...' SID also appears in the
security setting of 'Act as part of the operating system'
policy.

Give us the full SID.
There are a number of well-known SIDs that we can identify,
or you can look them up yourself in Knowledge Base article 243330.

--
Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups
 
Thanks. I saw that article, and found what that SID is in
the registry. It isn't one of the well-known SIDs.
 
System and Network Service and if present Local Service
and sometimes others depending on the machine and what
is installed need this grant.
S-1-5-. . . . when showing either means that a trusted
domain is not currently reachable to translate a SID from
it to a friendly name, or that some account or group has
been deleted.

Yes, the principal picker when accessed as you mentioned
would be equivalent to accessing it for NTFS permissions.
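
An added example, not part of the original thread: one way to answer the question about turning a `*S-1-...` entry into `Domain\userid` is to export the user-rights section of the local policy with `secedit` and try to translate every SID listed for 'Log on as a service' (`SeServiceLogonRight`) and 'Act as part of the operating system' (`SeTcbPrivilege`). The function name `Resolve-UserRightHolders`, the sample file content and the `S-1-5-21-...` value are constructed for illustration; that SID is a placeholder, not the one from the thread.

```powershell
# Constructed sample of the file written by:
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# The S-1-5-21-... value is a made-up placeholder SID.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-18,*S-1-5-20,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeTcbPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1105
'@

function Resolve-UserRightHolders {
    param(
        [string[]]$InfLines,
        [string[]]$Rights = @('SeServiceLogonRight', 'SeTcbPrivilege')
    )
    foreach ($line in $InfLines) {
        # Lines look like: RightName = *SID,*SID,AccountName
        if ($line -notmatch '^\s*(\w+)\s*=\s*(.*)$') { continue }
        $right = $Matches[1]
        if ($Rights -notcontains $right) { continue }
        foreach ($entry in ($Matches[2] -split ',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            $account = $entry
            $status  = 'Listed by name'
            if ($entry.StartsWith('*S-1-')) {
                try {
                    # The leading '*' marks a raw SID in the exported policy.
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
                    $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
                    $status  = 'Resolved'
                } catch [System.Security.Principal.IdentityNotMappedException] {
                    # Same two causes named in the thread.
                    $account = $null
                    $status  = 'Unresolved: deleted account or domain not reachable'
                }
            }
            [pscustomobject]@{ Right = $right; Entry = $entry; Account = $account; Status = $status }
        }
    }
}

# Run against the constructed sample. For the live policy, from an elevated prompt:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   Resolve-UserRightHolders -InfLines (Get-Content "$env:TEMP\rights.inf")
Resolve-UserRightHolders -InfLines ($sampleInf -split "`r?`n") | Format-Table -AutoSize
```

An entry that stays unresolved while the domain is reachable, and that holds a right as strong as `SeTcbPrivilege`, is worth comparing against the domain's own SID prefix before deciding whether to remove it.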
 