SOLVED: Everything You Need To Know About the Local System Account In Windows

Published by Ian Matthews on

In this short article we are going to provide half a dozen answers to common Local System account questions.

What is The Local System Account In Windows?

The Local System account is a user account created when the operating system is installed and is used primarily to run Windows Services that relate to the operation and maintenance of the local computer.

If you look at the screenshot in the next section, you will see the “Local System” is running most of your services by default.

What Can Local System Account Do?

Put simply, the LocalSystem account has unrestricted access to everything on the local computer. It has even more rights on the local host than a full Domain or Local Admin.

It’s username and GUID are stored on the machine in which it exists, and not in Active Directory.

How To Reset the Local System Account Password

localsystem account in Windows services

The Local System account does NOT have a password so you cannot reset the Local System account’s password. That is why Windows Services does not even give you an option to enter a password when you select the LOCAL SYSTEM account (see screenshot to the right).

Further, LocalSystem does not have its own user profile so it uses C:\USERS\DEFAULT if required.

What Is INTERACT WITH DESKTOP & Why Doesn’t It Work Anymore?

They “interact with desktop” checkbox on the Local System account option in Windows Services no longer does anything.

Up to Windows Server 2003 and Windows XP, the Interact With Desktop checkbox allowed the program / service to pop up dialog boxes and show the program’s GUI. However that was shown to be a serious security risk and by Windows Server 2008 and Windows Vista that check box was being maintained only for legacy reasons. Windows Server 2012 and 2016 had a workaround involving a registry hack but Windows Server 2019 and Windows Server 2022 have it completely blocked. It does nothing today.

Can The Local System Account Read Active Directory?

In a word, yes… but quite limited on member computers and servers.

All Active Directory accounts (user and computer) have read permission to Active Directory however the Local System account is not an Active Directory account; it is a local account. It has the same rights and access as the computer which is why it gets confusing. Put more technically, LocalSystem its token includes the BUILTIN\ADMINISTRATORS and NT AUTHORITY\SYSTEM GUID’s.

This means that if you run a service on a Domain member PC or server, the service has only the network access that was granted to the host computer account (or to any groups of which the computer account is a member).

If that service needs to connect to a different computer on your network, it will present itself as the host computer name. So

The Local System Account on Domain Controllers

On a Domain Controller the Local System account has FULL permission to the Active Directory which is why most companies have policies against using LocalSystem account to run services on DC’s:

If your service must run as LocalSystem, the documentation for your service should justify to domain administrators the reasons for granting the service the right to run at elevated privileges. Services should never run as LocalSystem on a domain controller.

learn.microsoft.com/en-us/windows/win32/ad/the-localsystem-account

The Difference Between the Local System & Local Service Accounts

The big differences between the LocalSystem and LocalService accounts are that:

  1. the LocalService account has MINIMAL access to the local computer.
  2. the LocalService account can only see and talk to things on the network that allow anonymous access.
  3. the LocalService account DOES have a user profile in C:\Users

List of Local System Account Privileges

As you can see the LocalSystem account is quite powerful and can do an awful lot to the local machine which is why it is generally not the best account to use to run services:

SE_ASSIGNPRIMARYTOKEN_NAME (disabled)
SE_AUDIT_NAME (enabled)
SE_BACKUP_NAME (disabled)
SE_CHANGE_NOTIFY_NAME (enabled)
SE_CREATE_GLOBAL_NAME (enabled)
SE_CREATE_PAGEFILE_NAME (enabled)
SE_CREATE_PERMANENT_NAME (enabled)
SE_CREATE_TOKEN_NAME (disabled)
SE_DEBUG_NAME (enabled)
SE_IMPERSONATE_NAME (enabled)
SE_INC_BASE_PRIORITY_NAME (enabled)
SE_INCREASE_QUOTA_NAME (disabled)
SE_LOAD_DRIVER_NAME (disabled)
SE_LOCK_MEMORY_NAME (enabled)
SE_MANAGE_VOLUME_NAME (disabled)
SE_PROF_SINGLE_PROCESS_NAME (enabled)
SE_RESTORE_NAME (disabled)
SE_SECURITY_NAME (disabled)
SE_SHUTDOWN_NAME (disabled)
SE_SYSTEM_ENVIRONMENT_NAME (disabled)
SE_SYSTEMTIME_NAME (disabled)
SE_TAKE_OWNERSHIP_NAME (disabled)
SE_TCB_NAME (enabled)
SE_UNDOCK_NAME (disabled)

Categories: Windows 11 & Windows 10Windows Server

0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

Related Posts

New Certificate Not Appearing In IIS Bindings SSL Certificate

SOLVED: New Certificate Not Appearing In IIS Bindings

After you install a new certificate on your windows server you will likely want to go into IIS and configure the bindings to have HTTPS on port 443 use that new certificate: But what if Read more…

Step By Step - How to Remove Public IP Addresses From Azure

SOLVED: VIDEO: How To Remove Public IP Address & Save Money In Azure

In this short Azure tutorial we demonstrate how to remove static addresses from Azure virtual machines. In particular, we show how to remove static public IP addresses. 0:00 Introduction0:24 Why Remove Public IP Addresses0:44 How Read more…

windows powershell at work - man in front of screens

SOLVED: Discover Your PowerShell Version, Learn How to Upgrade PowerShell, & Explore the Latest Features in PowerShell

Windows PowerShell gets better all the time and Microsoft offers a major new release about every three years. Here are all of the things you need to know about the version of PowerShell. Command To Read more…