"NT AUTHORITY" context of account group?

    Question

  • Sub-question to my question Network vs. Everyone (Special Identities of Windows Server)

    PsGetSid shows:

        D:\>psgetsid network

        PsGetSid v1.44 - Translates SIDs to names and vice versa
        Copyright (C) 1999-2008 Mark Russinovich
        Sysinternals - www.sysinternals.com

        SID for NT AUTHORITY\network:
        S-1-5-2

        D:\Documents and Settings\Administrator>psgetsid everyone

        PsGetSid v1.44 - Translates SIDs to names and vice versa
        Copyright (C) 1999-2008 Mark Russinovich
        Sysinternals - www.sysinternals.com

        SID for \everyone:
        S-1-1-0

    i.e. the NETWORK group, in contrast to the EVERYONE group, has the "NT AUTHORITY" context.

    What information does it confer?
    When, and what for, is the "NT Authority\" context used?

    Monday, September 20, 2010 8:34 AM
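The prefix PsGetSid prints before the backslash is the name of the SID's identifier authority field (authority 5 is NT AUTHORITY, authority 1 is WORLD, which is reported with an empty domain), so it is a property of the SID itself rather than a computer or AD domain. The following added example (not code from the thread or from Sysinternals) parses string SIDs, names the well-known ones quoted above, and round-trips them through the binary SID layout; the constants are documented Windows values, the helper names are this example's own.

```python
# Added example (not from the thread): parse Windows string SIDs and show why
# S-1-5-2 prints as "NT AUTHORITY\NETWORK" while S-1-1-0 prints as "\Everyone".
import struct

# Identifier authority field of the SID; the text before the backslash in
# PsGetSid output is this authority's name, not a computer or AD domain.
AUTHORITY_NAMES = {1: "WORLD", 5: "NT AUTHORITY"}

WELL_KNOWN = {
    "S-1-1-0": "Everyone",          # WORLD authority, no domain prefix
    "S-1-5-2": "NETWORK",
    "S-1-5-18": "SYSTEM",           # the LocalSystem account
    "S-1-5-19": "LOCAL SERVICE",
    "S-1-5-20": "NETWORK SERVICE",
}

def parse_sid(sid):
    """Split 'S-R-A-s1-s2-...' into (revision, authority, subauthorities)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a string SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or authority >= 2**48 or len(subs) > 15:
        raise ValueError(f"malformed SID: {sid!r}")
    return revision, authority, subs

def account_name(sid):
    """Render a SID as PsGetSid does: '<authority domain>\\<name>'.
    Only NT AUTHORITY (5) carries a domain prefix; WORLD (1) shows none."""
    _, authority, _ = parse_sid(sid)
    prefix = AUTHORITY_NAMES[authority] if authority == 5 else ""
    return f"{prefix}\\{WELL_KNOWN.get(sid, sid)}"

def sid_to_binary(sid):
    """Pack into the binary SID layout: revision, sub-count, 48-bit
    big-endian authority, then little-endian 32-bit subauthorities."""
    revision, authority, subs = parse_sid(sid)
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def binary_to_sid(blob):
    """Inverse of sid_to_binary; rejects truncated or oversized buffers."""
    revision, count = struct.unpack_from("<BB", blob, 0)
    if len(blob) != 8 + 4 * count:
        raise ValueError("truncated or oversized SID blob")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])
```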

Answers

  • The LocalSystem Account is an account with a random Hex password that changes every 7 days. There is no way to change it.

    > Can you give a reference on it? 

    I provide a link for an example using Exchange service accounts. In addition, the following two will help.

    LocalSystem Account (Windows): The LocalSystem account is a predefined local account used by the service control manager.
    http://msdn.microsoft.com/en-us/library/ms684190(VS.85).aspx


    I was confused by your citation:

    • 1)
      "LocalSystem Account is an account with a random Hex password that changes every 7 days. There is no way to change it" [2]

    Your last given reference to article [1] tells:

    • 2)
      The LocalSystem "account does not have a password. If you specify the LocalSystem account in a call to the CreateService function, any password information you provide is ignored"

     Hmm, I can understand the confusion. I got my quote from the original link that describes how the Services Architecture works, at the following link. Scroll down in the link to the quote below the link. It uses Exchange as an example of a service that you can run using the LocalSystem account:

    [2]
    Understanding Windows Services Architecture
    http://technet.microsoft.com/en-us/library/aa998749(EXCHG.65).aspx

    "No extra services account or password changes required: The LocalSystem account (NT AUTHORITY\LocalSystem) always exists and has a random hexadecimal number as the password. This password changes automatically every seven days, so you do not need to create a services account in Active Directory before you install Exchange Server 2003 or change a services password at frequent intervals."

     

    ==============================
    Update:

    Well, I see this phrase in [2]

    •  "The LocalSystem account (NT AUTHORITY\LocalSystem) always exists and has a random hexadecimal number as the password. This password changes automatically every seven days, so you do not need to create a services account in Active Directory before you install Exchange Server 2003 or change a services password at frequent intervals"

    which, contradicts to an earlier phrase from the same [2]:

    • "The LocalSystem account is a predefined local account that has extensive privileges on the local computer. This account is only available to system processes and does not have a password"

    LocalSystem does or does not have password? 

    [1]
    LocalSystem Account
     http://msdn.microsoft.com/en-us/library/ms684190(VS.85).aspx

    [2]
    Understanding Windows Services Architecture
    http://technet.microsoft.com/en-us/library/aa998749(EXCHG.65).aspx

    Very good question, which is at this time, confusing based on the contradictory info in the links.

    My best guess is that the LocalSystem account does have an autogenerated Hex password controlled by the LSA (Local Security Authority) that changes every 7 days and is not alterable, nor can it be manually changed; a background security process handles it, and it can't be touched due to proprietary, not publicly disclosed, security DLLs/APIs.

    Therefore for all practical purposes, we can safely assume and view this account as not having a password, since we can't alter it anyway, whether manually or programmatically.


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Wednesday, September 22, 2010 12:30 AM

All replies

  • > What information does it confer?
    > When and what's for is "NT Authority\" context?

    NT Authority is basically the Local System Account on a machine. Each machine has a Local System Account. It has administrative rights and permissions. The Local System Account can actually be used in lieu of a user account for such things as running a service.

    > i.e. NETWORK group, in contrast to EVERYONE group , has context of "NT AUTHORITY"

    NT Authority is automatically part of Everyone


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Monday, September 20, 2010 3:24 PM
  • Monday, September 20, 2010 5:24 PM
  • > I moved to contemplate into


    Actually, NTAuthority is the System itself. When we reference the LocalSystem account, we normally reference it as NTAuthority\LocalSystem. You can also reference it as ComputerName\LocalSystem, however that's just illustrating what NTAuthority is, and not being a system programmer, I am not familiar how you would reference it programmatically other than using NTAuthority\LocalSystem.

    The LocalSystem Account is an account with a random Hex password that changes every 7 days. There is no way to change it. When a service runs under the LocalSystem account, it can access only local resources.

    If the service needs access to the Network, it must use another account. One account that it can use is the NT Authority\Network account. This account has no password.

    See the link below and scroll down or search within the article for "Exchange Services and the LocalSystem Account" to see how Exchange servers use the account as an example. This may help understand the accounts and their relationship locally and across the network.

    Understanding Windows Services Architecture -
    http://technet.microsoft.com/en-us/library/aa998749(EXCHG.65).aspx


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Monday, September 20, 2010 6:03 PM
  • > The LocalSystem Account is an account with a random Hex password that changes every 7 days. There is no way to change it.

    Can you give a reference on it? 

    > When a service runs under the LocalSystem account, it can access only local resources.

    > If the service needs access to the Network, it must use another account. One account that it can use is the NT Authority\Network account. This account has no password.

    The answer to my question "LocalSystem vs. System" cites:

    • "...From a security perspective, the local system account is extremely powerful - more powerful than any domain or local account."
      -- Windows Internals, 5th Edition (page 288 - 289).

    I read numerous similar phrases in msdn articles...

    Monday, September 20, 2010 6:34 PM
  • > The LocalSystem Account is an account with a random Hex password that changes every 7 days. There is no way to change it.

    > Can you give a reference on it? 

    I provide a link for an example using Exchange service accounts. In addition, the following two will help.

    LocalSystem Account (Windows): The LocalSystem account is a predefined local account used by the service control manager.
    http://msdn.microsoft.com/en-us/library/ms684190(VS.85).aspx

    The LocalSystem Account (Windows): One advantage of running under the LocalSystem account is that the service has complete unrestricted access to local resources.
    http://msdn.microsoft.com/en-us/library/ms677973(VS.85).aspx

    > "...From a security perspective, the local system account is extremely powerful - more powerful than any domain or local account."
    > -- Windows Internals, 5th Edition (page 288 - 289).

    The links above provide additional information illustrating the power of the account.

    > I read numerous similar phrases in msdn articles...


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Monday, September 20, 2010 7:22 PM
  • > The LocalSystem Account is an account with a random Hex password that changes every 7 days. There is no way to change it.

    > Can you give a reference on it? 

    > I provide a link for an example using Exchange service accounts. In addition, the following two will help.

    > LocalSystem Account (Windows): The LocalSystem account is a predefined local account used by the service control manager.
    > http://msdn.microsoft.com/en-us/library/ms684190(VS.85).aspx


    I was confused by your citation:

    • 1)
      "LocalSystem Account is an account with a random Hex password that changes every 7 days. There is no way to change it" [2]

    Your last given reference to article [1] tells:

    • 2)
      The LocalSystem "account does not have a password. If you specify the LocalSystem account in a call to the CreateService function, any password information you provide is ignored"

    ==============================
    Update:

    Well, I see this phrase in [2]

    •  "The LocalSystem account (NT AUTHORITY\LocalSystem) always exists and has a random hexadecimal number as the password. This password changes automatically every seven days, so you do not need to create a services account in Active Directory before you install Exchange Server 2003 or change a services password at frequent intervals"

    which, contradicts to an earlier phrase from the same [2]:

    • "The LocalSystem account is a predefined local account that has extensive privileges on the local computer. This account is only available to system processes and does not have a password"

    LocalSystem does or does not have password? 

    [1]
    LocalSystem Account
     http://msdn.microsoft.com/en-us/library/ms684190(VS.85).aspx

    [2]
    Understanding Windows Services Architecture
    http://technet.microsoft.com/en-us/library/aa998749(EXCHG.65).aspx

    Tuesday, September 21, 2010 12:52 PM