none
Is NT Authority\System (Local System) a part of Authenticated Users ??

Answers

All replies

  • Your question is not clear to me but what i have understood it is you are asking service configured to run using local system account will it be able to access AD/GP objects the answer is no, because while accessing the AD resources it has to authenticate against it and w/o authentication it won't be able to get the accessibility to the domain resources.


    Awinish Vishwakarma - MVP-DS

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Friday, March 02, 2012 8:51 AM
    Moderator
  • Hi Awinish,

    I have a service running under local system account. In that service I am trying to fetch all the GPOs applicable to a user. I am using GetGPOList() API for that.

    http://msdn.microsoft.com/en-us/library/windows/desktop/aa373520(v=vs.85).aspx

    I am not passing any token, so according to the api it should use the security access of the caller that is Local System.

    Now this API is returning all the GPOs that are intended for Authenticated Users. This arises my question if NT Authority\System (Local System) is included in Authenticated Users group.

    I read somewhere that :

    Authenticated Users isn't a true group—it's a special security principal that specifies any session that's been authenticated using some account, such as a local SAM account, domain account, or account from any trusted domain.


    Paras

    Friday, March 02, 2012 9:10 AM
  • Hi,

    The Local System account is a powerful account that has full access to the computer. The actual name of the account is NT AUTHORITY\System. The Local System account does not have any rights to access the network. When network access is necessary, Local System uses the account Domain\computername$.

    With the release of Windows Server 2003, two new built-in account types similar to Local System were added: the Network Service account and the Local Service account.

    Read the below articles for more information:
    http://networkadminkb.com/KB/a41/differences-between-authenticated-users-domain-users.aspx

    http://msdn.microsoft.com/en-us/library/windows/desktop/ms684190(v=vs.85).aspx

    http://technet.microsoft.com/en-us/library/bb680595.aspx


    Best Regards,

    Abhijit Waikar.
    MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Friday, March 02, 2012 9:12 AM
  • Thanks Abhijit. The links were really helpful.

    Regards,

    Paras


    Paras

    Friday, March 02, 2012 12:49 PM
  • You are welcome Paras.

    Best Regards,

    Abhijit Waikar.
    MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Friday, March 02, 2012 12:52 PM