Platform SDK: Active Directory, ADSI, and Directory Services

Guidelines for Selecting a Service Logon Account

A Win32®-based service can run in the security context of a local user account, a domain user account, or the LocalSystem account. How does an administrator decide which account to use? The guiding principle is that an administrator should install your service at the lowest "privilege level" that is sufficient to perform the service's operations. In a typical directory-enabled service, this means your service installation program should create a domain user account for the service and grant that account the specific access rights and privileges the service requires at run time. Your service should run under the LocalSystem account only if it needs administrative privileges, or the "act as part of the operating system" privilege, on the local computer.

Note that your service installation program should, by default, set up the service to run under a domain user account. If your service must run under the LocalSystem account, the installation program must ask the administrator for permission before configuring it that way.
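The installation logic described above, as an added PowerShell example that is not part of the SDK page: the installer defaults to a domain user account, asks the administrator before using LocalSystem, and then reads back the logon account the Service Control Manager actually recorded. The service, binary and account names are placeholders.

```powershell
# Added example (not from the SDK page). All names below are placeholders.
param(
    [string]$ServiceName = 'ContosoDirSvc',
    [string]$BinaryPath  = 'C:\Program Files\Contoso\dirsvc.exe',
    [string]$Account     = 'CONTOSO\svc-dirsvc',   # dedicated domain user account
    [switch]$RequireLocalSystem                    # set only if the service truly needs it
)

function Install-LeastPrivilegeService {
    param([string]$Name, [string]$Path, [string]$Account, [bool]$NeedsLocalSystem)

    if ($NeedsLocalSystem) {
        # Guideline: LocalSystem only with the administrator's explicit consent.
        $answer = Read-Host "Service '$Name' requests LocalSystem (administrative) privileges. Allow? (y/N)"
        if ($answer -notmatch '^[Yy]$') {
            throw "Installation cancelled: LocalSystem was not approved by the administrator."
        }
        # Omitting -Credential makes the SCM run the service as LocalSystem.
        New-Service -Name $Name -BinaryPathName $Path -StartupType Automatic | Out-Null
    }
    else {
        # Default path: a domain user account. The password is prompted for,
        # never hard-coded in the installer.
        $cred = Get-Credential -UserName $Account -Message "Password for service account $Account"
        New-Service -Name $Name -BinaryPathName $Path -StartupType Automatic -Credential $cred | Out-Null
    }

    # Verify what the SCM stored rather than trusting the arguments we passed.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    return $svc.StartName
}

# Defender's check: which services on this host already run as LocalSystem?
function Get-LocalSystemServices {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' } |
        Select-Object Name, PathName
}

$startName = Install-LeastPrivilegeService -Name $ServiceName -Path $BinaryPath `
    -Account $Account -NeedsLocalSystem $RequireLocalSystem.IsPresent
Write-Host "Service '$ServiceName' is configured to log on as: $startName"
```

The domain account must hold the "Log on as a service" user right; if the installer does not grant it, assign it through Group Policy before starting the service.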

For descriptions, advantages, and disadvantages of each type of account, see the following topics: