The SYSTEM Account

From SambaWiki
Revision as of 16:15, 26 February 2017 by Mmuehlfeld (talk | contribs) (New page about the SYSTEM account, explaining what it is in Windows, how it works, and why it is not necessary in file system ACLs on Samba shares.)


The SYSTEM account always uses the well-known security identifier (SID) S-1-5-18. Because this SID contains no domain SID component, the account is local to each Windows and Samba installation and is not a domain account. The SYSTEM account is also referred to as LocalSystem or NT AUTHORITY\SYSTEM.

In Windows, SYSTEM is used, for example, by local services on the Windows host to access files on the local file system. Because the SYSTEM account exists in every Windows installation, has no password, and in most cases has Full Control permissions on local NTFS file systems, it would be a security issue if this account could authenticate to network resources and access files there. When a local service that runs as SYSTEM accesses a network resource, Windows instead authenticates with the local machine's domain computer account (domain\computername$).


How the SYSTEM Account Is Used by a Windows Service

The following example describes how a Windows Active Directory (AD) domain member downloads and applies group policy objects (GPO):

  1. The local Group Policy Client service starts. The service runs locally using the SYSTEM account.
  2. The service authenticates to the domain controller's Sysvol share using the local machine's account in the domain, for example domain\computername$.
  3. If authentication was successful, the service downloads the Computer Configuration part of the GPOs.
  4. On the domain member, the service updates the registry and file system using the SYSTEM account.



Using the SYSTEM Account in File System ACLs

On Windows operating systems using the defaults, the SYSTEM account has Full Control permissions granted on the local NTFS system drive. Additionally, documentation often advises adding the account to file system access control lists (ACL) so that local services that use this account can access the files.

To be consistent with Windows, the internal SYSTEM account also exists in Samba, and you can use it when setting file system permissions using Windows ACLs. However, on a Unix host that runs Samba, the SYSTEM account is neither used by Samba nor available to the operating system. Therefore, you cannot run local services on the Samba host using the SYSTEM account.

For this reason, you can omit the SYSTEM account in file system ACLs on Samba shares. Leaving it in is harmless, but it grants nothing on the Samba host.
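The following shell script is an added example and is not part of this wiki page or of Samba itself. It works on a constructed sample ACL in the text format that smbcacls prints, finds the ACEs granted to SYSTEM (by name or, as smbcacls --numeric prints it, by SID S-1-5-18), builds the same ACL without them in the comma-separated form smbcacls --set accepts, and shows with a small SID check why S-1-5-18 cannot be a domain account. The server name, share name, path, the SAMDOM domain and the sample ACL are assumptions made for the example, not values from a real host.

```shell
#!/bin/sh
# Added example, not Samba code: audit an smbcacls-style ACL dump for SYSTEM
# ACEs and build the same ACL without them. Server, share, path, domain and
# the sample ACL below are constructed for illustration.

# Constructed sample in the format `smbcacls //server/share path` prints.
SAMPLE_ACL='REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:SAMDOM\Domain Users
ACL:BUILTIN\Administrators:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI/FULL
ACL:SAMDOM\Domain Users:ALLOWED/OI|CI/READ'

# A domain account SID looks like S-1-5-21-<sub1>-<sub2>-<sub3>-<RID>.
# S-1-5-18 has no such domain part, which is why SYSTEM is local to every host.
is_domain_sid() {
    case "$1" in
        S-1-5-21-[0-9]*-[0-9]*-[0-9]*-[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# True when a trustee, as printed by smbcacls (or by smbcacls --numeric),
# is the SYSTEM account.
is_system_trustee() {
    case "$1" in
        'NT AUTHORITY\SYSTEM'|SYSTEM|S-1-5-18) return 0 ;;
        *) return 1 ;;
    esac
}

# Trustee of an ACE line "ACL:<trustee>:<type>/<flags>/<mask>".
# Trustee names may contain a backslash but never a colon.
ace_trustee() {
    t=${1#ACL:}
    printf '%s\n' "${t%%:*}"
}

# Print only the ACEs granted to SYSTEM. The loops below read from a
# here-document rather than a pipe so they run in the current shell.
system_aces() {
    while IFS= read -r line; do
        case "$line" in
            ACL:*) if is_system_trustee "$(ace_trustee "$line")"; then printf '%s\n' "$line"; fi ;;
        esac
    done <<EOF
$1
EOF
    return 0
}

# Print the ACL dump with every SYSTEM ACE removed.
strip_system_aces() {
    while IFS= read -r line; do
        case "$line" in
            ACL:*) if ! is_system_trustee "$(ace_trustee "$line")"; then printf '%s\n' "$line"; fi ;;
            *) printf '%s\n' "$line" ;;
        esac
    done <<EOF
$1
EOF
    return 0
}

# Join an ACL dump into the comma-separated string smbcacls --set accepts.
# Refuses an ACL with no ALLOWED ACE, so a slip cannot lock every user out.
acl_set_arg() {
    allowed=0
    out=''
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case "$line" in
            ACL:*:ALLOWED/*) allowed=$((allowed + 1)) ;;
        esac
        out="${out:+$out,}$line"
    done <<EOF
$1
EOF
    if [ "$allowed" -eq 0 ]; then
        echo "refusing to build an ACL without any ALLOWED ACE" >&2
        return 1
    fi
    printf '%s\n' "$out"
}

# Demonstration on the constructed sample.
echo "SYSTEM ACEs found:"
system_aces "$SAMPLE_ACL"
echo "ACL string without them, for smbcacls -S:"
acl_set_arg "$(strip_system_aces "$SAMPLE_ACL")"

# Live use against a real share would look like this (hypothetical server,
# share and path; run as a user allowed to change the ACL):
#   current=$(smbcacls //samba.example.com/demo projects -U 'SAMDOM\administrator')
#   smbcacls //samba.example.com/demo projects -U 'SAMDOM\administrator' \
#       -S "$(acl_set_arg "$(strip_system_aces "$current")")"
```

Removing the SYSTEM ACE changes nothing for clients, because no process on the Samba host ever presents S-1-5-18; the guard in acl_set_arg exists because a share whose only remaining ACEs were SYSTEM entries would otherwise become unreadable for everyone.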



Further Resources

For further details about the SYSTEM account and how it is used in Windows, see the following Microsoft documentation: