TFS service accounts are one of the most important topics when installing and configuring TFS, because each service needs to run under an account that may require different permissions. It is preferable to use a different service account for each service, but you can still use the same domain or workgroup account for all services, or you can use a built-in system account such as Network Service. One reason for using Network Service is that you do not need to worry about service interruptions caused by password changes required by the password policy.
But as a best practice, and for better security, we should use dedicated service accounts. To understand service accounts, let's start from the beginning.
What are service accounts and why do we need them?
To understand the answer, let's first think about why we need user accounts at all.
We need user accounts so that multiple users can log in to the system, each with different privileges over the existing resources and applications, and also over network resources; see the following image.
What if I want to run an application, or in other words a background process (a service), without requiring any user to log in and without using one of our users' accounts and his/her password? See the following image.
So we need to create user accounts for our services (service accounts). Does that mean I have to create them myself?
No. There are some built-in user accounts that have no password and can be used directly; each built-in account has different properties and a different purpose; see the following image.
The built-in Local System user account has no password and a high level of access privileges; it is part of the Administrators group and it presents the computer's credentials to remote servers.
The built-in Network Service user account has fewer access privileges on the system than the Local System user account; it is part of the Users group, but it is still able to interact across the network using the credentials of the computer account.
The built-in Local Service user account has fewer access privileges still on the local computer; it is part of the Users group. Use the Local Service user account if the worker process does not require access outside the server on which it is running.
So how can I configure a service to use the Local System or Network Service account?
And how can I grant permissions on network resources to Network Service or Local System?
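The two questions above (switching a service to a built-in account, and granting that account access to a network resource) can both be answered from an elevated PowerShell prompt. The following is an added example and not part of the original post or of the TFS product documentation; the service name, domain, computer name and share path are placeholders you must replace with your own values. The key point it illustrates is that Network Service and Local System authenticate to remote servers as the computer account (DOMAIN\COMPUTERNAME$), so that is the principal you grant permissions to on the remote side:

```powershell
# Added example (not from the original post). Service name, domain, computer
# name and share path below are placeholders.

$ServiceName = 'MyBackgroundService'   # placeholder: the Windows service to reconfigure

# 1. Check which account the service currently logs on as (StartName).
Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" |
    Select-Object Name, StartName, StartMode, State

# 2. Make the service run as Network Service. No password is needed because it
#    is a built-in account. Other built-in values for obj= are
#    "NT AUTHORITY\LocalService" (Local Service) and "LocalSystem" (Local System).
#    Note: sc.exe requires the space after "obj=".
sc.exe config $ServiceName obj= "NT AUTHORITY\NetworkService"
Restart-Service -Name $ServiceName

# 3. On the remote file server, grant access to the *computer account* of the
#    machine running the service, not to "Network Service" itself. Run this
#    part on the server that hosts the share.
$ComputerAccount = 'CONTOSO\APPSERVER01$'   # placeholder: DOMAIN\COMPUTERNAME followed by $
$SharePath       = 'D:\Shares\BuildDrop'    # placeholder: local path of the shared folder
$ShareName       = 'BuildDrop'              # placeholder: SMB share name

# NTFS permission: read and execute, inherited by subfolders (CI) and files (OI).
icacls $SharePath /grant "${ComputerAccount}:(OI)(CI)(RX)"

# Share permission: read access for the same computer account.
Grant-SmbShareAccess -Name $ShareName -AccountName $ComputerAccount -AccessRight Read -Force

# 4. Confirm the service now runs under the intended account.
(Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'").StartName
```

If you instead switch the service to Local Service, step 3 does not apply: Local Service does not present the computer's credentials on the network, so remote resources cannot be granted to it, which is exactly why it is the right choice only when the service needs nothing outside its own server.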
So in the end we have three different built-in accounts: two of them can access the network, and they look the same to network resources because both present the computer account (Network Service and Local System), and two of them access local resources with least privileges (Local Service and Network Service); see the following image.