Local System vs. Network Service vs. Local Service and TFS Service Accounts

TFS service accounts are a very important topic when installing and configuring TFS, because each service needs to run under an account that might have different permissions. It is preferred to use different service accounts, but you can still use the same domain or workgroup account for all services, or you might use a system account such as Network Service. One reason for using Network Service is that you don’t need to worry about service interruption because of password policy changes.

But as a best practice and for better security, we should use service accounts. To understand service accounts, let’s start from the beginning.

What are service accounts and why do we need them?

To understand the answer, let’s think about why we need user accounts in the first place.

We need user accounts so that multiple users can log in to the system and have different privileges over the existing resources and applications, and also over network resources; see the following image.
[Image: Local System vs. Network Service vs. Local Service 2]

What if I want to run an application, or in other words a background process (a service), without needing any user to log in and without using any of our users’ accounts and passwords? See the following image.
[Image: Local System vs. Network Service vs. Local Service 3]

So we need user accounts for our services (service accounts). Does that mean I have to create them?

No, there are some built-in user accounts without a password that you can use directly. Each built-in account has different properties and a different purpose; see the following image.
[Image: Local System vs. Network Service vs. Local Service 5]

Local System:

The built-in Local System user account has no password, has a high level of access privileges; it is part of the Administrators group and it presents the computer’s credentials to remote servers.

Network Service:

The built-in Network Service user account has fewer access privileges on the system than the Local System user account; it is part of the Users group but the Network Service user account is still able to interact throughout the network with the credentials of the computer account.

Local Service:

The built-in Local Service user account has fewer access privileges on the local computer; it is part of the Users group. Use the Local Service user account if the worker process does not require access outside the server on which it is running.

So how can I configure the desired service to use Local System or Network Service accounts?

Double-click the service and, in the Log On tab, choose Local System, or choose Browse and type Network Service; see the following images.
[Image: Assign Local System account to service]
[Image: Assign Network Service to service]

So how can I grant permission for resources over the network for Network Service or Local System?

On the other PC (PC-2), just grant permission to the first PC (PC-1) using the PC name + “$” (PC-1$); see the following image.
[Image: Local System vs. Network Service vs. Local Service 4]
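The two steps above (setting a service’s log-on account, then granting PC-1’s computer account access on PC-2) can also be scripted. The PowerShell below is an added example, not part of the original post; the function names, the service name ExampleService, the folder D:\Drop, the domain CONTOSO and the choice of read-only access are assumptions.

```powershell
# Added example. 'ExampleService', 'D:\Drop' and 'CONTOSO\PC-1$' are placeholders.

# Report which account every service on this computer logs on as.
function Get-ServiceAccountSummary {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc  = $_
        $type = switch -Regex ([string]$svc.StartName) {
            '^LocalSystem$'                    { 'Local System'; break }
            '^NT AUTHORITY\\Network ?Service$' { 'Network Service'; break }
            '^NT AUTHORITY\\Local ?Service$'   { 'Local Service'; break }
            '^$'                               { 'Not set'; break }
            default                            { 'Custom account' }
        }
        [pscustomobject]@{ Name = $svc.Name; State = $svc.State
                           StartName = $svc.StartName; AccountType = $type }
    }
}

# Same change as the Log On tab: run a service as a built-in account (needs elevation).
function Set-ServiceBuiltInAccount {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)]
        [ValidateSet('LocalSystem', 'NT AUTHORITY\NetworkService', 'NT AUTHORITY\LocalService')]
        [string]$Account
    )
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found" }
    # Built-in accounts have no password, so StartPassword is an empty string.
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change `
        -Arguments @{ StartName = $Account; StartPassword = '' }
    if ($result.ReturnValue -ne 0) { throw "Change failed, code $($result.ReturnValue)" }
}

# On PC-2: let services running as Network Service or Local System on PC-1 read a folder.
function Grant-ComputerAccountRead {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$ComputerAccount)   # PC name + "$"
    if ($ComputerAccount -notmatch '\$$') { throw 'Computer account names end in $' }
    $acl  = Get-Acl -Path $Path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $ComputerAccount, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Read-only inventory: how many services use each kind of account.
Get-ServiceAccountSummary | Group-Object AccountType | Sort-Object Count -Descending |
    Select-Object Count, Name
# Set-ServiceBuiltInAccount -ServiceName 'ExampleService' -Account 'NT AUTHORITY\NetworkService'
# Grant-ComputerAccountRead -Path 'D:\Drop' -ComputerAccount 'CONTOSO\PC-1$'
```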

So in the end, we have 3 different built-in accounts: 2 of them can access the network and behave the same for network resources (Network Service and Local System), and 2 of them access local resources with least privileges (Local Service and Network Service); see the following image.
[Image: Local System vs. Network Service vs. Local Service 6]
