Meisina04: ページの作成:「= SYSTEMアカウント = The `SYSTEM` account uses the `S-1-5-18` security ID (SID). Because the SID does not contain the domain SID, the account…」

2019-02-28T06:30:36Z

ページの作成:「= SYSTEMアカウント = The <code>SYSTEM</code> account uses the <code>S-1-5-18</code> security ID (SID). Because the SID does not contain the domain SID, the account…」

新規ページ

= SYSTEMアカウント =

The <code>SYSTEM</code> account uses the <code>S-1-5-18</code> security ID (SID). Because the SID does not contain the domain SID, the account only exists locally in a Windows and Samba installation. The <code>SYSTEM</code> account is also named <code>LocalSystem</code> or <code>NT AUTHORITY\SYSTEM</code>.

In Windows, <code>SYSTEM</code> is used, for example, by local services on the Windows host to access files on the local file system. Because the <code>SYSTEM</code> account exists in every Windows installation, has no password set, and in most cases has <code>Full Control</code> permissions on local NTFS file systems, it would be a security issue, if this account could be used to authenticate to network resources and access files. If local services that use the <code>SYSTEM</code> account access network resources, the local machine's network account (<code>''domain''\''computername$''</code>) is used to authenticate to the network.

== How the <code>SYSTEM</code> Account Is Used by a Windows Service ==

The following example describes how a Windows Active Directory (AD) domain member downloads and applies group policy objects (GPO):
# The local <code>Group Policy Client</code> service starts. The service is executed locally using the <code>SYSTEM</code> account.
# The service authenticates to the domain controller's <code>Sysvol</code> share using local machine's account within the domain. For example, <code>''domain''\''computername$''</code>.
# If authentication was successful, the services downloads the <code>Computer Configuration</code> part of the GPOs.
# On the domain member, the service updates the registry and file system using the <code>SYSTEM</code> account.

{{Imbox
| type = note
| text = The <code>SYSTEM</code> account is never sent to a remote host to authenticate and for this reason never used to access a remote file system.
}}

= Using the <code>SYSTEM</code> Account in File System ACLs on a Samba Server =

On Windows operating systems using the defaults, the <code>SYSTEM</code> account has <code>Full Control</code> permissions granted on the local NTFS system drive. Additionally, documentation often advices to add the account to the file system access control lists (ACL) to enable local services, that are using this account, to access files.

To be consistent with Windows, the internal <code>SYSTEM</code> account also exists in Samba and you can use it when [[Setting_up_a_Share_Using_Windows_ACLs#Setting_ACLs_on_a_Folder|setting file system permissions using Windows ACLs]]. However, on a Unix host that runs Samba, the <code>SYSTEM</code> account is neither used by Samba, nor available to the operating system. Therefore, you cannot run local services on the Samba host using the <code>SYSTEM</code> account.

From the perspective of a Samba server you can omit the <code>SYSTEM</code> account in file system ACLs. However, certain Windows services validate ACLs on shares and expect defined ACLs, even if they are not explicitely used. If <code>SYSTEM</code> is not listed in the remote server's ACLs, using the share can fail, even if the user is allowed to access the required content. For example, this applies to:

* the <code>Sysvol</code> share
* user roaming profile shares

{{Imbox
| type = important
| text = For compatibility with Windows, add the <code>SYSTEM</code> account to file system ACLs.
}}

= Further Resources =

For further details about the <code>SYSTEM</code> account and how it is used in Windows, see the following Microsoft documentation:
* [https://support.microsoft.com/en-us/help/120929/how-the-system-account-is-used-in-windows How the System account is used in Windows]
* [https://msdn.microsoft.com/en-us/library/windows/desktop/ms684190(v=vs.85).aspx LocalSystem Account]
* [https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems Well-known security identifiers in Windows operating systems]

SYSTEMアカウント - 版の履歴

Meisina04: ページの作成:「= SYSTEMアカウント = The SYSTEM account uses the S-1-5-18 security ID (SID). Because the SID does not contain the domain SID, the account…」

Meisina04: ページの作成:「= SYSTEMアカウント = The `SYSTEM` account uses the `S-1-5-18` security ID (SID). Because the SID does not contain the domain SID, the account…」