When services run under the LocalSystem account, they authenticate to network resources using the machine account (MACHINENAME$). This is fundamentally different from regular user accounts and requires special permission handling.
// Example PowerShell to verify computer account name
$computerName = $env:COMPUTERNAME
Write-Output "Network identity will be: $computerName$"
In Windows environments, you can grant access through either:
- File Share permissions (SMB)
- NTFS permissions
:: Command Line Example (replace YOURSHARE and MACHINENAME)
net share YOURSHARE /grant:"MACHINENAME$",FULL
Domain Environment
In Active Directory domains, add the computer account to security groups:
# PowerShell to add computer to AD group
Add-ADGroupMember -Identity "FileShare_Access" -Members "CN=WS01,CN=Computers,DC=domain,DC=com"
Workgroup Environment
For standalone machines, you must explicitly grant permissions to the computer account:
icacls C:\SharedFolder /grant "NT AUTHORITY\SYSTEM:(OI)(CI)F"
Creating a Test Share with Computer Access
mkdir C:\DevShare
net share DevShare=C:\DevShare /grant:"%COMPUTERNAME%$",FULL
icacls C:\DevShare /grant "NT AUTHORITY\SYSTEM:(OI)(CI)F" "Everyone:(OI)(CI)R"
Verifying Access Rights
# PowerShell test script
$testPath = "\\localhost\DevShare\test.txt"
"Test content" | Out-File $testPath -Force
if (Test-Path $testPath) {
"Access confirmed for LocalSystem"
} else {
"Access denied"
}
- Computer accounts can't be used for interactive logins
- Kerberos authentication requires SPN configuration in domains
- LocalSystem has full local system privileges
When access issues occur:
- Check effective permissions using
whoami /priv - Audit security logs (Event ID 5145 for file access)
- Test with explicit machine account permissions
When dealing with service accounts in Windows, the LocalSystem account (NT AUTHORITY\SYSTEM) presents unique challenges for network resource access. Unlike regular user accounts, LocalSystem operates under the computer's machine account context when accessing network resources.
// Example of service running as LocalSystem
sc.exe create MyService binPath= "C:\service.exe" obj= "LocalSystem"
Key facts about LocalSystem's network behavior:
- Presents machine credentials (COMPUTERNAME$)
- Inherits permissions granted to the computer account
- Cannot be directly added to security principals like users
In domain environments, you would grant access to the computer account:
# PowerShell example for granting share access
Grant-SmbShareAccess -Name "SharedFolder" -AccountName "DOMAIN\COMPUTERNAME$" -AccessRight Full
For workgroup scenarios, you have several options:
Option 1: Using Computer Account in Share Permissions
net share DataShare=C:\Shared /GRANT:"COMPUTERNAME$",FULL
Option 2: Creating a Dedicated Service Account
For more controlled access:
# Create a service account
net user svc_networkaccess "P@ssw0rd" /add /expires:never
sc.exe config MyService obj= ".\svc_networkaccess" password= "P@ssw0rd"
Option 3: Using Everyone Group (Not Recommended)
While simple, this creates security risks:
icacls C:\Shared /grant Everyone:(OI)(CI)F
For services needing network access, ensure these registry values are set:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\YourService]
"ObjectName"="LocalSystem"
"Type"=dword:00000010 // SERVICE_WIN32_OWN_PROCESS
Common diagnostic commands:
# Check effective permissions
whoami /all
accesschk.exe -uv COMPUTERNAME$
# Test network access
psexec -s cmd.exe
net use Z: \\server\share
- Always prefer computer accounts over Everyone
- Use specific service accounts for sensitive operations
- Regularly audit computer account permissions
- Consider using managed service accounts in domain environments