Windows server 2003

Corinna Vinschen
Wed Apr 9 13:23:00 GMT 2003

On Wed, Apr 09, 2003 at 09:03:33AM -0400, Pierre A. Humblet wrote:
> Corinna,
> have you seen the thread
> <>
> It appears that Windows Server 2003 does not give the
> CreateToken privilege to the local system account.

Sounds weird.

> That's perhaps because security has been tightened on that box, see 
> <>
> <>
> and two new special accounts are present by default.

These two accounts aren't actually new.  XP already introduced them,
called "Local Service" (S-1-5-19) and "Network Service" (S-1-5-20).

However, the sense of all that was originally that these two accounts
are using lower privileges than the SYSTEM account has.  So the rule
is to start a service under the appropriate of these two accounts
instead of under SYSTEM if possible.

I didn't find a word about SYSTEM having less rights than before in the
above papers.  I don't see how that should work and somehow I can't see
a sense in that change.  I'll test that as soon as I get my hands on a
final 2003 Server version.

> Although I have been unable to find much, this issue will
> eventually need to be documented and to have a recommended
> solution. There must be a control panel or wizard somewhere.

There are "{Local/Domain/Domain Controller} Security Policy" MMC-Snapins
since W2K available.


Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                      
Red Hat, Inc.

More information about the Cygwin-developers mailing list