Re: ADAM - Domain Service Account V.S. Network Service



The advantage of using NetworkService is that all permissions are good by
default (on local machine and in AD).
The disadvantage is that you are sharing the service acct with many other
services on the box that are running as NS. If one of them is hacked, then
all of them are pretty much affected.

--
Dmitri Gavrilov
SDE, DS Admin eXperience

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:%233qoQiZLGHA.344@xxxxxxxxxxxxxxxxxxxxxxx
The only reason I can think of to use a different service account than
NETWORK SERVICE on a domain-joined box would be that there is an important
need to delegate permissions to the service account differently or you
need to set up SPNs in a specific way. For example, if you need multiple
instances of an ADAM instance using the same DNS name behind NLB and you
want them to all use the same SPN, you would want to use a specific
service account so it can get the SPN for the DNS name. I'm reaching
here.

Maybe Dmitri or Eric has some ideas here.

Joe K.

"Lee Flight" <lef@xxxxxxxxxxxxxxx> wrote in message
news:%23hgeRtXLGHA.3260@xxxxxxxxxxxxxxxxxxxxxxx
Hi

The only case I know of that "demands" a domain account is if you
are installing ADAM on a domain controller. I cannot think of
any other domain/forest scenarios where Network Service does not
cut it; that does not mean there are none :), maybe others will chip in
here...

On adding the cert, it's just a case of loading the Certificates
MMC for the ADAM instance and then setting the permission for
Network Service on the key file. One wrinkle that I am aware of
is that if running on Windows XP you cannot add permissions for the Network
Service account to the key file through the file system security GUI; my
notes say use:

cacls keyfilename /E /G "NT AUTHORITY\NetworkService":R


Lee Flight
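A scripted form of Lee's key-file step, added here as an example and not any poster's own code: it looks up the certificate by thumbprint, finds the CSP key container file under MachineKeys, grants the service account read only, and then verifies the ACL. The $Thumbprint and $ServiceAccount parameters and the MachineKeys path are assumptions; keys stored by CNG rather than a legacy CSP are detected and left for manual handling.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1 on the
# ADAM host and a certificate in LocalMachine\My whose private key lives in
# a legacy CSP container (the MachineKeys folder Lee's cacls line targets).
param(
    [Parameter(Mandatory)] [string] $Thumbprint,                     # assumption: operator supplies it
    [string] $ServiceAccount = 'NT AUTHORITY\NETWORK SERVICE'         # or a dedicated domain account
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key on this machine" }

# Only CSP keys expose the container file name; CNG keys throw or return
# something else here, so stop rather than guess at a path.
try   { $csp = $cert.PrivateKey -as [System.Security.Cryptography.RSACryptoServiceProvider] }
catch { $csp = $null }
if (-not $csp) { throw "Private key is not a legacy CSP key; locate the CNG key file manually" }

$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'   # assumption: default location
$keyFile     = Join-Path $machineKeys $csp.CspKeyContainerInfo.UniqueKeyContainerName
if (-not (Test-Path -Path $keyFile)) { throw "Key file not found: $keyFile" }

# Grant read only: the service must use the key, never replace or delete it.
& icacls.exe $keyFile /grant "${ServiceAccount}:R" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Verify that the resulting ACL actually carries an Allow/Read entry for the account.
$readMask = [int][System.Security.AccessControl.FileSystemRights]::Read
$entry = (Get-Acl -Path $keyFile).Access | Where-Object {
    $_.IdentityReference.Value -eq $ServiceAccount -and
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band $readMask) -ne 0)
}
if (-not $entry) { throw "ACL check failed: $ServiceAccount has no Allow/Read entry on $keyFile" }
Write-Output "Granted read on $keyFile to $ServiceAccount"
```

Run it with the thumbprint of the ADAM SSL certificate; pass -ServiceAccount when the instance runs under a dedicated domain account instead of Network Service.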
