title: Secure computer accounts | Azure Active Directory
3
-
description: A guide to helping secure on-premises computer accounts.
2
+
title: Secure on-premises computer accounts with Active Directory
3
+
description: A guide to help secure on-premises computer accounts, or LocalSystem accounts, with Active Directory
4
4
services: active-directory
5
-
author: janicericketts
5
+
author: jricketts
6
6
manager: martinco
7
7
ms.service: active-directory
8
8
ms.workload: identity
9
9
ms.subservice: fundamentals
10
10
ms.topic: conceptual
11
-
ms.date: 08/20/2022
11
+
ms.date: 02/03/2023
12
12
ms.author: jricketts
13
13
ms.reviewer: ajburnle
14
14
ms.custom: "it-pro, seodec18"
15
15
ms.collection: M365-identity-device-management
16
16
---
17
17
18
-
# Secure on-premises computer accounts
18
+
# Secure on-premises computer accounts with Active Directory
19
19
20
-
A computer account, or LocalSystem account, is a built-in, highly privileged account with access to virtually all resources on the local computer. The account is not associated with any signed-on user account. Services run as LocalSystem access network resources by presenting the computer's credentials to remote servers in the format <domain_name>\\<computer_name>$. The computer account's predefined name is NT AUTHORITY\SYSTEM. You can use it to start a service and provide security context for that service.
20
+
A computer account, or LocalSystem account, is highly privileged with access to almost all resources on the local computer. The account isn't associated with signed-on user accounts. Services run as LocalSystem access network resources by presenting the computer credentials to remote servers in the format `<domain_name>\\<computer_name>$`. The computer account predefined name is `NT AUTHORITY\SYSTEM`. You can start a service and provide security context for that service.
21
21
22
-

22
+

23
23
24
24
## Benefits of using a computer account
25
25
26
-
A computer account provides the following benefits:
26
+
A computer account has the following benefits:
27
27
28
-
***Unrestricted local access**: The computer account provides complete access to the machine’s local resources.
28
+
***Unrestricted local access** - the computer account provides complete access to the machine's local resources
29
+
***Automatic password management** - removes the need for manually changed passwords. The account is a member of Active Directory, and its password is changed automatically. With a computer account, there's no need to register the service principal name.
30
+
***Limited access rights off-machine** - the default access-control list in Active Directory Domain Services (AD DS) permits minimal access to computer accounts. During access by an unauthorized user, the service has limited access to network resources.
29
31
30
-
***Automatic password management**: Removes the need for you to manually change passwords. The account is a member of Active Directory, and the account password is changed automatically. Using a computer account eliminates the need to register the service principal name for the service.
32
+
## Computer account security-posture assessment
31
33
32
-
***Limited access rights off-machine**: The default access-control list in Active Directory Domain Services (AD DS) permits minimal access to computer accounts. In the event of access by an unauthorized user, the service would have only limited access to resources on your network.
33
-
34
-
## Assess the security posture of computer accounts
35
-
36
-
Some potential challenges and associated mitigations when you use a computer account are listed in the following table:
34
+
Use the following table to review potential computer-account issues and mitigations.
37
35
38
-
|Issue| Mitigation |
36
+
|Computer-account issue| Mitigation |
39
37
| - | - |
40
-
| Computer accounts are subject to deletion and re-creation when the computer leaves and rejoins the domain. | Validate the need to add a computer to an Active Directory group, and verify which computer account has been added to a group by using the example scripts in the next section of this article.|
41
-
| If you add a computer account to a group, all services that run as LocalSystem on that computer are given the access rights of the group.| Be selective about the group memberships of your computer account. Avoid making a computer account a member of any domain administrator groups, because the associated service has complete access to AD DS. |
42
-
| Improper network defaults for LocalSystem. | Do not assume that the computer account has the default limited access to network resources. Instead, check group memberships for the account carefully. |
43
-
| Unknown services that run as LocalSystem. | Ensure that all services that run under the LocalSystem account are Microsoft services or trusted services from third parties. |
44
-
|||
38
+
| Computer accounts are subject to deletion and re-creation when the computer leaves and rejoins the domain. | Confirm the requirement to add a computer to an Active Directory group. To verify computer accounts added to a group, use the scripts in the following section.|
39
+
| If you add a computer account to a group, services that run as LocalSystem on that computer get group access rights.| Be selective about computer-account group memberships. Don't make a computer account a member of a domain administrator group. The associated service has complete access to AD DS. |
40
+
| Inaccurate network defaults for LocalSystem. | Don't assume the computer account has the default limited access to network resources. Instead, confirm group memberships for the account. |
41
+
| Unknown services that run as LocalSystem. | Ensure services that run under the LocalSystem account are Microsoft services, or trusted services. |
45
42
46
-
## Find services that run under the computer account
43
+
## Find services and computer accounts
47
44
48
-
To find services that run under the LocalSystem context, use the following PowerShell cmdlet:
45
+
To find services that run under the computer account, use the following PowerShell cmdlet:
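Review bot: the rewritten intro paragraph drops the subject of its last sentence: "You can use it to start a service and provide security context for that service" became "You can start a service and provide security context for that service", which no longer says that the computer account is what supplies the security context; suggest "You can use the account to start a service and provide the security context for that service." While touching that paragraph, "Services run as LocalSystem access network resources" (carried over from the old text) reads better as "Services running as LocalSystem access network resources". In the benefits list the items render as `***Unrestricted local access** - ...` with no space between the bullet marker and the bold text; confirm the source reads `* **Unrestricted local access**`, or the asterisks will not render as a bullet plus bold. In the group-membership row of the table, splitting "Avoid making a computer account a member of any domain administrator groups, because the associated service has complete access to AD DS" into two sentences loses the causal link, so "The associated service has complete access to AD DS." now reads as an unconditional statement about every computer account; suggest "Don't make a computer account a member of a domain administrator group, because the associated service would then have complete access to AD DS."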
@@ -63,21 +60,21 @@ To find computer accounts that are members of identity administrators groups (do
63
60
Get-ADGroupMember -Identity Administrators -Recursive | Where objectClass -eq "computer"
64
61
```
65
62
66
-
## Move from computer accounts
63
+
## Computer account recommendations
67
64
68
65
> [!IMPORTANT]
69
-
> Computer accounts are highly privileged accounts and should be used only when your service needs unrestricted access to local resources on the machine and you can't use a managed service account (MSA).
70
-
71
-
* Check with your service owner to see whether their service can be run by using an MSA, and use a group managed service account (gMSA) or a standalone managed service account (sMSA) if your service supports it.
66
+
> Computer accounts are highly privileged, therefore use them if your service requires unrestricted access to local resources, on the machine, and you can't use a managed service account (MSA).
72
67
73
-
* Use a domain user account with only the permissions that you need to run your service.
68
+
* Confirm the service owner's service runs with an MSA
69
+
* Use a group managed service account (gMSA), or a standalone managed service account (sMSA), if your service supports it
70
+
* Use a domain user account with the permissions needed to run the service
74
71
75
72
## Next steps
76
73
77
74
To learn more about securing service accounts, see the following articles:
78
75
79
-
*[Introduction to on-premises service accounts](service-accounts-on-premises.md)
76
+
*[Securing on-premises service accounts](service-accounts-on-premises.md)
80
77
*[Secure group managed service accounts](service-accounts-group-managed.md)
81
78
*[Secure standalone managed service accounts](service-accounts-standalone-managed.md)
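Review bot: the reworded IMPORTANT callout drops the "only" restriction from the original ("should be used only when your service needs unrestricted access ... and you can't use a managed service account") and now reads as a recommendation to use computer accounts ("therefore use them if your service requires ..."), which weakens the guidance for a highly privileged account; suggest "> Computer accounts are highly privileged. Use them only when your service requires unrestricted access to local resources on the machine and you can't use a managed service account (MSA)." (this also removes the stray commas around "on the machine"). The first bullet, "Confirm the service owner's service runs with an MSA", changes the meaning of "Check with your service owner to see whether their service can be run by using an MSA": it now asserts that the service already runs with an MSA instead of asking whether it can; suggest "Check with the service owner whether the service can run with an MSA". In Next steps the links render as `*[Securing on-premises service accounts](...)` with no space after the bullet marker; confirm the source reads `* [Securing on-premises service accounts](...)`.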