About the Network Service Account in Configuration Manager
Updated: April 1, 2011
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
Microsoft System Center Configuration Manager 2007 uses the Network Service account to run the SMS_System_Health_Validator service on the Network Policy Server when it is configured as the Configuration Manager 2007 System Health Validator point. The Network Service account is a special built-in account that has reduced privileges similar to an authenticated user account. This limited access helps safeguard the computer if an attacker compromises individual services or processes.
Configuration Manager 2007 also uses this security context to connect to Active Directory Domain Services resources in trusted domains, although the connection is made using the Domain\computer$ account. If the System Health Validator point needs to connect to Active Directory Domain Services resources in domains with no trust relationships, you must configure the System Health Validator Publishing account or the System Health Validator Querying account.
Required Rights and Permissions
The Network Service account uses the computer's credentials when it authenticates remotely, but it has a greatly reduced privilege level on the server itself and, therefore, does not have local administrator privileges. Configuration Manager 2007 does not require the Network Service account to have any rights or permissions except the default permissions assigned by the operating system. Removing the default rights or permissions from the Network Service account might cause Configuration Manager 2007 to stop functioning properly.
This account requires Read access to the Configuration Manager 2007 Systems Management container in the Global Catalog server.
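The following PowerShell check is an added example, not part of the original documentation or of Configuration Manager. It confirms that the SMS_System_Health_Validator service named above logs on as Network Service and that the account has not been added directly to the local Administrators group. The function name Test-ShvServiceAccount is hypothetical, and only direct group membership is inspected.

```powershell
# Added example: audit the logon account of the System Health Validator service.
# Test-ShvServiceAccount is a hypothetical name; run it on the System Health Validator point.
function Test-ShvServiceAccount {
    param([string]$ServiceName = 'SMS_System_Health_Validator')  # service name as given on this page

    # Well-known SIDs, so the check does not depend on localized account names.
    $networkServiceSid = 'S-1-5-20'       # NT AUTHORITY\NetworkService
    $adminsSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'

    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' was not found on this computer." }

    # Resolve the configured logon account to a SID and compare it with Network Service.
    $logonAccount = New-Object System.Security.Principal.NTAccount $svc.StartName
    $logonSid = $logonAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $runsAsNetworkService = ($logonSid -eq $networkServiceSid)

    # Enumerate direct members of the local Administrators group by SID.
    $adminsName = $adminsSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[1]
    $group = [ADSI]"WinNT://./$adminsName,group"
    $memberSids = @($group.psbase.Invoke('Members') | ForEach-Object {
        $bytes = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
        (New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $bytes, 0).Value
    })
    $isLocalAdmin = $memberSids -contains $networkServiceSid

    # Return one object so the result can be logged or compared across servers.
    New-Object PSObject -Property @{
        Service               = $svc.Name
        LogonAccount          = $svc.StartName
        RunsAsNetworkService  = $runsAsNetworkService
        NetworkServiceIsAdmin = $isLocalAdmin
        Compliant             = ($runsAsNetworkService -and -not $isLocalAdmin)
    }
}

Test-ShvServiceAccount | Format-List
```

A result with Compliant set to False means either the service logon account was changed or Network Service was granted local administrator membership, both of which depart from the default described in this section.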
Account and Password Creation
The account is automatically created as NT AUTHORITY\NetworkService, and it does not have a password that an administrator needs to manage.
This account is automatically created as a local account on Microsoft Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 server operating systems, and on Windows XP, Windows Vista, and Windows 7 client operating systems.
No maintenance is required for this system account.