dbTalk Databases Forums  

Pros & Cons of running service under local system account

sybase.public.sqlanywhere.general


Justin Willey
 

Pros & Cons of running service under local system account - 12-10-2003 , 11:22 AM






Can anyone point me to a doc, or perhaps explain, the benefits or otherwise
of running the database engine service under the Local System Account. We
have had occasional issues when running under the local system account (v6,
v7, v8 on Win2K server) where calls from the database engine to external
applications run into problems when those applications in turn access other
resources (e.g. COM objects) that use network resources. The problem seems
only to occur when the database server itself is in a workgroup rather than
a Windows domain.

If run under an administrator account everything works OK, so it seems that
in Win2K the local system account has access to some network resources if
part of a domain, but not if part of a workgroup. One possibility would seem
to be to create a user account for running the database service - what user
rights does such an account use? Are there disadvantages to running under an
account other than local system? Is there any disadvantage to running the
service under the administrator account?

Any help appreciated!

Justin Willey



Chris Keating (iAnywhere Solutions)
 

Re: Pros & Cons of running service under local system account - 12-15-2003 , 12:02 AM






It is my understanding that you can configure LOCAL SYSTEM and as such
affect what resources it can access. Perhaps the DOMAIN login gives LOCAL
SYSTEM different access rights than a WORKGROUP login. As I am not a Windows
admin, I cannot guess what would need to be changed and how to allow for
LOCAL SYSTEM to have increased visibility.

You can run the service and use a specific account for login purposes, in
your case Administrator. However, the key concern is that the service now has
increased security risks since it exposes more. If you find a situation where
LOCAL SYSTEM privileges are insufficient, create an account that exposes as
little of the environment as possible rather than a more wide open account.
I would particularly avoid using an account based on Administrator as it is my
understanding that some hackers make use of the Administrator account.


--

Chris Keating
Sybase Adaptive Server Anywhere Professional Version 8

Martin Baur
 

Re: Pros & Cons of running service under local system account - 12-15-2003 , 07:10 AM



In article <3fd75659@forums-1-dub>, gjw (AT) nospamatall (DOT) iqx.co.uk says...
Quote:
> v7 , v8 on Win2K server) where calls from the database engine to external
> applications run into problems when those applications in turn access other
> resources (eg COM objects) that use network resources. The problem seems
> only to occur when the database server itself is in a workgroup rather than

LOCAL SYSTEM has no access to network resources, because there is no user impersonated which can be used on other systems to tailor the access rights.

There is a way to circumvent this: Go and find the term NULL SESSION in some knowledge base. As far as I can remember, this is the way to achieve what you want. However, the trade-off is of course less security.

As otherwise recommended already, create a new account with the appropriate ACLs and there you go with network resources ...


Martin
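
To see which services on a host currently log on as LocalSystem or as a member of the local Administrators group (the candidates for the dedicated, limited account recommended in the replies above), an audit along these lines can be used. It is an added example, not code from the thread; the function name `Get-LogonAccountClass` and the `$ServiceFilter` variable are assumptions, and it needs Windows PowerShell 5.1 or later for `Get-LocalGroupMember`.

```powershell
# Added example (not from the thread): classify the logon account of each service.
function Get-LogonAccountClass {
    param(
        [string]$StartName,             # value of Win32_Service.StartName
        [string[]]$AdminMembers = @()   # names of local Administrators members
    )
    if ([string]::IsNullOrWhiteSpace($StartName)) { return 'Unknown' }
    if ($StartName -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$') { return 'LocalSystem' }
    if ($StartName -match '^NT AUTHORITY\\(LocalService|NetworkService)$') {
        return 'BuiltInLimited'
    }

    # Services store local accounts as ".\name"; group members are listed as "HOST\name".
    $full = $StartName -replace '^\.\\', ($env:COMPUTERNAME + '\')
    if ($AdminMembers -contains $full) { return 'Administrator' }
    return 'DedicatedAccount'
}

# Direct members of the local Administrators group, looked up by its well-known SID.
# Limitation: nested groups (for example a domain group) are not expanded here.
$admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object { $_.Name })

# Assumption: '*' audits every service; set this to your database service name to narrow it.
$ServiceFilter = '*'

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -like $ServiceFilter } |
    Select-Object Name, State, StartName,
        @{ Name = 'AccountClass'
           Expression = { Get-LogonAccountClass -StartName $_.StartName -AdminMembers $admins } } |
    Where-Object { $_.AccountClass -in 'LocalSystem', 'Administrator' } |
    Sort-Object AccountClass, Name |
    Format-Table -AutoSize
```

Services reported as `Administrator` are the ones to move first to an account that holds only the rights and ACLs the service needs.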

