Exchange Services Run Under LocalSystem (239762)

The information in this article applies to:

  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Exchange Server 2003 Standard Edition
  • Microsoft Exchange 2000 Server
  • Microsoft Windows Small Business Server 2003, Premium Edition
  • Microsoft Windows Small Business Server 2003, Standard Edition

This article was previously published under Q239762

SUMMARY

Exchange services start under the LocalSystem security context rather than under a specific user account (and password) assigned to them. This way, no password change or user account deletion can prevent Exchange from functioning properly. When an Exchange service running as LocalSystem accesses a remote server, Microsoft Windows 2000 authenticates it using the credentials of the server's machine account.

MORE INFORMATION

In both Microsoft Windows NT 4.0 and Windows 2000, there is an account called a machine account, which is a user account with a flag set to indicate that it is a machine account. Therefore, this account has all the attributes and functionality of a regular user account.

The machine account is used by the workstation to establish a secure channel to the domain controller (DC). As both the workstation and the DC know the password, the workstation can easily generate a session key, encrypt it with the password, send it to the DC, and then use the session key to secure all communications with the DC. User logons and change-password communications with the DC are done over this secure channel; because the channel is secure, passwords can be transmitted over it.

The password on the machine account is changed every seven days using the standard change-password mechanism. This makes the machine account much more secure than a typical user account where the password is not only changed less frequently, but is also likely to be less random than a randomly generated machine account password.

A new Global group has been created called "Exchange Domain Servers." Exchange 2000 Setup adds the server's machine account to this group when you install the server and removes it when you uninstall the server. The "Exchange Domain Servers" group is added as a member to all necessary groups and Access Control Lists so that Exchange services can read and write all necessary information in Active Directory.
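The following PowerShell script is an added example, not part of the original KB article: run on a domain-joined Exchange server (assumed to have PowerShell 3.0 or later and read access to Active Directory), it checks the three conditions this article describes: that the Exchange services start as LocalSystem, that the machine account's password is being rotated and the secure channel to the DC is healthy, and that the machine account is a member of "Exchange Domain Servers".

```powershell
# Added example (not from the KB): verify the LocalSystem / machine-account setup
# this article describes. Assumes PowerShell 3.0+, a domain-joined Exchange server,
# and read access to Active Directory.

# 1. Exchange services and the account each one starts under.
#    The KB expects LocalSystem; any other StartName is flagged for review.
Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE 'MSExchange%'" |
    Select-Object Name, StartName, State,
        @{ Name = 'RunsAsLocalSystem'; Expression = { $_.StartName -eq 'LocalSystem' } } |
    Format-Table -AutoSize

# 2. The secure channel to the DC is established with the machine account password.
$secureChannel = Test-ComputerSecureChannel
"Secure channel to domain controller healthy: $secureChannel"

# 3. Look up this server's machine account in Active Directory via ADSI.
$samName  = "$env:COMPUTERNAME`$"
$searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$samName))"
$null     = $searcher.PropertiesToLoad.AddRange(@('pwdLastSet', 'memberOf'))
$result   = $searcher.FindOne()
if (-not $result) { throw "Machine account $samName not found in Active Directory." }

# pwdLastSet is a FILETIME. The KB says the machine account password is rotated
# automatically, so a large age here means the rotation is not happening.
$pwdLastSet = [DateTime]::FromFileTime([Int64]$result.Properties['pwdlastset'][0])
$ageDays    = [int]((Get-Date) - $pwdLastSet).TotalDays
"Machine account password last set: $pwdLastSet ($ageDays days ago)"

# Exchange Setup adds the machine account to "Exchange Domain Servers"; without
# this membership the LocalSystem services cannot read or write their AD data.
$groups   = @($result.Properties['memberof'])
$isMember = ($groups | Where-Object { $_ -like 'CN=Exchange Domain Servers,*' }).Count -gt 0
"Member of Exchange Domain Servers: $isMember"
```

A password age well beyond the rotation interval, or a missing group membership, points to a broken secure channel or an incomplete Setup rather than a problem with the services themselves.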

Modification Type: Minor
Last Reviewed: 4/25/2005
Keywords:kbinfo KB239762