I have written a Windows service that spawns a separate process. That process creates a COM object. If the service runs under the "Local System" account, everything works fine, but if the service runs under the "Network Service" account, the external process starts but fails to create the COM object. The error returned by the COM object creation is not a standard COM error (I think it is specific to the COM object being created).
So how can I find out how the two accounts, "Local System" and "Network Service", differ? These built-in accounts seem very mysterious, and nobody seems to know much about them.
Current answer
Since there is so much confusion about what the standard service accounts can do, I'll try a quick run-through.
First, the actual accounts:

LocalService account (preferred)
A limited service account that is very similar to Network Service and meant to run standard least-privileged services. However, unlike Network Service, it accesses the network as an Anonymous user.
- Name: NT AUTHORITY\LocalService
- the account has no password (any password information you provide is ignored)
- HKCU represents the LocalService user account
- has minimal privileges on the local computer
- presents anonymous credentials on the network
- SID: S-1-5-19
- has its own profile under the HKEY_USERS registry key (HKEY_USERS\S-1-5-19)

NetworkService account
Limited service account that is meant to run standard privileged services. This account is far more limited than Local System (or even Administrator) but still has the right to access the network as the machine (see caveat below).
- Name: NT AUTHORITY\NetworkService
- the account has no password (any password information you provide is ignored)
- HKCU represents the NetworkService user account
- has minimal privileges on the local computer
- presents the computer's credentials (e.g. MANGO$) to remote servers
- SID: S-1-5-20
- has its own profile under the HKEY_USERS registry key (HKEY_USERS\S-1-5-20)
- if trying to schedule a task using it, enter NETWORK SERVICE into the Select User or Group dialog

LocalSystem account (dangerous, don't use!)
Completely trusted account, more so than the administrator account. There is nothing on a single box that this account cannot do, and it has the right to access the network as the machine (this requires Active Directory and granting the machine account permissions to something).
- Name: .\LocalSystem (can also use LocalSystem or ComputerName\LocalSystem)
- the account has no password (any password information you provide is ignored)
- SID: S-1-5-18
- does not have any profile of its own (HKCU represents the default user)
- has extensive privileges on the local computer
- presents the computer's credentials (e.g. MANGO$) to remote servers

When the above talks about accessing the network, it refers only to SPNEGO (Negotiate), NTLM and Kerberos, and not to any other authentication mechanism. For example, a process running as LocalService can still access the Internet.
The general issue with running as a standard out-of-the-box account is that if you modify any of the default permissions, you're expanding the set of things everything running as that account can do. So if you grant DBO to a database, not only can your service running as Local Service or Network Service access that database, but everything else running as those accounts can too. If every developer does this, the computer will have a service account that has permissions to do practically anything (more specifically, the superset of all of the different additional privileges granted to that account).
From a security standpoint, running as your own service account is always preferable: an account that has exactly the permissions you need and does only what your service does. However, the cost of this approach is setting up the service account and managing the password. This is a balancing act every application needs to handle.
In your specific case, the issue you are probably seeing is that DCOM or COM+ activation is limited to a given set of accounts. In Windows XP SP2, Windows Server 2003, and above, the Activation permission was restricted significantly. You should use the Component Services MMC snap-in to examine your specific COM object and see the activation permissions. If you're not accessing anything on the network as the machine account, you should seriously consider using Local Service (not Local System, which is basically the operating system).
In Windows Server 2003 you cannot run a scheduled task as NT_AUTHORITY\LocalService (aka the Local Service account) or NT AUTHORITY\NetworkService (aka the Network Service account). That capability was only added with Task Scheduler 2.0, which only exists in Windows Vista/Windows Server 2008 and newer.
A service running as NetworkService presents the machine's credentials on the network. This means that if your computer is named mango, it will appear as the machine account mango$:
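The answer above recommends checking which account a service runs under, how many other services share that built-in account (the "superset of privileges" problem), and what the DCOM activation permissions on the COM object's AppID look like. The following PowerShell script is an added example that is not part of the original answer: it resolves a service's logon account to its SID and profile hive, lists how many services share each logon account, and decodes the LaunchPermission ACL stored under the AppID registry key (falling back to the machine-wide DefaultLaunchPermission when the AppID has none). It assumes a Windows host with PowerShell 5.1 or later and read access to HKLM\SOFTWARE\Classes\AppID; the AppID GUID in the usage lines is a placeholder to be replaced with the real one from the Component Services snap-in.

```powershell
# Added example, not from the original answer. Assumes Windows PowerShell 5.1+
# and read access to HKLM\SOFTWARE\Classes\AppID. The AppID GUID used at the
# bottom is a placeholder.

# Well-known SIDs of the three built-in service accounts and the hive each uses.
$BuiltInServiceAccounts = @{
    'S-1-5-18' = @{ Name = 'LocalSystem';                 Hive = 'none (HKCU = default user)' }
    'S-1-5-19' = @{ Name = 'NT AUTHORITY\LocalService';   Hive = 'HKEY_USERS\S-1-5-19' }
    'S-1-5-20' = @{ Name = 'NT AUTHORITY\NetworkService'; Hive = 'HKEY_USERS\S-1-5-20' }
}

# Resolve the logon account of one service (Win32_Service.StartName) to a SID.
function Get-ServiceAccountSid {
    param([Parameter(Mandatory)][string]$ServiceName)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found" }
    # SCM stores LocalSystem as the literal string "LocalSystem"; LookupAccountName
    # wants "NT AUTHORITY\SYSTEM". A leading ".\" means the local machine.
    $account = switch -Wildcard ($svc.StartName) {
        'LocalSystem' { 'NT AUTHORITY\SYSTEM' }
        '.\*'         { "$env:COMPUTERNAME\$($svc.StartName.Substring(2))" }
        default       { $svc.StartName }
    }
    $sid = ([System.Security.Principal.NTAccount]$account).Translate(
              [System.Security.Principal.SecurityIdentifier])
    [pscustomobject]@{
        Service = $svc.Name
        Account = $svc.StartName
        Sid     = $sid.Value
        Hive    = $BuiltInServiceAccounts[$sid.Value].Hive   # $null for non-built-in accounts
    }
}

# How many services share each logon account: any permission you widen for a
# built-in account applies to every one of these services, not just yours.
function Get-SharedServiceAccounts {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName } |
        Group-Object -Property StartName |
        Sort-Object -Property Count -Descending |
        Select-Object @{ n = 'Account'; e = { $_.Name } }, Count,
                      @{ n = 'Services'; e = { ($_.Group.Name | Sort-Object) -join ', ' } }
}

# DCOM access-mask bits used in launch/activation permission ACEs.
$ComRights = [ordered]@{
    Execute        = 0x01
    ExecuteLocal   = 0x02
    ExecuteRemote  = 0x04
    ActivateLocal  = 0x08
    ActivateRemote = 0x10
}

# Decode the LaunchPermission security descriptor of an AppID. When the AppID
# key carries no LaunchPermission value, DCOM uses the machine-wide default.
function Get-DcomLaunchPermission {
    param([Parameter(Mandatory)][string]$AppId)
    $key    = "HKLM:\SOFTWARE\Classes\AppID\$AppId"
    $source = $key
    $bytes  = (Get-ItemProperty -Path $key -Name LaunchPermission -ErrorAction SilentlyContinue).LaunchPermission
    if (-not $bytes) {
        $source = 'HKLM:\SOFTWARE\Microsoft\Ole\DefaultLaunchPermission'
        $bytes  = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name DefaultLaunchPermission).DefaultLaunchPermission
    }
    # The registry value is a self-relative security descriptor in binary form.
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid  = $ace.SecurityIdentifier
        $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        $rights = ($ComRights.GetEnumerator() |
                   Where-Object { $ace.AccessMask -band $_.Value } |
                   ForEach-Object { $_.Key }) -join ','
        [pscustomobject]@{
            Source    = $source
            AceType   = $ace.AceType        # AccessAllowed / AccessDenied
            Principal = $name
            Sid       = $sid.Value
            Rights    = $rights
        }
    }
}

# Usage. W32Time is a real service that normally runs as LocalService; the AppID
# GUID is a placeholder, take the real one from Component Services.
Get-SharedServiceAccounts | Format-Table -AutoSize
Get-ServiceAccountSid -ServiceName 'W32Time'
Get-DcomLaunchPermission -AppId '{00000000-0000-0000-0000-000000000000}' | Format-Table -AutoSize
```

If the service's SID (or a group containing it, such as Everyone or Authenticated Users) has no AccessAllowed ACE with ActivateLocal on the AppID, activation from that account fails, which matches the symptom in the question. The remedy that keeps the blast radius small is to grant ActivateLocal on that one AppID to a dedicated service account rather than to Network Service as a whole.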