Exchange Services Run Under LocalSystem

Article translations Article translations
Article ID: 239762 - View products that this article applies to.
This article was previously published under Q239762
Expand all | Collapse all


Exchange services are started under the LocalSystem security context rather than associating a specific user account (and password) to start these services. This way, no password changes or user account deletions will cause a problem or prevent Exchange from functioning properly. When an Exchange service that is running as "LocalSystem" accesses a remote server, Microsoft Windows 2000 authenticates it using the "credential" of the machine account of the server.


In both Microsoft Windows NT 4.0 and Windows 2000, there is an account called a machine account, which is a user account with a flag set to indicate that it is a machine account. Therefore, this account has all the attributes and functionality of a regular user account.

The machine account is used by the workstation to establish a secure channel to the domain controller (DC). As both the workstation and the DC know the password, the workstation can easily generate a session key, encrypt it with the password, send it to the DC, and then use the session key to secure all communications with the DC. User logons and change-password communications with the DC are done over this secure channel; because the channel is secure, passwords can be transmitted over it.

The password on the machine account is changed every seven days using the standard change-password mechanism. This makes the machine account much more secure than a typical user account where the password is not only changed less frequently, but is also likely to be less random than a randomly generated machine account password.

A new Global group has been created called "Exchange Domain Servers." Exchange 2000 Setup adds its machine account to this group when you install the server and removes it when you uninstall the server. The "Exchange Domain Servers" group is added as a member to all necessary groups and Access Control Lists to allow Exchange services to read from and write all necessary information to Active Directory.


Article ID: 239762 - Last Review: December 3, 2007 - Revision: 4.5
  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Exchange Server 2003 Standard Edition
  • Microsoft Exchange 2000 Server Standard Edition
  • Microsoft Windows Small Business Server 2003 Premium Edition
  • Microsoft Windows Small Business Server 2003 Standard Edition
kbinfo KB239762

Give Feedback


Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from