local system account
Hi Experts, I met a strange problem with the local system account. My OS was Windows Server 2008, and an IBM Tivoli agent was installed on it. Normally, the service logs on with the local system account to add users into AD. But I do not know what happened to the system; the local system account cannot be used anymore. From the Tivoli side, I got an error: "Create user failed. Error creating user account for aaaaaa3. Error: 0x80070005 - Access is denied." I tried to reinstall the agent on Windows, but it did not help. The only workaround I could find was to set the logon to administrator or to a user belonging to the administrators group. As I know, the local system account can do anything on the local machine, but why can't it be used to add users into AD?? Thanks so much!
July 30th, 2012 9:52pm

Hello, this seems to be a user privilege issue in IBM Tivoli Identity Manager. A helpful discussion for your reference: http://www.ibm.com/developerworks/forums/thread.jspa?threadID=390222
Regards, Ravikumar P
July 31st, 2012 3:30am

"As I know, the local system account can do anything on the local machine, but why can't it be used to add users into AD?? Thanks so much!"
Your statement itself has the answer to your question :-) The System account will have privileges only on the local machine to which it belongs; you need a domain account with appropriate permissions which can add/modify the records in Active Directory. Instead of a local account, use a domain service account, make sure the service account has local admin permissions on the machine in question, and you should not have access denied issues. I am no expert on Tivoli products, so I won't be able to comment on that. If you need a second opinion, you might want to post the query in the Tivoli forums. The link posted by Ravikumar might as well help in your case.
I do not represent the organisation I work for, all the opinions expressed here are my own. This posting is provided "AS IS" with no warranties or guarantees and confers no rights. - .... .- -. -.- ... --..-- ... .- -. - --- ... ....
July 31st, 2012 4:26am

Thanks so much!
August 1st, 2012 2:11am

Hi, thanks for your kind reply. But I still have something unclear in my mind, and I'm longing for your help to clarify it. As you mentioned, the IBM Tivoli agent should use a domain user or a service user with appropriate rights to perform actions on AD. But if there is only one domain controller in the domain, that means there is only one AD in the domain. In that case, should the local system account on that DC have rights to access its own AD?? And in the past, the local system account could be used to access AD, but I've no idea when or what changed to impact the account so that it cannot be used anymore... :(
August 1st, 2012 3:09am

One advantage of running under the LocalSystem account is that the service has complete unrestricted access to local resources. This is also the disadvantage of LocalSystem because a LocalSystem service can do things that would bring down the entire system. In particular, a service running as LocalSystem on a domain controller (DC) has unrestricted access to Active Directory Domain Services. This means that bugs in the service, or security attacks on the service, can damage the system or, if the service is on a DC, damage the entire enterprise network. For these reasons, domain administrators at sensitive installations will be cautious about allowing services to run as LocalSystem. In fact, they may have policies against it, especially on DCs. If your service must run as LocalSystem, the documentation for your service should justify to domain administrators the reasons for granting the service the right to run at elevated privileges. Services should never run as LocalSystem on a domain controller. When a service runs under the LocalSystem account on a computer that is a domain member, the service has whatever network access is granted to the computer account, or to any groups of which the computer account is a member.
Ref: http://msdn.microsoft.com/en-us/library/windows/desktop/ms677973(v=vs.85).aspx
I do not represent the organisation I work for, all the opinions expressed here are my own. This posting is provided "AS IS" with no warranties or guarantees and confers no rights. - .... .- -. -.- ... --..-- ... .- -. - --- ... ....
August 1st, 2012 4:42am
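The MSDN passage quoted above is the basis for a simple audit: list every service configured to log on as LocalSystem, report the computer-account identity it presents on the network, and flag it when the host is a domain controller. This is an added example for this thread, not code from the original posts or from IBM/Microsoft; it assumes Windows PowerShell with WMI on a domain-joined host, and the Win32_ComputerSystem.DomainRole values 4 and 5 (backup and primary DC) documented by Microsoft.

```powershell
# Added audit example: find services that run as LocalSystem and assess them
# against the guidance "Services should never run as LocalSystem on a DC".
function Get-LocalSystemServiceAudit {
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $isDC = $cs.DomainRole -ge 4
    # On a domain member, a LocalSystem service reaches the network as the
    # computer account (DOMAIN\HOSTNAME$), so that is the identity to review in AD.
    $networkIdentity = '{0}\{1}$' -f $cs.Domain, $cs.Name

    Get-WmiObject -Class Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' } |
        ForEach-Object {
            $risk = if ($isDC) {
                'HIGH: LocalSystem on a domain controller has unrestricted access to AD DS'
            } else {
                'REVIEW: network access equals that of the computer account'
            }
            [PSCustomObject]@{
                Name            = $_.Name
                DisplayName     = $_.DisplayName
                State           = $_.State
                StartMode       = $_.StartMode
                PathName        = $_.PathName
                NetworkIdentity = $networkIdentity
                IsDomainController = $isDC
                Risk            = $risk
            }
        }
}

# Show third-party services first: anything not installed under the Windows directory.
$winDir = [Environment]::GetFolderPath('Windows')
Get-LocalSystemServiceAudit |
    Sort-Object { $_.PathName -like "*$winDir*" }, Name |
    Format-Table Name, State, StartMode, IsDomainController, Risk -AutoSize
```

Run it elevated on the Tivoli host to see which services still depend on LocalSystem; the NetworkIdentity column names the computer account whose AD permissions (not the local SYSTEM identity) govern what such a service can do remotely.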

Hi Santhosh, thanks so much for your clear explanation. I think I know what you mean. :) Br, Fiona
August 1st, 2012 11:16pm
