On the Service Account Selection page in the Active Directory Lightweight Directory Services Setup Wizard, you must select a service account for use by this instance of Active Directory Lightweight Directory Services (AD LDS). The account that you select determines the security context in which the AD LDS instance runs. Changing the service account after installation may require some additional configuration.

In most cases, the Active Directory Lightweight Directory Services Setup Wizard defaults to the Network Service account as the service account. The Network Service account is a special, built-in account, with authority similar to the authority of an authenticated user account.

The name of the account is NT AUTHORITY\NetworkService. The Network Service account has limited access to the local computer. It has authenticated access, as the computer account, to network resources. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Network Service account access network resources using the credentials of the computer account.

Notes
  • To enable auditing for an AD LDS instance that runs under a service account other than the Network Service account, you must grant the Generate security audits right to the account that is used as the AD LDS service account.
  • To enable a workstation or domain user account as a service account, you must grant the Log on as a service right to the account that is used as the AD LDS service account.

Additional references