Service Accounts and BITS

You can use BITS to transfer files from a service. The service must use the LocalSystem, LocalService, or NetworkService system account. These accounts are always logged on; therefore, jobs submitted by a service using these accounts always run.

If a service running under a system account impersonates the user before calling BITS, BITS responds as it would for any user account (for example, the user needs to be logged on to the computer for the transfer to occur). The service should also use dynamic cloaking with the BITS interface pointers when impersonating the user. Cloaking is not inherited; therefore, you must call the CoSetProxyBlanket function on each interface pointer that you receive from BITS (for example, the job pointer returned from calling the IBackgroundCopyManager::CreateJob method). It is not enough to set cloaking on the manager interface pointer. You can also call the CoInitializeSecurity function for the process instead of calling the CoSetProxyBlanket function on each interface pointer.
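The per-pointer cloaking requirement described above, as an added C++ example (not code from the original page). `SetDynamicCloaking` and `CreateJobAsImpersonatedUser` are hypothetical helper names; the caller is assumed to have initialized COM on the thread and to be impersonating the user already.

```cpp
#ifdef _WIN32   // BITS and COM headers ship only with the Windows SDK
#include <windows.h>
#include <bits.h>
#pragma comment(lib, "ole32.lib")

// Enable dynamic cloaking on ONE proxy so that each call through it uses the
// thread's current (impersonation) token. The setting is per interface pointer.
HRESULT SetDynamicCloaking(IUnknown* proxy)
{
    if (proxy == nullptr) return E_POINTER;
    return CoSetProxyBlanket(proxy,
        RPC_C_AUTHN_DEFAULT, RPC_C_AUTHZ_DEFAULT, COLE_DEFAULT_PRINCIPAL,
        RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE,
        nullptr,                  // no explicit credentials; identity comes from the token
        EOAC_DYNAMIC_CLOAKING);
}

// Hypothetical helper: create a download job on behalf of the user that the
// calling thread is impersonating. On success the caller owns *job and must
// Release() it.
HRESULT CreateJobAsImpersonatedUser(LPCWSTR name, IBackgroundCopyJob** job)
{
    if (job == nullptr) return E_POINTER;
    *job = nullptr;

    IBackgroundCopyManager* mgr = nullptr;
    HRESULT hr = CoCreateInstance(__uuidof(BackgroundCopyManager), nullptr,
        CLSCTX_LOCAL_SERVER, __uuidof(IBackgroundCopyManager),
        reinterpret_cast<void**>(&mgr));
    if (FAILED(hr)) return hr;

    hr = SetDynamicCloaking(mgr);           // cloak the manager pointer ...
    GUID id = {};
    if (SUCCEEDED(hr))
        hr = mgr->CreateJob(name, BG_JOB_TYPE_DOWNLOAD, &id, job);
    if (SUCCEEDED(hr))
        hr = SetDynamicCloaking(*job);      // ... and, separately, the job pointer
    if (FAILED(hr) && *job != nullptr) {    // never hand back an uncloaked job
        (*job)->Cancel();
        (*job)->Release();
        *job = nullptr;
    }
    mgr->Release();
    return hr;
}
#endif // _WIN32
```

Any further interface pointer obtained from the job needs the same `SetDynamicCloaking` call before it is used under impersonation.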

However, if the service does not impersonate the user, the following behaviors apply:

  • Jobs created by the service account are owned by that account. Because system accounts are always logged on, BITS transfers the files as long as the computer is running and there is a network connection.
  • System accounts should not use mapped network drive letters because the drive letters are specific to a session and the mapping may be lost after a computer restart.
  • In the absence of a Helper Token, network authentication uses computer credentials for LocalSystem and NetworkService accounts and anonymous credentials for the LocalService account. BITS returns "access denied" if the access control list (ACL) for the source file limits access to a user account.
  • For details on how authentication works in the presence of a Helper Token, see Authentication.
  • Microsoft Internet Explorer proxy settings are stored per-user and are not set for system accounts. Consider configuring a helper token on your BITS jobs, or explicitly setting the correct proxy settings by calling IBackgroundCopyJob::SetProxySettings with BG_JOB_PROXY_USAGE_OVERRIDE. Alternatively, you can use the /Util /SetIEProxy switches of BitsAdmin.exe to set Internet Explorer proxy settings for the LocalSystem, LocalService, or NetworkService system account. For details, see BitsAdmin Tool.

Note that BITS does not recognize the proxy settings that are set using the Proxycfg.exe file.