Windows 7 introduced virtual accounts for services, NT SERVICE\service_name
they are low-privilege, do not need to be created (i.e they exist when service is created),have no password, and in kerberos envronment run as UPN machine account.
Overall, it is pretty much the same as NETWORK SERVICE account we used that far.
However, virtual accounts have better "granularity" than NETWORK SERVICE.
- File access control is better (one mariadb service does not access files from another service).
- Also privilege assignment if needed can be done per-user(per-service).
For example, to use large pages, one can give NT SERVICE\MariaDB SeLockMemoryPrivilege.
MDEV-22175). If we ever decide to use symbolic links, this privilege can be given to the service as well.