What is the "Local System" account (often loosely called "LSA")? How powerful is it compared to a user account?
Why do most services and applications run under the Local System account rather than a user account (such as an admin account)?

Example: the SQL Server service MSSQL$Applicationame is usually installed to run under Local System, although it does not have to (see the note at the end).

Reason: One of the fundamental rules of the NT/2000/03 security model is that any entity that accesses a domain or machine resource must authenticate itself to a security authority. This rule applies to:
1) Users
2) Machines
3) Services
In the case of a domain, this authority is a domain controller (DC). In the case of a standalone machine, it is the Local Security Authority (LSA), the lsass.exe subsystem present on every Windows box. When a service starts up, the Service Control Manager logs it on with the account configured for it, which is why you must link an account to a service.

A note on names: "LSA" is the authority that does the authenticating. The account most services run under is "Local System" (shown as LocalSystem in the Services applet and as NT AUTHORITY\SYSTEM in a process token). Informal writing, including the rest of this post, often uses "LSA" for the latter; the two are not the same thing.

Advantages of Local System:
When you use a regular user account to run an NT service, you must remember to change the password in the service's settings every time you change the account's password, because the Service Control Manager stores its own copy of it. Running the service under the Local System account avoids this entirely: Local System is a built-in account with no password, so there is nothing to rotate and nothing to go stale.

You will all have noticed that if you open the Services applet and double-click MSSQL$Applicationame, the Log On tab offers two choices:
1) Local System account, for which you enter no password; you just select the radio button.
2) This account, for which you specify a user name and password.

Is Local System powerful?
The Local System account has the highest possible privileges on a local NT/2000/03 machine. Its token carries membership in the local Administrators group and every privilege the OS defines (SeDebugPrivilege, SeTcbPrivilege, SeBackupPrivilege and so on), so it can read or change any file, registry key or process on the box.

Its reach beyond the local machine depends on whether the machine is in a domain. On a standalone machine, Local System has no password and therefore no credentials to present, so it cannot authenticate to any other machine and has no permissions there. On a domain-joined machine, however, a service running as Local System reaches the network as the computer account (DOMAIN\HOSTNAME$), whose password is managed automatically by the OS, and it gets whatever access that computer account has been granted.

Not having to deal with password changes is a real convenience, but it comes at a cost: a service running as Local System that is exploited, or whose binary or configuration an ordinary user can modify, hands the whole OS to that user, because there is no privilege left to escalate to. Since Windows XP/2003 the built-in Local Service and Network Service accounts offer the same no-password convenience with far fewer rights, and for SQL Server in particular Microsoft recommends a dedicated low-privilege service account rather than Local System.
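To see this on a real box, the PowerShell below (an added example, not code from the original post) lists every installed service by the account it logs on with, separates the built-in accounts from real user accounts whose stored password will need rotating, and shows the sc.exe commands that move the post's MSSQL$Applicationame instance off Local System. The instance name comes from the post; the low-privilege account name .\svc_sql_app is a hypothetical placeholder.

```powershell
# Added example, not from the original post: inventory the logon account of every
# installed service and single out those running as Local System. Assumes a Windows
# host where Get-CimInstance can query Win32_Service (Windows PowerShell 3+ / PowerShell 7).
# MSSQL$Applicationame is the instance name used in the post; '.\svc_sql_app' is a
# hypothetical low-privilege account name.

# How Win32_Service.StartName reports the built-in accounts. Local Service and
# Network Service are the lower-privilege, no-password alternatives to Local System.
$builtIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

$services = Get-CimInstance -ClassName Win32_Service |
    Select-Object Name, DisplayName, StartMode, State, StartName

# Overview: how many services run under each account.
$services | Group-Object StartName | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Services with full local privilege. On a domain member these also reach the
# network as the computer account (DOMAIN\HOSTNAME$).
$services |
    Where-Object { $_.StartName -eq 'LocalSystem' } |
    Format-Table Name, StartMode, State -AutoSize

# Services on a real user account: the SCM stores a password for each of these, and it
# must be updated in the service configuration whenever the account's password changes.
$services |
    Where-Object { $_.StartName -and ($_.StartName -notin $builtIn) } |
    Format-Table Name, StartName, State -AutoSize

# The post's example instance (only present if that SQL Server instance is installed).
$sqlSvc = 'MSSQL$Applicationame'
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$sqlSvc'"
if ($svc) { "$sqlSvc runs as $($svc.StartName)" } else { "$sqlSvc is not installed here" }

# Moving the instance from Local System to a dedicated low-privilege account
# (hypothetical '.\svc_sql_app'). sc.exe requires the space after 'obj=' and 'password='.
# Uncomment to apply; restart the service afterwards for the change to take effect.
# $pw = Read-Host -Prompt "Password for .\svc_sql_app"
# sc.exe config $sqlSvc obj= '.\svc_sql_app' password= $pw
# And back to Local System, which needs no password at all:
# sc.exe config $sqlSvc obj= LocalSystem
```

The account that a service runs under is exactly the identity an attacker inherits by exploiting it, so the first table is the one to read when reviewing a host: every entry under LocalSystem is a service whose compromise is a full local compromise.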