?
Solved

Local SYSTEM account, analyzing security settings

Posted on 2004-09-11
6
Medium Priority
?
198 Views
Last Modified: 2013-12-04
I use a W2K server with a group policy, that makes some W2K Prof machines auto-install an msi file.

The W2K prof machine starts up and shows that it starts installing the msi file, but only for a second. The package was not installed.

In the event log you can see an error that says that the source for the package cannot be found. Microsoft describes this case in Q278472. Installing the package by hand works well (being Administrator). The package is located on a network share, on the DC. I have tested several ways when putting the package into group policy, like "\\servername\..." or "\\192.168.1.6\..." etc, but nothing works. I have checked the security credentials for the share, for the subfolder and all in-between folders. "SYSTEM" is there and has always full access. I also included the machine's local account (in security settings, I can browse for objects and selected the computer symbol of the W2K Prof PC), also with full access.

Now I want to test if the local SYSTEM account of the W2K Prof machine has really access to the target folder. But how ?

I know two years ago I managed to open a CMD window by using the task planner (and just saying "start cmd.exe in one minute"), but there must have been an additionyl trick.

Any idea anyone ?

Or, can I change a service on the local machine to run the installation under another account ?

There may be some reason for SYSTEM not being able to have access (english W2K server after initial german W2K server installation, several W2K Prof machines were built with a partition image and then NewSID was used, ...)
0
Comment
Question by:PC-Alex
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 5

Expert Comment

by:burningmace
ID: 12033963
I'm not sure if this will help, but you can configure services to run under another username by doing the following:

1) Right click the taskbar and click properties
2) Go to the Start Menu tab and click "Customize..."
3) Go to the Advanced tab and scroll all the way to the bottom
4) Under "System Administrative Tools" choose "Display on the All Programs menu and the Start menu"
5) Click OK on both windows.
6) Click Start -> Administrative Tools -> Services
7) Find the service you want and double-click it.
8) Go the the LogOn tab and select "This Account"
9) Use "Browse..." to find the account and type the password into the two boxes.

Hope it's usefull
0
 
LVL 1

Author Comment

by:PC-Alex
ID: 12034187
Hallo burningmace,

*how* to assign another user I already knew, but *which* service is the one to enforce the group policy (and to install the msi package) is the question. And, of course: What happens to my system if a system service now runs under a different user :-)

Thank you anyway.
0
 
LVL 85

Accepted Solution

by:
oBdA earned 1500 total points
ID: 12039276
You should get your "system simulation access" by opening a command prompt, then entering
at <CurrentTime + 2 minutes> /interactive cmd
After about two minutes (you can add 1 minute only, if you're typing fast enough ...), a new command window will pop up; this one will run under the system account.
0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 
LVL 1

Author Comment

by:PC-Alex
ID: 12039521
Thanks oBdA. I can test it tomorrow in the office.
0
 
LVL 5

Expert Comment

by:burningmace
ID: 12043889
Group policies can be tricky buggers, when things go wrong I just abandon the install-at-boot using msiconfig and "Run As..." (Right Click -> Run As...) the MSI.

I've found it useful in games, especially Max Payne, which seems to hate non-admin accounts.
0
 
LVL 1

Author Comment

by:PC-Alex
ID: 12057923
Thanks, oBdA, with this command I managed to open a DOS box and find out why it didn't work.

The workstations authenticate on the 2000Server as "ANONYMOUS LOGON". So I could extend the security settings and now the GP - Installations work.

burningmace, where can I apply for being hired ? I'd like my company installing games centrally ;-)
0

Featured Post

Need protection from advanced malware attacks?

Look no further than WatchGuard's Total Security Suite, providing defense in depth against today's most headlining attacks like Petya 2.0 and WannaCry. Keep your organization out of the news with protection from known and unknown threats.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
OfficeMate Freezes on login or does not load after login credentials are input.
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…
Suggested Courses
Course of the Month15 days, 1 hour left to enroll

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question