Jonathan-Ravzin

asked on

localsystem account can not access to share

Why can the localsystem account not access some shares like \\dc-Server\netlogon (I gave full control on the share and NTFS to the computer account, but it did not help), while from the other side it can access \\file-server\dfs-root\?

Do I understand correctly that localsystem works on remote servers under the machine account?
Do I need special permissions on shares to access them without a user profile?
Brian Pierce

I don't quite understand what you are trying to do. The local system account - as the name suggests - is designed to access the local system, not to connect to external shares.
Jonathan-Ravzin

ASKER

I did a computer start-up script, and I also tried with the at command to run a scheduler task under the local system account; in both cases I have a problem accessing share folders, except dfs-root shares.
localsystem account
user account
are not the same account or type.
You really need to provide details.
The localsystem account is by design forbidden to access network resources.
A user account is by design able to access network resources, but the share permissions and NTFS permissions apply.
Sorry.

I did a computer start-up script in GPO; I added this line: \\dc-server\netlogon\start-up.bat
and on users' workstations I got access denied in the event viewer.

I moved the script to the \\dc-server\dfs-root folder and it works.

I tried other share folders on other servers and got access denied.

Users' workstations, when logged on with a username, got access denied.
What did the event viewer on the server say?
If you want to run processes and scheduled tasks then you should really create an account especially for the purpose and give it the necessary rights. It is bad practice to use the system account or standard user accounts for this purpose.
I want to use NTBackup for system-state backup on servers. I have a share to put all the backups in.
I do not want to create a user which can run processes on servers and whose password will never expire.

So I want to make a scheduler task (by AT command) to run under the local system account to make the backup and put it on the share. Today I do it in 2 steps: first I make the backup and put it locally, and in the second step I run a copy process on the backup server.

What do you suggest?
NTBackup runs on what, XP or server? Is the share on a server?
Create an account for the backup that is a member of the Backup Operators group and use that. This group has the ability to read data for the purpose of performing backups but is very restricted in other aspects.
I have around 20 servers with local system backups and an external USB hard disk on my PC.

I do not want to create a user that has a password that never expires and that can run processes on servers (including DC servers) only for backup.

I think it is a good idea to run the backup process as the local system account (it is working well) and put it on my external hard disk.

Besides that story, I also have a terminal server that must get an update of our application exe file, so I do restarts at night in the scheduler (otherwise, if a user forgot his session, it will not copy and replace our exe file), so I use a machine start-up script to get the exe from a distribution share.

Besides that, I want to be able to install software from a distribution server at machine start-up (assign MSI to computer), but it also got an access denied error to the share. (Today I do it in 2 steps: copy to local with a user account and installation on the next restart from local under the computer account.)
KCTS
If the share is not local the issue is "This group has the ability to read data for the purpose of performing backups but is very restricted in other aspects."
Network flood to one location.
The backup will take longer. More than likely it will run into user logon time if the backup has not completed.
An external USB can be moved, which negates the share issue.
Consider: FTP with bandwidth control to transfer the backup to USB.
Thank you, but I am interested in a specific issue - how to enable the localsystem account to access share folders on a remote computer (I need it for the start-up script and other scheduler processes).

ASKER CERTIFIED SOLUTION
JSoup

http://www.windowsnetworking.com/kbase/WindowsTips/WindowsNT/AdminTips/Services/WindowsNTservicerunninginLocalSystemaccountcontext.html

Reason: Security
Windows NT services run as LocalSystem by default. LocalSystem is a predefined local account and any service running under LocalSystem:

The service can NOT open HKEY_CURRENT_USER.
The service can open HKEY_LOCAL_MACHINE\SECURITY.
The service has no network credentials and can only access network resources using a null session. If a share or pipe is accessible by >>Guest<< via a null session, it has access. There is a common misconception that a service running as LocalSystem has no network access.


How can I enable a "null session" on the file server?


Warning: no security. Not recommended.
Use the Guest account.
What Is A Null Session
 
http://www.pluralsight.com/wiki/default.aspx/Keith.GuideBook/WhatIsANullSession.html

A null session is how Windows represents an anonymous user. To understand how it is used, imagine the sort of code you have to write in a server to deal with authenticated clients. After authenticating a client using Kerberos (WhatIsKerberos), say, your server receives a token for that client that contains group SIDs, and you can use that token to perform access checks against ACL'd resources (WhatIsACLBasedSecurity). For instance, given the client's token it's quite easy to check whether that client should be granted write access to a file. We can simply impersonate the client (WhatIsImpersonation) and try to open the file for writing. The operating system will compare the DACL on the file with the client's token (that we're impersonating) to make this determination. The administrator can control access to files by editing their ACLs. But what if you also service anonymous requests, that is, those for which you won't get any token for the client at all? It's impossible to impersonate a client for whom you don't have a token.

NULL sessions restrictions of server and workstation RPC operations
For some of the lanmanserver and lanmanworkstation RPC services operations (srvsvc and wkssvc named pipes), restrictions are hardcoded and documented in MSDN, under the Security requirements section. Sometimes, depending on the requested information level, it is necessary (or not) to be a member of the Administrators or Account Operators local group.
See link for more details.

Not Sure for W2k3 but look at:
http://www.hsc.fr/ressources/articles/win_net_srv/null_session_restrictions_srvsvc_wkssvc.html

The following srvsvc operations can be used anonymously:
NetrShareEnum (levels 1 and 2 only)
NetrServerTransportEnum
In addition, on Windows 2000 workstation and member servers, the following srvsvc operations can be used anonymously if RestrictAnonymous is set to 0:
NetrServerGetInfo (levels 100 and 101 only
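The two quoted articles describe null-session and RestrictAnonymous behaviour but not how to see what a given file server currently exposes. The read-only audit below is an added example, not code from this thread or from either linked article; it assumes a Windows server with the LanmanServer service, an elevated PowerShell session, and the standard `RestrictAnonymous`, `RestrictNullSessAccess` and `NullSessionShares` registry values (the latter two are not mentioned in the thread; they are the server-side controls that decide which shares an anonymous client can open). The function name `Get-NullSessionExposure` is mine.

```powershell
# Added audit example (not from the thread). Read-only: reports the settings that decide
# whether an anonymous ("null session") client can reach shares on this server.
# Assumes a Windows server with LanmanServer; run in an elevated PowerShell.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-RegValueOrDefault {
    param([string]$Path, [string]$Name, $Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }   # value absent: fall back to the documented default
    return $item.$Name
}

function Get-NullSessionExposure {
    $findings = New-Object System.Collections.Generic.List[string]

    # RestrictAnonymous: 0 = no restriction, 1 = no enumeration, 2 = no access without explicit anonymous permissions
    $ra = Get-RegValueOrDefault $lsaKey 'RestrictAnonymous' 0
    if ($ra -eq 0) { $findings.Add('RestrictAnonymous=0: null sessions may enumerate shares and accounts') }

    # RestrictNullSessAccess: 1 (default) limits null sessions to the shares named in NullSessionShares
    $rns = Get-RegValueOrDefault $srvKey 'RestrictNullSessAccess' 1
    if ($rns -eq 0) { $findings.Add('RestrictNullSessAccess=0: every share is reachable over a null session') }

    # NullSessionShares (REG_MULTI_SZ): each listed share name is opened to anonymous clients
    foreach ($share in @(Get-RegValueOrDefault $srvKey 'NullSessionShares' @())) {
        if (-not [string]::IsNullOrWhiteSpace($share)) {
            $findings.Add("NullSessionShares lists '$share': anonymous clients can open it")
        }
    }

    # The thread's other suggestion, the Guest account: if enabled it widens what anonymous access maps to
    if (Get-Command Get-LocalUser -ErrorAction SilentlyContinue) {
        $guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
        if ($guest -and $guest.Enabled) { $findings.Add('Guest account is enabled') }
    }
    return $findings
}

$exposure = Get-NullSessionExposure
if ($exposure.Count -eq 0) {
    Write-Output 'No anonymous share exposure found (RestrictNullSessAccess=1, empty NullSessionShares, Guest disabled)'
} else {
    $exposure | ForEach-Object { Write-Output "FINDING: $_" }
    Write-Output 'Mitigation: keep RestrictNullSessAccess=1 and NullSessionShares empty; run the task under a dedicated least-privilege account instead'
}
```

Each FINDING line corresponds to one of the ways the thread discusses opening a share to an account with no network credentials, so the script doubles as a check that a server has not been left that way after testing.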