LocalSystem account cannot access share

Why can the LocalSystem account not access some shares like \\dc-Server\netlogon (I gave full control on the share and on NTFS to the computer account, but it did not help), while on the other hand it can access \\file-server\dfs-root\?

Do I understand correctly that LocalSystem works on remote servers under the machine account?
Do I need special permissions on shares to access them without a user profile?
1 Solution
 
KCTSCommented:
I don't quite understand what you are trying to do. The local system account - as the name suggests - is designed to access the local system, not to connect to external shares.
 
Jonathan-RavzinAuthor Commented:
I made a computer start-up script, and I also tried with the at command to run a scheduler task under the local system account; in both cases I have a problem accessing share folders, except dfs-root shares.
 
JSoupCommented:
The localsystem account and a user account are not the same account or type.
You really need to provide details.
 
JSoupCommented:
The localsystem account is by design forbidden to access network resources.
A user account is by design able to access network resources, but the share permissions and NTFS permissions apply.
 
Jonathan-RavzinAuthor Commented:
Sorry.

I made a computer start-up script; in the GPO I added this line: \\dc-server\netlogon\start-up.bat
and on users' workstations I got access denied in Event Viewer.

I moved the script to the \\dc-server\dfs-root folder and it works.

I tried other share folders on other servers and got access denied.

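For the start-up script case above, where full control was reportedly granted to the computer account and access was still denied, here is an added example (not code from the thread) of a check a file-server administrator can run to see what a principal is granted at the share layer and at the NTFS layer; the effective right over SMB is the more restrictive of the two. It assumes a server with the SmbShare module (Windows Server 2012 or later); the share name and the principal are placeholders.

```powershell
# Added example, not from the thread: compare what a principal is granted at the
# share layer and at the NTFS layer on a file server. Effective access over SMB is
# the more restrictive of the two, so an allow at only one layer is still a denial.
# Requires the SmbShare module (Windows Server 2012 or later); run as an administrator
# on the server that hosts the share.
param(
    [string]$ShareName = 'Scripts',                  # placeholder share name
    [string]$Principal = 'CONTOSO\Domain Computers'  # placeholder; holds the workstations' computer accounts
)

$share = Get-SmbShare -Name $ShareName -ErrorAction Stop

# Layer 1: the share ACL.
$shareAces = Get-SmbShareAccess -Name $ShareName
Write-Host "== Share ACL for \\$env:COMPUTERNAME\$ShareName =="
$shareAces | Format-Table AccountName, AccessControlType, AccessRight -AutoSize

# Layer 2: the NTFS ACL on the folder behind the share.
$ntfs = Get-Acl -Path $share.Path
Write-Host "== NTFS ACL for $($share.Path) =="
$ntfs.Access | Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize

# Name-based check of the principal plus the well-known groups that usually carry
# access for computer accounts (and the anonymous identity, which should not).
$identities = @($Principal, 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\ANONYMOUS LOGON')
foreach ($who in $identities) {
    $atShare = $shareAces  | Where-Object { $_.AccountName -eq $who -and $_.AccessControlType -eq 'Allow' }
    $atNtfs  = $ntfs.Access | Where-Object { $_.IdentityReference.Value -eq $who -and $_.AccessControlType -eq 'Allow' }
    $verdict = if ($atShare -and $atNtfs) { 'allowed at both layers' }
               elseif ($atShare)          { 'share only: NTFS denies' }
               elseif ($atNtfs)           { 'NTFS only: share denies' }
               else                       { 'no explicit allow at either layer' }
    if ($who -eq 'NT AUTHORITY\ANONYMOUS LOGON' -and ($atShare -or $atNtfs)) {
        $verdict += '  <-- anonymous (null-session) access granted; review'
    }
    Write-Host ("{0,-40} {1}" -f $who, $verdict)
}
```

The comparison is by name only and does not expand group membership, so a computer account that holds rights only through a nested group shows as "no explicit allow". Whether the client was ever presented to the server as that principal is a separate question, answered by the server's Security log rather than by its ACLs.
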
 
JSoupCommented:
Users' workstations would be logged on with a username that got access denied.
What did the Event Viewer on the server say?
 
KCTSCommented:
If you want to run processes and scheduled tasks then you should really create an account especially for the purpose and give it the necessary rights. It is bad practice to use the system account or standard user accounts for this purpose.
 
Jonathan-RavzinAuthor Commented:
I want to use NTBackup for system-state backups on servers. I have a share to put all the backups in.
I do not want to create a user which can run processes on a server and whose password will never expire.

So I want to make a scheduler task (by the AT command) to run under the local system account to make the backup and put it on the share; today I do it in 2 steps. First is to make the backup and put it locally, and second I run a copy process on the backup server.

What do you suggest?
 
JSoupCommented:
NTBackup runs on what, XP or server? Is the share on a server?
 
KCTSCommented:
Create an account for the backup that is a member of the Backup Operators group and use that. This group has the ability to read data for the purpose of performing backups but is very restricted in other aspects.
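KCTS's advice of a dedicated, restricted backup identity can be followed without the user account with a never-expiring password that the asker objects to, by using a group Managed Service Account, whose password Active Directory rotates on its own. The following is an added example, not KCTS's or the thread's own code; it assumes a domain with Windows Server 2012 or later domain controllers and an existing KDS root key, and the names svc-backup, BackupHosts, CONTOSO, FS01, DC01 and C:\Scripts\backup.cmd are placeholders.

```powershell
# Added example, not KCTS's or the thread's own code: a dedicated backup identity whose
# password Active Directory manages, so no user account with "password never expires" is
# needed. Assumes Windows Server 2012 or later DCs and an existing KDS root key
# (Add-KdsRootKey). All names below are placeholders.
Import-Module ActiveDirectory

# 1. The servers that may run the backup task are the only principals allowed to
#    retrieve the managed password (placeholder computer accounts).
New-ADGroup -Name 'BackupHosts' -GroupScope Global -GroupCategory Security -ErrorAction SilentlyContinue
Add-ADGroupMember -Identity 'BackupHosts' -Members 'FS01$', 'DC01$'

# 2. The group Managed Service Account itself.
New-ADServiceAccount -Name 'svc-backup' `
    -DNSHostName 'svc-backup.contoso.local' `
    -PrincipalsAllowedToRetrieveManagedPassword 'BackupHosts'

# 3. Least privilege for backup work: Backup Operators only, as KCTS suggested.
Add-ADGroupMember -Identity 'Backup Operators' -Members 'svc-backup$'

# --- Remaining steps run on each backup host, after it has rebooted so its Kerberos
#     ticket carries the BackupHosts membership. ---
Install-ADServiceAccount -Identity 'svc-backup'
Test-ADServiceAccount    -Identity 'svc-backup'   # True when the host can retrieve the password

# 4. Register the task to run as the gMSA. LogonType Password with no password supplied
#    is the pattern for gMSAs, so nothing secret is stored in the task.
#    C:\Scripts\backup.cmd stands in for the existing backup-and-copy steps.
$action    = New-ScheduledTaskAction -Execute 'C:\Scripts\backup.cmd'
$trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'
$principal = New-ScheduledTaskPrincipal -UserId 'CONTOSO\svc-backup$' -LogonType Password -RunLevel Highest
Register-ScheduledTask -TaskName 'SystemStateBackup' -Action $action -Trigger $trigger -Principal $principal
```

The destination share then receives a share-level and an NTFS allow for CONTOSO\svc-backup$ like any other principal. Membership in the domain's Backup Operators group covers the domain controllers; on a member server the local Backup Operators group is a separate membership.
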
 
Jonathan-RavzinAuthor Commented:
I have around 20 servers with local system backups and an external USB hard disk on my PC.

I do not want to create a user that has a password that never expires and that can run processes on servers (including DC servers) only for backup.

I think it is a good idea to run the backup process as the local system account (it works well) and put it on my external hard disk.

Besides that story I also have a terminal server that must get an update of our application exe file, so I do restarts at night in the scheduler (otherwise, if a user forgot his session, it will not copy and replace our exe file), so I use a machine start-up script to get the exe from a distribution share.

Besides that I want to be able to install software from the distribution server at machine start-up (assign MSI to computer), but it also gets an access denied error on the share. (Today I do it in 2 steps - copy to local with a user account and installation on the next restart from local under the computer account.)
 
JSoupCommented:
KCTS
If the share is not local the issue is "This group has the ability to read data for the purpose of performing backups but is very restricted in other aspects."
 
JSoupCommented:
Network flood to one location.
The Backup will take longer.  More than likely entering in to User logon time if Backup has not completed.
An external USB can be moved that negate the Share issue.
Consider>>> FTP with bandwidth control to transfer backup to USB.
 
Jonathan-RavzinAuthor Commented:
Thank you, but I am interested in a specific issue - how to enable the localsystem account to access share folders on a remote computer (I need it for start-up scripts and other scheduler processes).

 
JSoupCommented:
You need to consider another solution.
http://msdn2.microsoft.com/en-us/library/ms684190.aspx
LocalSystem Account
The LocalSystem account is a predefined local account used by the service control manager. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function. It has extensive privileges on the local computer, and acts as the computer on the network. Its token includes the NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs; these accounts have access to most system objects. The name of the account in all locales is .\LocalSystem. The name, LocalSystem or ComputerName\LocalSystem can also be used. This account does not have a password. If you specify the LocalSystem account in a call to the CreateService function, any password information you provide is ignored.

A service that runs in the context of the LocalSystem account inherits the security context of the SCM. The user SID is created from the SECURITY_LOCAL_SYSTEM_RID value. The account is not associated with any logged-on user account. This has several implications:



 
JSoupCommented:
http://www.windowsnetworking.com/kbase/WindowsTips/WindowsNT/AdminTips/Services/WindowsNTservicerunninginLocalSystemaccountcontext.html

Reason: Security
Windows NT services run as LocalSystem by default. LocalSystem is a predefined local account, and for any service running under LocalSystem:

The service can NOT open HKEY_CURRENT_USER .
The service can open HKEY_LOCAL_MACHINE\SECURITY.
The service has no network credentials and can only access network resources using a null session. If a share or pipe is accessible by >>Guest<< via a null session, it has access. There is a common misconception that a service running as LocalSystem has no network access.

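The MSDN text quoted earlier says LocalSystem "acts as the computer on the network", while the article quoted above says it has no network credentials and only a null session. Both describe real cases: on a domain-joined machine the remote server sees a LocalSystem caller as the machine's computer account (DOMAIN\HOST$), and a machine with no domain credentials connects as ANONYMOUS LOGON, i.e. a null session. The quickest way to settle which one a given file server is seeing is its own Security log. The following is an added example, not part of the thread, that lists network logons (logon type 3) from the server's Security log and classifies the identity each client presented; it assumes logon auditing is enabled and Windows Server 2008 or later (Get-WinEvent), and the Client parameter is a placeholder filter.

```powershell
# Added example, not part of the thread: on the file server, list network logons from the
# Security log and say which identity each client presented. A LocalSystem process on a
# domain-joined machine shows up as the computer account (DOMAIN\HOST$); a machine with no
# domain credentials shows up as ANONYMOUS LOGON, i.e. a null session. Assumes logon
# auditing is enabled and Windows Server 2008 or later (Get-WinEvent).
param(
    [int]$Hours = 24,
    [string]$Client = ''   # optional filter: client workstation name or IP (placeholder)
)

$filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Read a named EventData field from an event's XML rendering.
function Get-Field([xml]$Xml, [string]$Name) {
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    if ((Get-Field $x 'LogonType') -ne '3') { continue }   # network logons only (SMB access is type 3)
    $user   = Get-Field $x 'TargetUserName'
    $domain = Get-Field $x 'TargetDomainName'
    $ws     = Get-Field $x 'WorkstationName'
    $ip     = Get-Field $x 'IpAddress'
    if ($Client -and $ws -ne $Client -and $ip -ne $Client) { continue }
    $kind = if ($user -eq 'ANONYMOUS LOGON') { 'anonymous (null session)' }
            elseif ($user.EndsWith('$'))    { 'computer account (LocalSystem / Network Service caller)' }
            else                            { 'user account' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Result  = if ($e.Id -eq 4624) { 'success' } else { 'FAILED' }
        Account = "$domain\$user"
        Kind    = $kind
        Client  = if ($ws) { $ws } else { $ip }
        Package = Get-Field $x 'AuthenticationPackageName'
    }
}

$rows | Sort-Object Time -Descending | Format-Table -AutoSize

# Summary by outcome and identity kind.
$rows | Group-Object Result, Kind | Select-Object Count, Name | Format-Table -AutoSize
```

A 4625 here means authentication itself failed for that identity. A successful 4624 from the client's computer account followed by "access denied" on the client means the logon worked and it is the share or NTFS ACL that refused, which is audited separately under Object Access; and a successful 4624 for ANONYMOUS LOGON means the client arrived with no credentials at all, so ACL entries for its computer account could never match.
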
 
Jonathan-RavzinAuthor Commented:

How can I enable on file server a  "null session"????
 
JSoupCommented:


Warning: No security. Not recommended.
Use the guest account.
What Is A Null Session
 
http://www.pluralsight.com/wiki/default.aspx/Keith.GuideBook/WhatIsANullSession.html

A null session is how Windows represents an anonymous user. To understand how it is used, imagine the sort of code you have to write in a server to deal with authenticated clients. After authenticating a client using Kerberos (WhatIsKerberos), say, your server receives a token for that client that contains group SIDs, and you can use that token to perform access checks against ACL'd resources (WhatIsACLBasedSecurity). For instance, given the client's token it's quite easy to check whether that client should be granted write access to a file. We can simply impersonate the client (WhatIsImpersonation) and try to open the file for writing. The operating system will compare the DACL on the file with the client's token (that we're impersonating) to make this determination. The administrator can control access to files by editing their ACLs. But what if you also service anonymous requests, that is, those for which you won't get any token for the client at all? It's impossible to impersonate a client for whom you don't have a token.

NULL sessions restrictions of server and workstation RPC operations
For some of the lanmanserver and lanmanworkstation RPC services operations (srvsvc and wkssvc named pipes), restrictions are hardcoded and documented in MSDN, under the Security requirements section. Sometimes, depending on the requested information level, it is necessary (or not) to be a member of the Administrators or Account Operators local group.
See link for more details.

Not Sure for W2k3 but look at:
http://www.hsc.fr/ressources/articles/win_net_srv/null_session_restrictions_srvsvc_wkssvc.html

The following srvsvc operations can be used anonymously:
NetrShareEnum (levels 1 and 2 only)
NetrServerTransportEnum
In addition, on Windows 2000 workstation and member servers, the following srvsvc operations can be used anonymously if RestrictAnonymous is set to 0:
NetrServerGetInfo (levels 100 and 101 only)
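Rather than enabling null sessions on the file server (the warning above applies), an administrator usually first wants to know whether they are already possible. The following is an added example, not from the thread or the linked articles, that reads the registry values governing anonymous access (RestrictAnonymous, which the quoted text mentions, together with the related Lsa and LanmanServer values) and flags anything looser than a hardened baseline. The Default and Hardened values are assumptions stated in the code, not settings taken from the thread.

```powershell
# Added example, not from the thread or the linked articles: read the registry values that
# govern anonymous (null-session) access on a file server and flag anything looser than a
# hardened baseline. RestrictAnonymous is the value the quoted text names; the rest are the
# related Lsa and LanmanServer values. The Default and Hardened columns are assumptions
# stated here, not settings taken from the thread. Run as an administrator on the server.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$checks = @(
    @{ Path=$lsa; Name='RestrictAnonymous';         Default=0;   Hardened=1;   Note='0 permits anonymous share enumeration' }
    @{ Path=$lsa; Name='RestrictAnonymousSAM';      Default=1;   Hardened=1;   Note='0 permits anonymous SAM account enumeration' }
    @{ Path=$lsa; Name='EveryoneIncludesAnonymous'; Default=0;   Hardened=0;   Note='1 gives null sessions every "Everyone" permission' }
    @{ Path=$srv; Name='RestrictNullSessAccess';    Default=1;   Hardened=1;   Note='0 lets null sessions reach any share or pipe' }
    @{ Path=$srv; Name='NullSessionShares';         Default=@(); Hardened=@(); Note='listed shares are reachable by null sessions' }
    @{ Path=$srv; Name='NullSessionPipes';          Default=@(); Hardened=@(); Note='listed pipes are reachable by null sessions' }
)

$report = foreach ($c in $checks) {
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    # An absent value means the OS default applies.
    $actual = if ($null -ne $item) { $item.($c.Name) } else { $c.Default }
    if ($c.Hardened -is [array]) {
        $ok      = (@($actual).Count -eq 0)
        $display = if ($ok) { '(empty)' } else { @($actual) -join ', ' }
    } else {
        $ok      = ([int]$actual -eq $c.Hardened)
        $display = $actual
    }
    [pscustomobject]@{
        Setting  = $c.Name
        Actual   = $display
        Hardened = if ($ok) { 'yes' } else { 'NO  <-- ' + $c.Note }
    }
}
$report | Format-Table -AutoSize
```

A "NO" against NullSessionShares or RestrictNullSessAccess is precisely the condition under which a share becomes reachable by a null session, which is why the quoted article marks that route as "No security". Older systems list a few pipes in NullSessionPipes by default, so that line is worth reading rather than acting on blindly.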