How do I grant NT AUTHORITY\SYSTEM File Permissions

Posted on 2008-11-20
Last Modified: 2013-12-04
I have a script that runs at system startup via group policy.  It runs under the NT AUTHORITY\SYSTEM user account.  This script needs to access some files on a network share.  It can successfully access shares where Everyone has been granted access, but if I have a share to a folder where only NT AUTHORITY\SYSTEM has been given access, I get an access denied message.

To duplicate this behavior, create a share on SystemA (Windows 2003), set the share permissions to Everyone:F, and set the folder permissions to Everyone:R.

On SystemB (Windows XP SP3), start a process as NT AUTHORITY\SYSTEM, i.e. AT [SomeTimeSoon] /INTERACTIVE %windir%\system32\cmd.exe

Under the newly created process confirm your access token (AT) via whoami /all:
[User]     = "NT AUTHORITY\SYSTEM"  S-1-5-18

[Group  1] = "BUILTIN\Administrators"  S-1-5-32-544
[Group  2] = "Everyone"  S-1-1-0
[Group  3] = "NT AUTHORITY\Authenticated Users"  S-1-5-11

Try to access the share on SystemA:
DIR \\SystemA\Share
Successful listing.

Change the folder permissions on the share by removing Everyone:R and adding SYSTEM:R.
Confirm the permissions change using FileACL:
\\SystemA\Share;S-1-5-18:RX
\\SystemA\Share;S-1-5-32-544:F[I]

Try to access the share from SystemB:
DIR \\SystemA\Share
Access is denied.

Why is NT Authority\SYSTEM denied access when there is an ACE that allows access?
Question by:jasonclamb
Accepted Solution

by: oBdA
Because the System account itself doesn't have any network credentials. When a process started by the system account tries to connect to a network resource, it will try to authenticate with the computer account. Give permissions to the computer account of SystemB (or add the computer account to a group with permissions), and it should work.

Author Closing Comment

by:jasonclamb
Excellent, I spent hours looking at this... I added Domain Computers to the ACL for the share. Now I have to figure out what perms are necessary if the folder that the PCs need access to is several deep.
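
One way to apply the accepted solution to a single machine rather than a broad group, as an added example that is not part of the original posts: grant SystemB's computer account read access on the folder, with inheritance so nested folders are covered, then list the resulting ACEs. The domain name CONTOSO, the local path D:\Share and the function names Grant-ComputerRead and Get-AceForSid are assumptions made for illustration.

```powershell
# Added example. Run on SystemA (the file server) from an elevated PowerShell prompt.
# Assumptions: CONTOSO is a placeholder domain name and D:\Share is a placeholder
# for the local folder behind \\SystemA\Share.
$Folder   = 'D:\Share'
$Computer = 'CONTOSO\SystemB$'   # computer account names end in '$'

function Grant-ComputerRead {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [string] $Account
    )
    # Resolve the name to a SID first so a mistyped account fails here
    # instead of producing an unresolvable ACE.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier])

    # Read-only access, inherited by subfolders and files that have not
    # blocked inheritance, so nested folders are covered by the same ACE.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    return $sid
}

function Get-AceForSid {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [System.Security.Principal.SecurityIdentifier] $Sid
    )
    # List explicit and inherited ACEs by SID and keep those for the account.
    (Get-Acl -Path $Path).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $Sid.Value }
}

$sid = Grant-ComputerRead -Path $Folder -Account $Computer
Get-AceForSid -Path $Folder -Sid $sid |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

Afterwards, repeat DIR \\SystemA\Share from the SYSTEM prompt on SystemB. The share permissions (Everyone:F in the question) must also allow the account, since share and folder permissions are both evaluated.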