How do I grant NT AUTHORITY\SYSTEM File Permissions

I have a script that runs at system startup via group policy.  It runs under the NT AUTHORITY\SYSTEM user account.  This script needs to access some files on a network share.  It can successfully access shares where Everyone has been granted access, but if I have a share to a folder where only NT AUTHORITY\SYSTEM has been given access, I get an access denied message.

To duplicate this behavior, create a share on SystemA (Windows 2003) set the share permissions to Everyone:F, set the folder permissions to Everyone:R

On SystemB (Windows XP SP3) start a process as NT AUTHORITY\SYSTEM ie AT [SomeTimeSoon] /INTERACTIVE %windir%\system32\cmd.exe

Under the newly created process confirm your access token (AT) via whoami /all:
[User]     = "NT AUTHORITY\SYSTEM"  S-1-5-18

[Group  1] = "BUILTIN\Administrators"  S-1-5-32-544
[Group  2] = "Everyone"  S-1-1-0
[Group  3] = "NT AUTHORITY\Authenticated Users"  S-1-5-11

Try to access the share on SystemA:
DIR \\SystemA\Share
Successful listing.

Change the folder permissions on the share by removing Everyone:R and add SYSTEM:R
Confirm the permissions change using FileACL:
\\SystemA\Share;S-1-5-18:RX
\\SystemA\Share;S-1-5-32-544:F[I]

Try to access the share from SystemB:
DIR \\SystemA\Share
Access is denied.

Why is NT Authority\SYSTEM denied access when there is an ACE that allows access?
jasonclambAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

oBdACommented:
Because the System account itself doesn't have any network credentials. When a process started by the system account tries to connect to a network resource, it will try to authenticate with the computer account. Give permissions to the computer account of SystemB (or add the computer account to a group with permissions), and it should work.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jasonclambAuthor Commented:
Excellent, I spent hours looking at this... I added Domain Computers to the ACL for the share.  Now I have to figure out what perms are necessary if the folder that the PCs need access is several deep.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.