jasonclamb
asked on
How do I grant NT AUTHORITY\SYSTEM File Permissions
I have a script that runs at system startup via group policy. It runs under the NT AUTHORITY\SYSTEM user account. This script needs to access some files on a network share. It can successfully access shares where Everyone has been granted access, but if I have a share to a folder where only NT AUTHORITY\SYSTEM has been given access, I get an access denied message.
To duplicate this behavior, create a share on SystemA (Windows 2003), set the share permissions to Everyone:F, and set the folder permissions to Everyone:R.
On SystemB (Windows XP SP3), start a process as NT AUTHORITY\SYSTEM, i.e. AT [SomeTimeSoon] /INTERACTIVE %windir%\system32\cmd.exe
Under the newly created process, confirm your access token (AT) via whoami /all:
[User] = "NT AUTHORITY\SYSTEM" S-1-5-18
[Group 1] = "BUILTIN\Administrators" S-1-5-32-544
[Group 2] = "Everyone" S-1-1-0
[Group 3] = "NT AUTHORITY\Authenticated Users" S-1-5-11
Try to access the share on SystemA:
DIR \\SystemA\Share
Successful listing.
Change the folder permissions on the share by removing Everyone:R and adding SYSTEM:R.
Confirm the permissions change using FileACL:
\\SystemA\Share;S-1-5-18:RX
\\SystemA\Share;S-1-5-32-544:F[I]
Try to access the share from SystemB:
DIR \\SystemA\Share
Access is denied.
Why is NT AUTHORITY\SYSTEM denied access when there is an ACE that allows access?
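A check a practitioner would run before reworking the DACL, added here as an example and not part of the original post: the well-known SID S-1-5-18 only ever identifies the Local System account of the machine that evaluates the DACL, so an ACE for it on SystemA grants SystemA's own processes, not a caller from SystemB. On a domain member, a process running as Local System authenticates to remote hosts as the computer account DOMAIN\HOST$ (in a workgroup it falls back to an anonymous logon). This script, run on the client (SystemB), lists the folder's ACEs and flags which ones actually match the identities that computer-account logon presents; the path defaults to the share from the question and the group list assumes default domain membership.

```powershell
# Added example: compare a share folder's DACL against the identities a
# remote NT AUTHORITY\SYSTEM process really presents over the network.
param(
    [string]$Path       = '\\SystemA\Share',      # share from the question
    [string]$ClientHost = $env:COMPUTERNAME,      # machine the script runs on (SystemB)
    [string]$Domain     = $env:USERDOMAIN
)

# Server-side token for a computer-account network logon contains the computer
# account itself, its default group (Domain Computers), and the usual well-known groups.
# S-1-5-18 (NT AUTHORITY\SYSTEM) is NOT in that list.
$expected = @(
    "$Domain\$ClientHost`$",
    "$Domain\Domain Computers",
    'NT AUTHORITY\Authenticated Users',
    'Everyone'
)

$acl = Get-Acl -Path $Path
Write-Host "DACL on $Path (MATCH = applies to remote SYSTEM from $ClientHost):"
foreach ($ace in $acl.Access) {
    $id    = $ace.IdentityReference.Value
    $match = if ($expected -contains $id) { 'MATCH' } else { '     ' }
    '{0} {1,-45} {2,-5} {3}' -f $match, $id, $ace.AccessControlType, $ace.FileSystemRights
}

# Explain the trap in the question: an ACE for the local SYSTEM account is inert for remote callers.
$systemAce = $acl.Access | Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' }
if ($systemAce) {
    Write-Warning 'ACE for NT AUTHORITY\SYSTEM found; it only covers processes on the file server itself.'
}

$allowed = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and ($expected -contains $_.IdentityReference.Value)
}
if (-not $allowed) {
    Write-Warning "No Allow ACE matches $Domain\$ClientHost`$ or its groups; a SYSTEM process on $ClientHost will get Access is denied."
}
```

Granting Read to the specific computer account (or a group containing it) is the least-privilege fix this check points to; it confines access to the machines that run the startup script rather than reopening the folder to Everyone.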