How do I grant NT AUTHORITY\SYSTEM File Permissions

Posted on 2008-11-20
Last Modified: 2013-12-04
I have a script that runs at system startup via group policy.  It runs under the NT AUTHORITY\SYSTEM user account.  This script needs to access some files on a network share.  It can successfully access shares where Everyone has been granted access, but if I have a share to a folder where only NT AUTHORITY\SYSTEM has been given access, I get an access denied message.

To duplicate this behavior, create a share on SystemA (Windows 2003), set the share permissions to Everyone:F, and set the folder permissions to Everyone:R.

On SystemB (Windows XP SP3) start a process as NT AUTHORITY\SYSTEM, i.e. AT [SomeTimeSoon] /INTERACTIVE %windir%\system32\cmd.exe

Under the newly created process confirm your access token (AT) via whoami /all:
[User]     = "NT AUTHORITY\SYSTEM"  S-1-5-18

[Group  1] = "BUILTIN\Administrators"  S-1-5-32-544
[Group  2] = "Everyone"  S-1-1-0
[Group  3] = "NT AUTHORITY\Authenticated Users"  S-1-5-11

Try to access the share on SystemA:
DIR \\SystemA\Share
Successful listing.

Change the folder permissions on the share by removing Everyone:R and adding SYSTEM:R.
Confirm the permissions change using FileACL:

Try to access the share from SystemB:
DIR \\SystemA\Share
Access is denied.

Why is NT Authority\SYSTEM denied access when there is an ACE that allows access?
Question by: jasonclamb

    Accepted Solution

    Because the System account itself doesn't have any network credentials. When a process started by the system account tries to connect to a network resource, it will try to authenticate with the computer account. Give permissions to the computer account of SystemB (or add the computer account to a group with permissions), and it should work.

    Author Closing Comment

    Excellent, I spent hours looking at this... I added Domain Computers to the ACL for the share.  Now I have to figure out what perms are necessary if the folder that the PCs need access to is several levels deep.
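    Putting the accepted solution into practice, together with the follow-up about a folder several levels deep, as an added example that is not code from the thread. A process running as NT AUTHORITY\SYSTEM on a domain-joined machine authenticates to other hosts as that machine's account, which Active Directory names DOMAIN\HOSTNAME$ (trailing dollar sign); SYSTEM (S-1-5-18) in an ACL on SystemA means SystemA's own local system, never SystemB's. The script below grants that machine account (or, with a switch, Domain Computers) read access on the folder the startup script actually needs. It is run elevated on the file server and assumes hypothetical names: a domain CONTOSO, a share root D:\Shares\Startup behind \\SystemA\Share, a target folder D:\Shares\Startup\Dept\Scripts, and a client named SystemB.

```powershell
<#
  Added example, not code from the thread. Run in an elevated PowerShell
  session on the file server (SystemA). All names below are assumptions:
    CONTOSO                         the AD domain both machines belong to
    D:\Shares\Startup               the folder shared as \\SystemA\Share
    D:\Shares\Startup\Dept\Scripts  the nested folder the startup script reads
    SystemB                         the client whose startup script runs as SYSTEM
#>
param(
    [string]$Domain     = 'CONTOSO',
    [string]$ShareRoot  = 'D:\Shares\Startup',
    [string]$Target     = 'D:\Shares\Startup\Dept\Scripts',
    [string]$ClientHost = 'SystemB',
    [switch]$AllDomainComputers,   # grant to CONTOSO\Domain Computers instead of one machine
    [switch]$NoBypassTraverse      # set if policy removed "Bypass traverse checking" from Everyone
)

Set-StrictMode -Version 2
$ErrorActionPreference = 'Stop'

# The principal SystemA sees when SystemB's SYSTEM process connects over SMB:
# the machine account CONTOSO\SystemB$, or the whole Domain Computers group.
$principal = if ($AllDomainComputers) { "$Domain\Domain Computers" } else { "$Domain\$ClientHost" + '$' }

function Grant-FolderAccess {
    param(
        [string]$Path,
        [string]$Identity,
        [switch]$TraverseOnly   # ancestors only need "Traverse folder", not Read
    )
    if ($TraverseOnly) {
        $rights  = [System.Security.AccessControl.FileSystemRights]::Traverse
        $inherit = [System.Security.AccessControl.InheritanceFlags]::None
    } else {
        # ReadAndExecute is what icacls calls "RX"; (OI)(CI) makes files and
        # subfolders under the target inherit the ACE.
        $rights  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
        $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Least privilege: read access on the nested folder the script needs, not on the share root.
Grant-FolderAccess -Path $Target -Identity $principal

# The folders between the share root and the target need no ACE for the machine
# account as long as the caller holds "Bypass traverse checking"
# (SeChangeNotifyPrivilege), which Windows grants to Everyone by default.
# If that user right has been tightened, give each ancestor (share root included)
# a non-inherited Traverse ACE so the path can be walked.
if ($NoBypassTraverse) {
    $dir = Split-Path -Path $Target -Parent
    while ($dir -and ($dir.TrimEnd('\') -ne $ShareRoot.TrimEnd('\'))) {
        Grant-FolderAccess -Path $dir -Identity $principal -TraverseOnly
        $dir = Split-Path -Path $dir -Parent
    }
    Grant-FolderAccess -Path $ShareRoot -Identity $principal -TraverseOnly
}

# Share-level permissions (Everyone:F in the question) are left alone. Share and
# NTFS permissions are both evaluated and the more restrictive result applies.

# Show the ACEs now held by the machine account on the target so the change can be checked.
(Get-Acl -Path $Target).Access |
    Where-Object { $_.IdentityReference.Value -eq $principal } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType -AutoSize

# To confirm from the client side, repeat the question's test on SystemB from a
# SYSTEM shell (AT ... /INTERACTIVE cmd.exe, or psexec -s cmd.exe) and run
#   DIR \\SystemA\Share\Dept\Scripts
```

    Granting Domain Computers, as the asker did, lets every domain-joined machine read the folder; a security group containing only the computers that run the startup script, or the individual CONTOSO\SystemB$ account, is the tighter choice. In a workgroup there is no machine account, so a SYSTEM process falls back to an anonymous connection and this approach does not apply.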
