I have a script that runs at system startup via group policy. It runs under the NT AUTHORITY\SYSTEM user account. This script needs to access some files on a network share. It can successfully access shares where Everyone has been granted access, but if I have a share to a folder where only NT AUTHORITY\SYSTEM has been given access, I get an access denied message.
To duplicate this behavior, create a share on SystemA (Windows 2003), set the share permissions to Everyone:F, and set the folder permissions to Everyone:R.
On SystemB (Windows XP SP3) start a process as NT AUTHORITY\SYSTEM, i.e. AT [SomeTimeSoon] /INTERACTIVE %windir%\system32\cmd.exe
Under the newly created process confirm your access token (AT) via whoami /all:
[User] = "NT AUTHORITY\SYSTEM" S-1-5-18
[Group 1] = "BUILTIN\Administrators" S-1-5-32-544
[Group 2] = "Everyone" S-1-1-0
[Group 3] = "NT AUTHORITY\Authenticated Users" S-1-5-11
Try to access the share on SystemA:
Change the folder permissions on the share by removing Everyone:R and adding SYSTEM:R.
Confirm the permissions change using FileACL:
Try to access the share from SystemB:
Access is denied.
Why is NT AUTHORITY\SYSTEM denied access when there is an ACE that allows access?
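The following reproduction and diagnosis script is an added example (editor's code, not part of the question above). It automates the steps in the question and adds the check a practitioner would want: looking, on the file server, at which account actually authenticated. When a process running as SYSTEM on a domain-joined client opens an SMB share, it authenticates to the server with the client's computer account (DOMAIN\CLIENT$), and in a workgroup it arrives as an anonymous null session; the server's own NT AUTHORITY\SYSTEM (S-1-5-18) ACE never matches a remote caller. All names are hypothetical: server SYSTEMA, client SYSTEMB, domain CONTOSO, share "systemonly" backed by D:\systemonly. The script assumes PowerShell with `net share /GRANT` (Vista/2008 or later); on Windows 2003 set the share permission through the Sharing tab instead.

```powershell
# Added example, not from the original post. Hypothetical names: SYSTEMA (server),
# SYSTEMB (client), domain CONTOSO, share "systemonly" at D:\systemonly.

# ===== Part 1: run on SYSTEMA (file server) as an administrator =====
$folder = 'D:\systemonly'
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Share permission Everyone:F, as in the question (net share /GRANT needs Vista/2008+).
net share systemonly=$folder /GRANT:Everyone,FULL

# Break NTFS inheritance and drop inherited ACEs, then persist and re-read the DACL.
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $false)
Set-Acl -Path $folder -AclObject $acl
$acl = Get-Acl -Path $folder

# Remove every remaining explicit ACE so only the entry we add below is left.
foreach ($existing in $acl.Access) { [void]$acl.RemoveAccessRule($existing) }

# Add SYSTEM:R (ReadAndExecute, inherited by subfolders and files). S-1-5-18 is the
# *local* SYSTEM of the machine evaluating the ACL, i.e. SYSTEMA's own SYSTEM account.
$systemSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')
$systemRule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $systemSid, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($systemRule)
Set-Acl -Path $folder -AclObject $acl

# Confirm the resulting DACL (equivalent of the FileACL check in the question).
(Get-Acl -Path $folder).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited, AccessControlType -AutoSize

# ===== Part 2: run on SYSTEMB inside the SYSTEM process (AT ... /INTERACTIVE cmd.exe,
# or psexec -s -i powershell.exe), mirroring the client-side steps of the question =====
# whoami /all                       # shows NT AUTHORITY\SYSTEM, S-1-5-18 locally
# Get-ChildItem '\\SYSTEMA\systemonly'   # expected: Access is denied

# ===== Part 3: back on SYSTEMA, see who the server thinks connected =====
# The "User name" column shows the authenticated SMB identity for the SYSTEMB session:
# the client's computer account (CONTOSO\SYSTEMB$) on a domain, or an anonymous
# session in a workgroup. It is never SYSTEMA's NT AUTHORITY\SYSTEM.
net session

# Same information from the Security log: network logon events (540 on Windows 2003,
# 4624 on Vista/2008 and later) whose message names SYSTEMB$ as the account.
Get-EventLog -LogName Security -Newest 200 |
    Where-Object { $_.Message -match 'SYSTEMB\$' } |
    Select-Object TimeGenerated, EventID, @{ n='Account'; e={ ($_.Message -split "`n")[0] } }

# ===== Part 4: the ACE that actually matches a SYSTEM process on a domain client =====
# Grant the client's computer account instead of (or in addition to) local SYSTEM.
$clientAccount = New-Object System.Security.Principal.NTAccount('CONTOSO', 'SYSTEMB$')
$clientRule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $clientAccount, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl = Get-Acl -Path $folder
$acl.AddAccessRule($clientRule)
Set-Acl -Path $folder -AclObject $acl

# Re-run Part 2 on SYSTEMB: the directory listing now succeeds, while the SYSTEM:R
# entry alone still only authorises processes running as SYSTEM on SYSTEMA itself.
```

If the Part 3 `net session` output shows a blank user name rather than CONTOSO\SYSTEMB$, the client is not domain-joined (or is hitting a different server name than the one the Kerberos SPN covers) and is falling back to a null session; in that case no ACL entry short of Everyone or ANONYMOUS LOGON will satisfy the share.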