
What is a "System" user permissions in a Windows folder?

Last Modified: 2020-10-15
I copied a shared folder to another folder in Windows Server 2016 & I noticed that the permissions have a "System" entry in them with "Full" permissions under the Security tab?

Should we keep it that way? Or is it recommended to be accessed that way? What is the recommended way then? By groups?

Please advise, thanks.

CERTIFIED EXPERT

Commented:
system is a special passwordless account that runs many windows services and possesses high privileges, often higher than the local admin.

there is no reason why system would access most shares. if you share regular docs, trash that
Hello There (System Administrator)
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
There is no reason to remove the SYSTEM account. Usually, you leave the SYSTEM account as it is, add security groups, and assign permissions to them.

The fact is that Windows services run under the SYSTEM account (for instance indexing/searching) so if you remove it, these services will lose access to objects and won't work as usual.

Microsoft says: "The SYSTEM account's permissions can be removed from a file, but we do not recommend removing them."
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts

CERTIFIED EXPERT

Commented:
obviously do not remove the account. you cannot anyway. i meant remove the useless permissions.
Gibo (Systems Engineer)

Author

Commented:
So with "System" account user w/ full permissions, who are allowed to have full permissions on that shared folder then?

There are no groups other than domain & local group admins who have full permission to the shared folder.


CERTIFIED EXPERT

Commented:
so domain admins, and a bunch of already running services, and whatever malware will manage to run as system. this basically turns the next CVE which would allow to trash the system into something that might as well do worse such as encrypt your files. removing that priv does not make you immune but that is one less entrypoint.

CERTIFIED EXPERT

Commented:
as an example, the ntp process that keeps the system time in sync would be allowed to access your files. if a worm gets in there, bingo
Gibo (Systems Engineer)

Author

Commented:
noted, so if the "System" account should stay there, what would be its safest permissions? I've asked the user which users or groups should have full permissions only to that shared drive.

I'm wondering too why some domain users are able to access that shared folder using the "System" account permissions?
CERTIFIED EXPERT

Commented:
nobody should ever logon as system so the answer is no one.

system is not a regular account. it is only used to run some builtin services and there is no reason why it would be allowed to access anything outside the system directories.

that said, administrators have the privilege to run processes as system which allows them to start and stop services. i see no other reason why any admin would ever need to run anything as system except for weird debug cases or mingling with the sam account's database.
Hello There (System Administrator)
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
"noted, so if the 'System' account should stay there, what would be its safest permissions? I've asked the user which users or groups should have full permissions only to that shared drive."
SYSTEM - don't change anything
Administrators - same as above, they both should have Full Control
Domain Users - we usually remove this group and replace it with a security group containing specific users
CustomSecGroup - contains specific users, you usually set permission per their needs (Read, Modify, etc...). You usually don't give them Full Control.

Also, it's a good practice to add security groups, not users alone.
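As an added example (not part of the thread, and not code from Microsoft or from any poster), the NTFS layout described in this answer can be applied and then verified with PowerShell on Windows Server 2016. The folder path, the CONTOSO domain and the ProjectData-Modify group name are placeholders you would replace with your own.

```powershell
# Added example, not from the thread. Placeholders (assumptions): the folder path,
# the CONTOSO domain and the ProjectData-Modify security group.
$FolderPath  = 'D:\Shares\ProjectData'
$DomainUsers = 'CONTOSO\Domain Users'
$CustomGroup = 'CONTOSO\ProjectData-Modify'

$acl = Get-Acl -Path $FolderPath

# 1. Remove the explicit "Domain Users" ACEs. Inherited ACEs cannot be purged here;
#    if Domain Users arrives through inheritance, fix it on the parent folder instead.
$acl.PurgeAccessRules([System.Security.Principal.NTAccount]$DomainUsers)

# ACEs should flow down to subfolders (ContainerInherit) and files (ObjectInherit).
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

# 2. SYSTEM and Administrators stay at Full Control, exactly as the answer says.
foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $principal, [System.Security.AccessControl.FileSystemRights]::FullControl,
        $inherit, $propagate, $allow)
    $acl.AddAccessRule($rule)
}

# 3. The custom group gets Modify: read, write, create and delete, but not the
#    ChangePermissions / TakeOwnership bits that Full Control would include.
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $CustomGroup, [System.Security.AccessControl.FileSystemRights]::Modify,
    $inherit, $propagate, $allow)
$acl.AddAccessRule($rule)

Set-Acl -Path $FolderPath -AclObject $acl

# 4. Verify the explicit (non-inherited) ACEs. A single user rather than a group, or a
#    broad principal such as Everyone or Domain Users, is worth a second look here.
(Get-Acl -Path $FolderPath).Access |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, InheritanceFlags -AutoSize
```

Run it from an elevated prompt as an account that already has Full Control on the folder; Set-Acl writes the whole DACL back, so review the listing in step 4 before applying the same script to other folders.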


Gibo (Systems Engineer)

Author

Commented:
I'm wondering too why some domain users are able to access that shared folder using the "System" account permissions?
Hello There (System Administrator)
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Can you share an example? I cannot imagine how this would be possible.

Don't you mean CREATOR OWNER?


Gibo (Systems Engineer)

Author

Commented:
No, "System" account & local & domain administrators only have full permissions in the shared folder.
Gibo (Systems Engineer)

Author

Commented:
& when I added the new security groups, the users in the group are still unable to have full access to the shared folder, does it take some time even after a reboot of their PCs?
Hello There (System Administrator)
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
"No, 'System' account & local & domain administrators only have full permissions in the shared folder."
This seems ok and normal.

"why some domain users are able to access that shared folder using the 'System' account permissions?"
The System account is a special account for Windows services. It's not related to domain users.
Gibo (Systems Engineer)

Author

Commented:
"& when I added the new security groups, the users in the group are still unable to have full access to the shared folder, does it take some time even after a reboot of their PCs?"
Hello There (System Administrator)
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
"when I added the new security groups, the users in the group are still unable to have full access to the shared folder, does it take some time even after a reboot of their PCs?"
If users are already a member of a security group, you simply add the security group to the list and users should have an access. Immediately.

If you have issues with this, check Effective Access on the folder. Open the Permissions tab, Advanced, Effective Access tab, then select the user and click View Effective Access to see where the problem is.
Gibo (Systems Engineer)

Author

Commented:
The groups that I added have all "X"s when I view their effective access? Why? How do we fix it?

However the users in the group have read/write permissions as limited by the share permissions.

Inheritance was disabled too.
CERTIFIED EXPERT

Commented:
regarding system, again those permissions are useless at best. all domain and local accounts are all unrelated to "system".

if the share is on a nas, chances are it does not run windows so permissions are often improperly mapped, especially if admins ran chowns and chmods directly on the nas.

whether you are using a windows share or a posix like system, your best bet is probably to restore inheritance and reset adequate permissions recursively if possible.

Hello There (System Administrator)
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
"The groups that I added have all 'X's when I view their effective access? Why? How do we fix it?"
Don't check effective access for groups. You have to select a user instead.
Gibo (Systems Engineer)

Author

Commented:
Yes HT, the groups do not have any permissions but the users in that group have, limited only by the shared permissions w/c are read/write versus NTFS' full permissions & those should be okay. Thanks.
Hello There (System Administrator)
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
If you are limited by share permissions, set Everyone - Full Control.
Gibo (Systems Engineer)

Author

Commented:
I can't since that folder needs to be accessed only by a small number of users, which I added to a newly created security group limited only by not having the right to change permissions & delete folders or sub folders.
Hello There (System Administrator)
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
It's ok. If you set share permissions Everyone - Full Control, other users will see this folder but won't get into it unless you add them to the security group. I usually suggest this scenario to make it simple.
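The share layer this answer describes, as an added example (not the thread's own commands, and not from any poster): open the share to Everyone with Full Control so that only the NTFS ACL decides who gets in, then confirm that the NTFS side does not itself contain a broad principal, which is the one situation in which this setup would expose the folder. The share name is an assumption.

```powershell
# Added example, not from the thread. $ShareName is an assumption; the path is read from it.
$ShareName  = 'ProjectData'
$FolderPath = (Get-SmbShare -Name $ShareName).Path

# Replace whatever the share layer currently says (simple sharing leaves Everyone:Read)
# with a single Everyone:Full ACE. Revoke first so no stale ACE for Everyone remains.
Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue
Grant-SmbShareAccess  -Name $ShareName -AccountName 'Everyone' -AccessRight Full -Force

Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize

# This is only safe while the NTFS ACL is the real gate. Flag any NTFS Allow ACE for a
# broad principal; with the share wide open, such an ACE would admit every domain user.
$broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
$wideOpen = (Get-Acl -Path $FolderPath).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   ($broad -contains $_.IdentityReference.Value -or
                    $_.IdentityReference.Value -like '*\Domain Users') }
if ($wideOpen) {
    Write-Warning "NTFS ACL on $FolderPath still grants broad principals:"
    $wideOpen | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
} else {
    "NTFS ACL on $FolderPath has no broad Allow ACEs; access is gated by the security group."
}
```

If the warning fires, tighten the NTFS ACL (or the parent it inherits from) before leaving the share at Everyone - Full Control.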
Gibo (Systems Engineer)

Author

Commented:
Noted HT, if the users will make another request to have 100% full control then I'll add "Everyone" in the share permissions. Let's see if the read/write will suffice their needs or not.

Thanks.
Hello There (System Administrator)
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Otherwise, add a security group to the share permissions and give it Full Control.
Gibo (Systems Engineer)

Author

Commented:
Unfortunately the share permissions only allow a read only or read/write, there's no full control.

Unless you change the owner to a specific user.
Hello There (System Administrator)
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Use Advanced Sharing.

Hello There (System Administrator)
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Still, I prefer giving Everyone - Full Control. It's more simple and it does the job.
Gibo (Systems Engineer)

Author

Commented:
If I go this route, will it delete the original share name & its permissions? Or still keep them?
Hello There (System Administrator)
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
The folder will be still shared. Nothing will change about it.
Gibo (Systems Engineer)

Author

Commented:
So what happens though with the original share name? Will it get overwritten with the new share name & its share permissions?
Hello There (System Administrator)
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
The share name will stay the same. If you use Everyone - Full Control, share permissions won't be affected.
Gibo (Systems Engineer)

Author

Commented:
Noted, probably I'll retain the share name to make it consistent & the share permissions will change, i.e. adding "Everyone" w/ full control.
Hello There (System Administrator)
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Ok, it will work.
Gibo (Systems Engineer)

Author

Commented:
Noted w/ thanks
Gibo (Systems Engineer)

Author

Commented:
Noted, the shared folder is currently still w/ read/write share & NTFS permissions only.
Gibo (Systems Engineer)

Author

Commented:
What should be the share & NTFS permissions to allow a user to modify or change the folder's name?

Read/Write share permissions does not seem to work?
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Overlooking this thread just by length, it's pretty obvious that you need to do simple tests to understand the basics before you go productive.

You activate sharing on a folder - default is: Everyone: Read. No matter what NTFS permissions are set, everyone can read but not write things in that folder and subfolders.
If share permissions are set to Everyone: Modify, then the maximum someone can do in folders and subfolders is modify (read, write), but not change permissions. What effective permissions you get depends on what NTFS permissions are set on files and folders. If those are also Modify, users may modify; if those are Read, users may read.

it's as simple as that, so please test this slowly and repeatedly.
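An added example, not from the thread and not from any poster, that scripts the rule stated in this answer and the Effective Access check suggested earlier in the thread: it reads the share ACEs with Get-SmbShareAccess and the NTFS ACEs with Get-Acl, builds an allow mask for a set of principals on each layer, and ANDs the two, so the result is the more restrictive of the share and NTFS layers. The share name and folder path are assumptions, and the principal list is taken from the current logon token, so run it as the user being checked (or pass a list you obtained from AD). It is deliberately a simplification of what the Effective Access tab computes: Deny is applied as "deny wins" rather than by canonical ACE order, and ACEs expressed as generic rights (large numeric FileSystemRights values) are not translated.

```powershell
# Added example, not from the thread. Assumptions: share name, folder path, and that the
# principal list (user plus group names) is built from the current logon token.

function Get-CurrentPrincipals {
    # The user name plus every group in the current token, as DOMAIN\Name strings.
    $id    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $names = @($id.Name)
    foreach ($sid in $id.Groups) {
        try { $names += $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    }
    return $names
}

function Get-ShareMask {
    param([string]$ShareName, [string[]]$Principals)
    # Share rights mapped onto NTFS bit masks so the two layers can be AND-ed:
    # Read -> ReadAndExecute, Change -> Modify, Full -> FullControl.
    $map = @{ Read = 0x200A9; Change = 0x301BF; Full = 0x1F01FF }
    $allow = 0; $deny = 0
    foreach ($ace in Get-SmbShareAccess -Name $ShareName) {
        if ($Principals -notcontains $ace.AccountName) { continue }
        $bits = $map[[string]$ace.AccessRight]
        if ($null -eq $bits) { continue }          # 'Custom' share ACEs are not mapped here
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor $bits } else { $deny = $deny -bor $bits }
    }
    return $allow -band (-bnot $deny)
}

function Get-NtfsMask {
    param([string]$Path, [string[]]$Principals)
    $allow = 0; $deny = 0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
        $bits = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor $bits } else { $deny = $deny -bor $bits }
    }
    # Simplification: "deny beats allow" instead of real canonical ACE ordering.
    return $allow -band (-bnot $deny)
}

function Get-EffectiveShareAccess {
    param([string]$ShareName, [string]$Path, [string[]]$Principals = (Get-CurrentPrincipals))
    $share = Get-ShareMask -ShareName $ShareName -Principals $Principals
    $ntfs  = Get-NtfsMask  -Path $Path -Principals $Principals
    $eff   = $share -band $ntfs                    # the more restrictive of the two layers
    [pscustomobject]@{
        ShareLayer           = [System.Security.AccessControl.FileSystemRights]$share
        NtfsLayer            = [System.Security.AccessControl.FileSystemRights]$ntfs
        Effective            = [System.Security.AccessControl.FileSystemRights]$eff
        CanRead              = ($eff -band 0x200A9) -eq 0x200A9   # all ReadAndExecute bits
        CanModify            = ($eff -band 0x301BF) -eq 0x301BF   # all Modify bits
        CanChangePermissions = ($eff -band 0x40000) -ne 0         # WRITE_DAC bit
    }
}

# Constructed usage: run as the user whose access is in question.
Get-EffectiveShareAccess -ShareName 'ProjectData' -Path 'D:\Shares\ProjectData'
```

Reading the output against the answer above: a share layer of Read caps Effective at ReadAndExecute no matter how generous NtfsLayer is, and CanChangePermissions only becomes true when both layers carry Full Control. For the later question about renaming, note that a rename needs Delete on the item itself plus the create bits on its parent folder, so run the function against both paths.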
CERTIFIED EXPERT

Commented:
ntfs has a rename privilege.

one issue is you do not use inheritance, so the user might not be able to rename newly created folders, including by himself.

another issue is if the share is non windows, unix perms would allow to rename files based on privileges on the parent directory so you might hit a bug in permissions translations.


given what i understand of your needs, it might be simpler to create a folder for each group manually and give them full privileges there, recursively

