Windows – Computer account (SYSTEM) across the network

accountsshareswindows

I have an interesting problem… I need the local SYSTEM account on one server to access a specific network share on another server. Due to other reasons I can't use a regular domain account for the time being.

Using "psexec -s" I have played around with connecting to network shares under the local SYSTEM account with "net use". Since I am in a domain, I can simply add the DOMAIN\COMPUTER$ account to the share and NTFS permissions.

That seems to work fine everywhere except for one server. If I add "Everyone" to the share and NTFS, then that one server can connect. I noticed in the NTFS permissions (Security tab) that all the other servers I add have a computer icon on the left. This one server has a user icon. When adding the account I specifically said to only search for computers in the domain. And if I don't select computers, it never finds the account.

Basically, it seems the server account in the domain is different/corrupt in some way. Has anyone come across this? I would try re-adding the server, but it's critical and needs to be up as much as possible. I'm hoping there is a solution within Active Directory or something…

Best Answer

As a general rule you are better off using the "Authenticated Users" group instead of the "Everyone" group. Functionally, they are nearly identical in most practical ways and slightly more secure.

Related Solutions

Windows – Useful Command-line Commands on Windows

A little known one is

getmac

It shows the MAC address(es) of your network adapter(s).

Screenshot of running getmac from a Windows commandline window.

Windows – Network Service account accessing a folder share

The "Share Permissions" can be "Everyone / Full Control"-- only the NTFS permissions really matter. (Cue religious arguments from people who have an unhealthy attachment to "Share Permissions" here...)

In the NTFS permissions on the folder on ServerB you could get by with either "DOMAIN\ServerA - Modify" or "DOMAIN\ServerA - Write", depending on whether it needed to be able to modify existing files or not. (Modify is really the preferred because your application may re-open a file after it creates it to write further-- Modify gives it that right, but Write does not.)

Only the "SYSTEM" and "Network Service" contexts on ServerA will have access, assuming you name "DOMAIN\ServerA" in the permission. Local user accounts on the ServerA computer are different from the "DOMAIN\ServerA" context (and would have to be named individually if you somehow did want to grant them access).

As an aside: Server computer roles change. You may want to create a group in the AD for this role, put ServerA into that group, and grant the group rights. If you ever change ServerA's role and replace it with, say, ServerC, you need only change the group memberships and you never need to touch the folder permission again. A lot of admins think about this kind of thing for users being named in permissions, but they forget that "computers are people too" and their roles sometimes change. Minimizing your work in the future (and your ability to make mistakes) is what being efficient in this game is all about...

Related Topic