Windows – Why can’t I assign rights to Network Service account via groups

Tags: groups, network-share, security, windows

Windows box (2k3). I have a website that needs to access files over a network share on the local machine. Please don't concentrate on this fact. It's a long story I won't go into now.

The worker process is running under localmachine\NETWORK SERVICE. This was added to a group (let's call it the HURFDURFGROUP) which was granted access both to the disk and to the network share.

In other words, if I was a member of HURFDURFGROUP I could log onto the share and open files contained there.

However, even though NETWORK SERVICE was a member of this group, NETWORK SERVICE was not able to access the network share. Attempts to read files would result in a FileNotFound and attempts to alter security of files on the share resulted in an UnauthorizedAccess.

The odd thing is, once I specifically set NETWORK SERVICE's permissions on the disk and the share everything worked.

This leads me to believe you cannot use Groups to assign or deny rights to NETWORK SERVICE.

Is this correct? Could somebody explain this?

Best Answer

I was trying to find what I remember to be an MS blog post about the "network service" account; however, I was unable to locate it in a quick search through my bookmarks. At any rate, what I recall from it is that indeed this account is considered a special user account that, while having additional security authorizations not normally assigned to a basic user account, is also strapped with other limitations. If I recall, the account's ability to connect to network resources is one of those limitations.

That being said though, I can also tell you that I have been in a similar sounding situation and there are ways to make things work. I can tell you that in instances where I have web services that need to access network resources as a part of their functions, as the app pool identity we specify a domain-based account which would be a member of your HURFDURFGROUP group for its share access. Then, to make it a functional service account for the IIS app pools, you make sure it's a member of the local IIS_WPG group as well as running "aspnet_regiis" with the -ga domain\username from the version of the ASP.NET framework you are using. This essentially will grant that account all of the permissions necessary for it to function as the app pool identity for that local system.

Not exactly a direct answer to your question, but perhaps will be helpful anyway.
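The procedure the answer describes (a domain account as the pool identity, local IIS_WPG membership, aspnet_regiis -ga), worked through as an added example for IIS 6 on Windows Server 2003; this is not the answerer's script, and the domain, account name, pool name and framework path are assumed placeholders. The adsutil.vbs and iisapp.vbs steps that actually assign and recycle the pool identity are my addition, not something the answer spells out.

```batch
@echo off
REM Added example, not from the answer above. Runs an IIS 6 app pool as a
REM domain account that is a member of the share group, in place of
REM NETWORK SERVICE. All names below are assumed placeholders.
REM Usage: setpoolidentity.cmd <password>   (password passed at run time,
REM not stored in the script)
setlocal
set SVC_ACCOUNT=DOMAIN\svc_web
set SVC_PASSWORD=%1
set POOL=HurfDurfAppPool
set FX=%windir%\Microsoft.NET\Framework\v2.0.50727
set ADSUTIL=cscript //nologo %systemdrive%\inetpub\adminscripts\adsutil.vbs

REM 1. Local IIS worker-process group. Membership in HURFDURFGROUP for the
REM    share is granted in the domain, not here.
net localgroup IIS_WPG %SVC_ACCOUNT% /add

REM 2. Grant the ASP.NET temp/config permissions the worker process needs,
REM    from the framework version the site runs on.
"%FX%\aspnet_regiis.exe" -ga %SVC_ACCOUNT%

REM 3. Point the app pool at that identity (AppPoolIdentityType 3 = a
REM    configurable user rather than NETWORK SERVICE).
%ADSUTIL% SET W3SVC/AppPools/%POOL%/AppPoolIdentityType 3
%ADSUTIL% SET W3SVC/AppPools/%POOL%/WAMUserName %SVC_ACCOUNT%
%ADSUTIL% SET W3SVC/AppPools/%POOL%/WAMUserPass %SVC_PASSWORD%

REM 4. Recycle so w3wp.exe starts with a token built for the new account
REM    (group membership is evaluated when the token is created), then check.
cscript //nologo %windir%\system32\iisapp.vbs /a %POOL% /r
net localgroup IIS_WPG | findstr /i "svc_web"
%ADSUTIL% GET W3SVC/AppPools/%POOL%/WAMUserName
endlocal
```

After the recycle, a read of a file on the share from the site is the end-to-end check; if it still fails, confirm the domain account (not just the group) shows in the share and NTFS permissions.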