access network share via service using a non LocalSystem Account

  • Thread starter Florian Rosenauer

Florian Rosenauer

Hi,

I cannot access network shares (mapped to drive letters) from a
service.
The Service (srvany with Cruise Control) is configured to run as a
local user account, not LocalSystem.

When I log in as the same local user and execute the batch file
everything works.
When I run it using the MS Taskplanner Service as a task configured to
run as the local user account everything works.

I do not understand why executing a process using the context of a
local user behaves differently based on how it is called.
The only difference is that mstask.exe creates a visible window
whereas srvany does not?

Does anyone have an idea?

Thanks
Florian
 
Pegasus (MVP)

You write:
When I log in as the same local user and execute the batch file
everything works.
When I run it using the MS Taskplanner Service as a task configured to
run as the local user account everything works.
Isn't there a "not" missing somewhere in the second statement?

If so then I suggest you post the batch file you use.
 
Florian Rosenauer

You write:
When I log in as the same local user and execute the batch file

Isn't there a "not" missing somewhere in the second statement?

If so then I suggest you post the batch file you use

My Batch File (anonymized)
net use
net use F: /delete
net use F: \\server\share password /user:domain\domainuser
dir F:

there is no "NOT" missing.
when running as local logged in user it works
when running via Task-Planner Service as local user it works
when running via srvany (from cruise control) as local user it does
not work

the taskplanner service runs as LocalSystem and starts my batch file
using the security context of the local user
the srvany runs as local user and therefore any sub-process runs as
local user (I already checked that using sysinternals process
explorer)

the output of "net use" is interesting: as local user and via task-
planner it shows the permanent connected drives, running it via
cruisecontrol it says there are no entries in the list :(
but the "net use F: \\server\share password /user:domain\domainuser"
tells me that the local drive letter is already used (error 85)

it's confusing
 
Pegasus (MVP)

This is easy to deconfuse. Run this modified batch file, then
have a look at c:\test.log.
@echo off
echo %date% %time% %UserName% > c:\test.log
net use 1>> c:\test.log 2>>&1
net use F: /delete 1>> c:\test.log 2>>&1
net use F: \\server\share password /user:domain\domainuser 1>> c:\test.log 2>>&1
dir F: 1>> c:\test.log 2>>&1
echo. 1>> c:\test.log

There is one thing you must realise: Making drives mapped in
a foreground session available to a background session would
be a security violation. Hence drive F: might be mapped in
the foreground and thus not accessible, deletable or reassignable
to your background session. The problem is easily overcome
by using UNC coding for all background processes.
 
Florian Rosenauer

There is one thing you must realise: Making drives mapped in
a foreground session available to a background session would
be a security violation. Hence drive F: might be mapped in
the foreground and thus not accessible, deletable or reassignable
to your background session. The problem is easily overcome
by using UNC coding for all background processes

Thank you for deconfusing me ;-)
I was not aware of the fact that there are differences between a
foreground and a background session (although the drive letters are
shared in some curious way). I changed my build process to use UNC and
everything works fine now.

my access method looks like this now:
net use >> log.txt 2>&1
net use \\server\share /delete >> log.txt 2>&1
net use \\server\share password /user:domain\domainuser >> log.txt 2>&1
dir \\server\share >> log.txt 2>&1

Thank you very much!

Kind regards
Florian
 
Pegasus (MVP)

Thanks for the feedback. Remember to remove the diagnostic
stuff from your batch file - it serves no useful purpose now.
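
Added example, not part of any post in this thread: a batch file for the UNC approach the thread settles on, connecting to the share without a drive letter, checking the result of net use, and disconnecting afterwards. \\server\share and domain\domainuser are the thread's placeholders; SHARE_PASSWORD (an environment variable supplied to the service instead of a password written into the script) is an assumption.

```batch
@echo off
rem Added example: deviceless UNC connection for a service-launched build step.
rem \\server\share and domain\domainuser are the thread's placeholders.
rem SHARE_PASSWORD is a hypothetical environment variable (assumption).
setlocal

set "SHARE=\\server\share"
set "SHARE_USER=domain\domainuser"

rem Fail early if the credential was not provided to the service's environment.
if not defined SHARE_PASSWORD (
    echo SHARE_PASSWORD is not set 1>&2
    exit /b 2
)

rem Drop any stale connection held by this logon session; ignore "not found".
net use "%SHARE%" /delete /y >nul 2>&1

rem Connect without a drive letter, so nothing can collide with F: (error 85).
net use "%SHARE%" "%SHARE_PASSWORD%" /user:%SHARE_USER% /persistent:no >nul
if errorlevel 1 (
    echo net use failed for %SHARE% 1>&2
    exit /b 1
)

rem Work against the UNC path directly and remember the result.
dir "%SHARE%"
set "RC=%ERRORLEVEL%"

rem Always disconnect so the connection does not linger in the session.
net use "%SHARE%" /delete /y >nul 2>&1

exit /b %RC%
```

A password containing % or " needs extra escaping in batch and will break the net use line as written.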
 
