How does Local System Account bypass file permissions during a backup?

Tommy Gilchrist

Folks

I wonder could you shed some light on a problem we're having.

The nature of the problem is very odd in that I'm arguing with a
backup vendor who shall remain nameless over a feature that I need,
that any backup software should be able to do, that their software
seems to be capable of doing but (and this is the odd bit) they claim
their software CAN'T do!

The backup agent runs under the local system account and the vendor is
claiming that this means that all files must have "SYSTEM" granted
read access in order to guarantee a successful backup. Given that
there are about 100 file servers hosting millions of files in the
environment and multiple people have access to change permissions this
obviously can't be guaranteed.

However I can create files, give them very restricted permissions,
even remove all permissions and the backup program can back them up
successfully. I've tested this on Windows NT 4.0, 2000 and 2003.

What may help move the discussion forward is an understanding of how
the local system account accesses files. I understand that members of
the Backup Operators group and the Administrators group get the "Back
up files and folders" permission which will permit this. However the
SYSTEM account isn't a member of either group by default.

Is the SYSTEM account the same as the Local System Account services
run under? Does the Local System Account have these permissions
automatically or is this not relevant at all and am I barking up the
wrong tree?

thanks

tommy
 
The SYSTEM account has implicit access permissions to all local
files and folders (but not to networked resources). This is independent
of any NTFS permissions that you might set.
 
Thanks for this. I suspected it was something of this nature.

Do you know if this is documented anywhere, preferably on one of
Microsoft's sites?

tommy
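
An added example, not part of any post in this thread: the "Back up files and folders" right Tommy mentions is the SeBackupPrivilege token privilege, and this PowerShell sketch reports whether the token it runs under carries it and its restore counterpart. The function names and the sample rows are constructed for illustration; `whoami /priv /fo csv /nh` is the built-in command on Windows Server 2003 and later.

```powershell
# Added example: report whether the current token holds the backup/restore
# privileges. Assumption: it is run in the same context as the backup agent
# (Local System in the thread), e.g. from a task or service running as SYSTEM.

function ConvertFrom-WhoamiPriv {
    param([string[]]$CsvLines)
    # whoami /priv /fo csv /nh emits rows of: "Privilege Name","Description","State"
    $CsvLines | ConvertFrom-Csv -Header Name, Description, State
}

function Test-BackupPrivilege {
    param([object[]]$Privileges)
    foreach ($wanted in 'SeBackupPrivilege', 'SeRestorePrivilege') {
        $hit = $Privileges | Where-Object { $_.Name -eq $wanted } | Select-Object -First 1
        New-Object psobject -Property @{
            Privilege = $wanted
            InToken   = [bool]$hit
            # "Disabled" still means the privilege is held: the process has to
            # enable it and open files with backup intent before it takes effect.
            State     = if ($hit) { $hit.State } else { 'absent' }
        }
    }
}

# Constructed sample rows, so the parsing can be checked on any machine.
$sample = @(
    '"SeBackupPrivilege","Back up files and directories","Disabled"'
    '"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"'
)
'--- constructed sample ---'
Test-BackupPrivilege (ConvertFrom-WhoamiPriv $sample) |
    Format-Table Privilege, InToken, State -AutoSize

# Live check of the token this script is running under.
'--- current token ---'
$live = whoami /priv /fo csv /nh
Test-BackupPrivilege (ConvertFrom-WhoamiPriv $live) |
    Format-Table Privilege, InToken, State -AutoSize
```

Output from an interactive administrator session describes that session's token, not the service's, so run it in the agent's own context. The State text is localized on non-English systems; the privilege names are not.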
 
