Local System account and network resource access

[Guest]

Does anyone know whether the system account NT AUTHORITY/SYSTEM is able to
access network resource like ordinary authenticated user?

According to my research it appears it should be able. I have tried it but
it always give me an "Access denied" error message. I simply try to do a "dir
\\xxx.xx.xx.xx\shareName" command.

Everything works for me with what was described in the following link
(except I can't access network resource).
http://security.fnal.gov/cookbook/LocalSystem.html

 

[Pegasus \(MVP\)]

Does anyone know whether the system account NT AUTHORITY/SYSTEM is able to
access network resource like ordinary authenticated user?

According to my research it appears it should be able. I have tried it but
it always give me an "Access denied" error message. I simply try to do a
"dir
\\xxx.xx.xx.xx\shareName" command.

Everything works for me with what was described in the following link
(except I can't access network resource).
http://security.fnal.gov/cookbook/LocalSystem.html

No. The local System account cannot access any networked resources.
This is by design.

 

[jorgen]

Does anyone know whether the system account NT AUTHORITY/SYSTEM is able to
access network resource like ordinary authenticated user?

According to my research it appears it should be able. I have tried it but
it always give me an "Access denied" error message. I simply try to do a "dir
\\xxx.xx.xx.xx\shareName" command.

It is restricted to use a null session when connecting to a network. So
to get in, anonymous access must have been granted

 

[Guest]

<quote> The local System account cannot access any networked resources.
This is by design. </quote>

Is there are exceptions? When we define a share in machine1, I thought we
can if delete all users in the permission list but add a machine name
(domanName\machine2$) in the permission list, that would mean I allow this
share to be accessable by ANY users ( including a local system user ) as long
as the user sits on machine2.

 

[Pegasus \(MVP\)]

As I said, the System account has no access to shared resources.
If it had access then this would open a nice can of works, e.g.
issues with passwords and issues with accessing shares on
other computers for which you have no access privileges.

If you explain what you're actually trying to do then someone
may offer a solution that does not involve the System account.

 

[Guest]

No, we don't have any problem to do what we try to do via a scheduled task if
it is run under a normal user acccount.

Then someone suggests we should be able to do the same without a (Domain)
user account and he said he had seen some tasks running that access shared
resources without problem. I tried very hard for many hours but still
receiving the "access denied" message. That is why I ask here.

If there no ways we can specify a share that allows the scheduled task to
access network resource, our discussion (within IT team in our Company) is
over.

 

[Pegasus \(MVP\)]

If a domain account has access to a shared resource then
this domain account can be used either for console sessions
or for scheduled tasks. Test the account in the foreground
first, then use it under the Task Scheduler.

Note that accounts used by the Task Scheduler ***must***
have a non-blank password.

 

[Guest]

Sorry you must read my post wrongly when you place your last response, which
is not helpful at all. If we want to continue running a scheduled task under
a domain account, there wasn't any issues, no issues at all.

I want to ask if a scheduled task is running under the local system account
(NT AUTHORITY/SYSTEM), can it access network resource ? (such as
reading/writing a file in another computer). I know your previous answer was
negative. Do you know where is the MS reference article I can refer to, to
confirm this?

Initially I thought the access should present no problems. This is because
when we define the share permission of a folder, it is possible to select a
'computer' grant permission to that computer. This is entered with
"domainName\computerName$", after checking "computer" in object type. But I
find my test fails (it gives out 'access denied').

 

[Pegasus \(MVP\)]

See below.

Sorry you must read my post wrongly when you place your last response,
which
is not helpful at all. If we want to continue running a scheduled task
under
a domain account, there wasn't any issues, no issues at all.

*** Great.

I want to ask if a scheduled task is running under the local system
account
(NT AUTHORITY/SYSTEM), can it access network resource ? (such as
reading/writing a file in another computer). I know your previous answer
was
negative. Do you know where is the MS reference article I can refer to, to
confirm this?

*** No, I don't. I suggest you do some googling.

Initially I thought the access should present no problems. This is because
when we define the share permission of a folder, it is possible to select
a
'computer' grant permission to that computer. This is entered with
"domainName\computerName$", after checking "computer" in object type. But
I
find my test fails (it gives out 'access denied').

*** I'm not surprised. I can see these options for you:
a) Accept what experienced server/network administrators tell
you and use a domain account.
b) Spend the time and energy to get to the bottom of this issue
by drilling down into the MS Knowledge Base. This could be
a time-consuming exercise but it will give you a deep sense of
satisfaction when you find the authoritative answer you're
looking for. I bet that you will be directed back to Option a).

 

[Guest]

A plain answer like this is inspiring.

See below.



*** Great.


*** No, I don't. I suggest you do some googling.


*** I'm not surprised. I can see these options for you:
a) Accept what experienced server/network administrators tell
you and use a domain account.
b) Spend the time and energy to get to the bottom of this issue
by drilling down into the MS Knowledge Base. This could be
a time-consuming exercise but it will give you a deep sense of
satisfaction when you find the authoritative answer you're
looking for. I bet that you will be directed back to Option a).

 

[Pegasus \(MVP\)]

You might want to reflect about what you can expect in a
newsgroup from a total stranger who is willing to give some
of his time to help you. IMHO it is unreasonable to expect
a respondent to do your homework for you. Instead of your
sarcastic reply I would have expected something like "Thank
you for your help - I will now do my own research".

If you're serious about this question and if you're prepared
to pay for an answer then there is always "Google paid questions":
https://answers.google.com/answers/main?cmd=myquestions

 

[Guest]

Just create an account with admin rights for this purpose. The account does
not have to belong to anyone. The account would be used to run such task.

 

[Frank Wolf]

No. The local System account cannot access any networked resources.
This is by design.

Hi Pagasus,

sorry, but give back your MVP.
Completly wrong,
I had a test today, wehre i can access a share with the Loclal System Account!

Simply put the Machines Name from ADS into the local Admins Group and u may Access even the Admin Share$.

Mfg. Frank.