What permissions for NETWORK SERVICE account to read share on Win 2003 computer?


Solution 1

Is there a reason it has to run as Network Service? For security purposes I would create a domain user account, run the service as the domain user, and assign the necessary permissions to the user.

Solution 2

DOMAIN\machinename$

The network service account appears as this when connecting/authenticating to other servers.

I know this works because I have a web server app pool using network service that connects to a SQL Server with the dollar account.

Edit: have you ever tried to search google for "machinename$"... aarrgghh.

Solution 3

That does sound like it should work. I would try:

1) Impersonate a normal domain user account for the network access instead of network service. This will check that your impersonation is working and is valid for network resources.
2) Change the share and NTFS permissions to explicitly grant access (probably start by granting full control) to the specific computer account that you are testing this on.

Give this a go and update your question with how you get on. Might give us a bit more of an idea about the problem.

If it starts to look like a problem with your call to LogonUser then you might get a better response on StackOverflow.

I have had odd problems in the past when trying to get computers to authenticate properly as network service. I normally work around the problem now by using a domain account that has been granted the exact permissions required for the task.
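The NTFS half of step 2 above, as an added example that is not part of the original answers: it grants read access to one computer account on the shared folder and then lists the entries that apply to it. `CONTOSO\XPCLIENT01$`, `CONTOSO\Domain Computers` and `D:\Shares\Data` are placeholder names, and the script assumes PowerShell is installed on the file server and is run there by an administrator.

```powershell
# Placeholders (assumptions): replace with your domain, client machine and folder.
$account = 'CONTOSO\XPCLIENT01$'   # computer account: how NETWORK SERVICE appears on the network
$folder  = 'D:\Shares\Data'        # local path of the shared folder on the file server

# Inheritable Allow entry: read, execute and list, applied to subfolders and files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# Add the entry to the existing ACL rather than replacing the ACL.
$acl = Get-Acl -Path $folder
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Show every entry naming the account or the broad groups it belongs to.
# A Deny entry for any of these overrides the Allow entry added above.
$identities = @($account, 'CONTOSO\Domain Computers', 'Everyone')
(Get-Acl -Path $folder).Access |
    Where-Object { $identities -contains $_.IdentityReference.Value } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
```

This changes NTFS permissions only. The share permission is checked separately, and the more restrictive of the two applies to access over the network.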

Author by

Ed Guiness

Author of Ace the Programming Interview. I also run socialcoder.org, a volunteering site for programmers. @KiwiCoder on Twitter.

Updated on September 17, 2022

Comments

  • Ed Guiness over 1 year

    I have an XP SP3 machine running a service (written by me) that runs as NT AUTHORITY\NETWORK SERVICE in order to access a network share. With filemon.exe I can see this service attempting to OPEN the network share but getting ACCESS DENIED.

    The network share is a folder on a Windows Server 2003 SP1 machine, and this folder has share permission = Everyone (read) and NTFS permission = Domain Computers (read + execute + list folder contents). It has no other permissions explicitly granted, but inherits default permissions from C:\. I have verified that the XP machine is a member of Domain Computers.

    On the machine sharing the folder I can see Successful Network Logon events from the XP machine.

    On the XP machine I see only ACCESS DENIED when my service tries to OPEN specific files on that folder.

    It feels like I'm missing some vital step but I appear to have run out of SysAdmin clues.

  • Ed Guiness almost 15 years
    In fact this service runs most of its life as LOCAL SYSTEM, in order to perform various admin tasks that the domain user should not be able to. It only impersonates NETWORK SERVICE (via LogonUser API) in order to access network share.
  • Ed Guiness almost 15 years
    Helpful suggestions, thanks. Since Filemon.exe shows that the attempt is being made as NETWORK SERVICE I guess I'm safe assuming that LogonUser worked?
  • SpaceManSpiff almost 15 years
    I prefer when services are each configured as their own accounts; it allows you tighter control over the allow/deny access.
  • Ed Guiness almost 15 years
    Sure, and I may go that way, but in the meantime I have this problem with NETWORK SERVICE... I'd like to understand that problem and hopefully the solution before moving on to something else.
  • pipTheGeek almost 15 years
    It sounds like it. But I have learnt from lots of poking at web sites to try and figure out the missing link in a delegation chain not to make assumptions about what is / or is not working.
  • Ed Guiness almost 15 years
    Indeed, and I've tried adding domain\machine$ to both share and NTFS permissions... but still ACCESS DENIED.