|
security
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
LocalSystem network access problemI have a C# Service running as localSystem, and that service needs to access
a network share on another computer. When attempting to access the share, my service gets an "Access denied" error even though the security settings on the share should allow access. (Everyone: Read) If I run my service under the NetworkService account, access is granted. According to the service account documentation, both the localSystem and the NetworkService account "acts as the computer on the network", but obvioulsy there are some differences. I need the elevated privioleges of the localSystem account for my service, how can I access the network share while running under this account? Have you considered running the service under a domain user account that has
the required permissions on the local machine as well as adequate access to the remote share? Show quoteHide quote "Scewbedew" <Scewbe***@discussions.microsoft.com> wrote in message news:7F9A5174-3ED6-4F55-8B37-E72D6F2A849E@microsoft.com... >I have a C# Service running as localSystem, and that service needs to >access > a network share on another computer. When attempting to access the share, > my > service gets an "Access denied" error even though the security settings on > the share should allow access. (Everyone: Read) > > If I run my service under the NetworkService account, access is granted. > > According to the service account documentation, both the localSystem and > the > NetworkService account "acts as the computer on the network", but > obvioulsy > there are some differences. > > I need the elevated privioleges of the localSystem account for my service, > how can I access the network share while running under this account? > Yes, I have considered that, but I'd rather avoid having a domain account
with administrative rights on all systems in the domain. I can add that I have access to the calling user security token as well as the SYSTEM security token and I can impersonate the calling user in my service. This way I can impersonate the user while doing the network access, but unfortunately this isn't enough. I need local administrative rights while doing the network access (as user). I found an API (CreateProcessWithLogonW) that potentially could have solved my problem if it had been available on Windows XP. Can I in some way add the group SID for the local Administrators group to the user security token I have? I don't want to put the user in that group, just temporarily add that group SID to the user token in that process. That way, I could access the network while impersonating the user and still have administrative rights locally. Show quoteHide quote "Nicole Calinoiu" wrote: > Have you considered running the service under a domain user account that has > the required permissions on the local machine as well as adequate access to > the remote share? > 
Other interesting topics
Winform: Call a vbscript with elevated privileges
FullTrust on network drive Why am I getting errors when I want to rebuild the TreeView contro Login error when opening a deployed project Forms Authentication with Active Directory, login control crashes User creation.... Impersonation testing Security Exception Is there a function that I can call to validate a domain? IE C# ActiveX without permissons |
|||||||||||||||||||||||
