Posted by Roger Abell [MVP] on March 16, 2007, 11:54 am
>>> Is the NETWORK SERVICE account an implied member of the Users group? A
>>> Microsoft support rep is telling me it is, but I have plenty of cases
>>> here
>>> where I am not able to give that account access to a resource with
>>> Users,
>>
>> strange as its token has builtin\Users in it
>
>
> Under Windows 2003, Users group normally has INTERACTIVE and Authenticated
> Users inside of it. I normally remove Authenticated Users from Users and
> add it back selectively to resources that need it.
>
Similarly here, except remove both, rarely add back either . . .
> That may explain the Microsoft rep thinking that NETWORK SERVICE was in
> Users? Maybe its membership is indirect via Authenticated Users?
>
At first I was thinking along those lines, but it is not so.
Network Service, at least wherever I have peeked as a result of your post,
is _directly_ a member in the local Users group. So, it is not a case as
with Local System where Users membership is only due to Authenticated
Users (which they both have in their tokens) or INTERACTIVE if that is
in play.
> And it would explain my SACL failures from NETWORK SERVICE, since I remove
> NETWORK SERVICE from Users by removing Authenticated Users from Users.
The one thing that may explain it is understanding at what point in your
processes the access denial occurs. Network Service "transitions" to being
machine$ when it is accessing resources that are off-box. This machine$ is
usually the domain identity of Local System. Local System is _not_ directly
in Users. So, is the eventing you are seeing resultant from some off-box
activity? I could see why MS may have let, for example, the on-box
marshalling due to off-box activity happen in the context used for off-box,
as it would avoid a lot of overhead needed for the context switching and
passing of the marshalled data to the on-box context.
Roger
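For anyone who wants to check this on their own box, here is an added PowerShell example (not part of the thread). It assumes Windows 10 / Server 2016 or later, where the Microsoft.PowerShell.LocalAccounts module supplies Get-LocalGroupMember, and reports whether NETWORK SERVICE and LOCAL SYSTEM are direct members of the local Users group or only reach it through Authenticated Users or INTERACTIVE, which is the distinction Roger draws above.

```powershell
# Added example (not from the thread): is NETWORK SERVICE / LOCAL SYSTEM in BUILTIN\Users
# directly, or only because Authenticated Users / INTERACTIVE are still inside Users?
# Assumes Windows 10 / Server 2016+ (Get-LocalGroupMember) and local admin rights.

function Get-WellKnownSid([System.Security.Principal.WellKnownSidType] $Type) {
    # Resolve a well-known SID from its type rather than hard-coding the string.
    [System.Security.Principal.SecurityIdentifier]::new($Type, $null)
}

# The principals the thread talks about.
$principals = [ordered]@{
    'NETWORK SERVICE'     = Get-WellKnownSid NetworkServiceSid    # S-1-5-20
    'LOCAL SYSTEM'        = Get-WellKnownSid LocalSystemSid       # S-1-5-18
    'Authenticated Users' = Get-WellKnownSid AuthenticatedUserSid # S-1-5-11
    'INTERACTIVE'         = Get-WellKnownSid InteractiveSid       # S-1-5-4
}

# Direct members of the local Users group, keyed by SID string.
$usersMembers = @{}
Get-LocalGroupMember -Group 'Users' |
    ForEach-Object { $usersMembers[$_.SID.Value] = $_.Name }

# Both service identities carry Authenticated Users in their token, so as long as
# that group is a member of Users they are members indirectly, even if not listed.
$authUsersInUsers   = $usersMembers.ContainsKey($principals['Authenticated Users'].Value)
$interactiveInUsers = $usersMembers.ContainsKey($principals['INTERACTIVE'].Value)

foreach ($name in 'NETWORK SERVICE', 'LOCAL SYSTEM') {
    $sid    = $principals[$name]
    $direct = $usersMembers.ContainsKey($sid.Value)
    $via    = @()
    if ($authUsersInUsers) { $via += 'Authenticated Users' }

    [pscustomobject]@{
        Principal       = $name
        Sid             = $sid.Value
        DirectMember    = $direct
        IndirectVia     = ($via -join ', ')
        EffectiveMember = ($direct -or $authUsersInUsers)
    }
}

# INTERACTIVE only matters for logons that are actually interactive; report it separately.
"INTERACTIVE still in Users: $interactiveInUsers"
```

If you have removed Authenticated Users from Users the way the thread describes, EffectiveMember shows whether each service identity still gets in by direct membership alone.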