Can Local System account execute files from network drive letter?

Question
Hello,
During my OS deployment process there are two scripts executed sequentially:
1. The first script executes net use V: \\server\sharename user:domain\account password
2. The Local System account executes setup.exe from V:\path to folder containing .exe file
When these scripts are executed, there's no user logon session. The computer sits at the Windows logon screen and there's a deployment agent running these two scripts.
My question is, can the Local System account execute a file from a network drive letter (in this case drive V) if it has first been mapped with domain credentials? In my tests, it looks like it can, but I have always believed that Local System cannot access any files from network locations. When a network folder has been mapped to a drive letter, does that make it a "local" resource from the System account's point of view? I can't figure out any other explanation.
I hope everyone understood my question. Please assist.
- Edited by weedee Thursday, September 30, 2010 7:22 AM -
Answers
My question is, can the Local System account execute a file from a network drive letter (in this case drive V) if it has first been mapped with domain credentials? In my tests, it looks like it can, but I have always believed that Local System cannot access any files from network locations. When a network folder has been mapped to a drive letter, does that make it a "local" resource from the System account's point of view? I can't figure out any other explanation.
Hi,
Local System can access files from a network location only because the ACLs on network shares always (or very often) grant Everyone the right to "read and execute". If you replace those ACLs with more restricted ACLs, removing Everyone from the permissions list, Local System won't have access to that resource. Mapping a network drive can't turn a shared folder into a local folder. You can do a simple test.
HTH
Edoardo Benussi - Microsoft® MVP
Management Infrastructure - Systems Administration
https://mvp.support.microsoft.com/Profile/Benussi
Windows Server Italian Forum Moderator
edo[at]mvps[dot]org
- Proposed as answer by Edoardo Benussi MVP Thursday, September 30, 2010 1:02 PM
- Marked as answer by weedee Friday, October 1, 2010 6:02 AM
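
One way to run the check the answer describes, as an added example that is not part of the original thread: list every Allow entry for Everyone on the share and on the shared folder. It assumes a file server where the SmbShare cmdlets are available (Windows Server 2012 or later); the share name is the placeholder from the question.

```powershell
# Added example (not from the thread): find Allow entries for Everyone on a
# share, at both the share level and the NTFS level.
# Assumptions: run elevated on the file server; 'sharename' is the placeholder
# from the question's \\server\sharename and must be replaced.
param(
    [string]$ShareName = 'sharename'
)

# S-1-1-0 is the well-known SID for Everyone. Resolving it avoids depending on
# the localized account name.
$everyoneSid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$everyoneName = $everyoneSid.Translate([System.Security.Principal.NTAccount]).Value

$share = Get-SmbShare -Name $ShareName -ErrorAction Stop

# Share-level permissions (the "Share Permissions" tab).
$shareHits = Get-SmbShareAccess -Name $ShareName |
    Where-Object { $_.AccountName -eq $everyoneName -and $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        [pscustomobject]@{
            Layer  = 'Share'
            Target = $share.Name
            Rights = [string]$_.AccessRight
        }
    }

# NTFS permissions on the folder behind the share (the "Security" tab).
# Asking for the rules as SIDs lets us compare against S-1-1-0 directly.
$acl = Get-Acl -Path $share.Path
$ntfsHits = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $everyoneSid -and $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        [pscustomobject]@{
            Layer  = 'NTFS'
            Target = $share.Path
            Rights = [string]$_.FileSystemRights
        }
    }

# Access over the network needs both layers to allow it, so show both.
$hits = @($shareHits) + @($ntfsHits)
if ($hits.Count -eq 0) {
    Write-Output "No Allow entries for $everyoneName on share '$ShareName' or its folder."
} else {
    $hits | Format-Table -AutoSize
}
```

Running it before and after removing Everyone from the permissions list shows which layer was granting the access.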