Can Local System account execute files from network drive letter?

  • Question

  • Hello,

    During my OS deployment process there are two scripts executed sequentially:

    1. First script executes net use V: \\server\sharename user:domain\account password

    2. Local System account executes setup.exe from V:\path to folder containing .exe file

    When these scripts are executed, there's no user logon session. The computer sits at the Windows logon screen and there's a deployment agent running these two scripts.

    My question is, can the Local System account execute a file from a network drive letter (in this case drive V) if it has been first mapped with domain credentials? In my tests, it looks like it can, but I have always believed that Local System cannot access any files from network locations. When a network folder has been mapped to a drive letter, does it make it a "local" resource from the System account's point of view? I can't figure out another explanation.

    I hope everyone understood my question. Please assist.

    • Edited by weedee Thursday, September 30, 2010 7:22 AM -
    Thursday, September 30, 2010 7:19 AM

Answers

  • My question is, can the Local System account execute a file from a network drive letter (in this case drive V) if it has been first mapped with domain credentials? In my tests, it looks like it can, but I have always believed that Local System cannot access any files from network locations. When a network folder has been mapped to a drive letter, does it make it a "local" resource from the System account's point of view? I can't figure out another explanation.

    Hi,

    Local System can access any files from a network location only because the ACLs on network shares always (or very often) grant Everyone the right to "read and execute". If you replace those ACLs with more restricted ACLs, removing Everyone from the permissions list, Local System won't have access to that resource. Mapping a network drive can't change a shared folder into a local folder. You can do a simple test.

    HTH


    Edoardo Benussi - Microsoft® MVP
    Management Infrastructure - Systems Administration
    https://mvp.support.microsoft.com/Profile/Benussi
    Windows Server Italian Forum Moderator
    edo[at]mvps[dot]org
    • Proposed as answer by Edoardo BenussiMVP Thursday, September 30, 2010 1:02 PM
    • Marked as answer by weedee Friday, October 1, 2010 6:02 AM
    Thursday, September 30, 2010 1:01 PM

All replies

  • Thank you Edoardo very much for clarifying this for me.

    I did a test and it's just like you said. If I want to access a shared network folder with the Local System account, the Everyone group must have at least Read Sharing permissions on that folder.

    Friday, October 1, 2010 6:08 AM
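
The test discussed in this thread can be scripted. The following PowerShell is an added example, not part of the original posts: it lists what Everyone is granted on a share at both the share-permission layer and the NTFS layer. It assumes it runs elevated on the file server itself with the SmbShare module available (Windows Server 2012 or later); `sharename` is the placeholder from the question and `Get-ShareExposure` is a hypothetical helper name.

```powershell
# Added example (not from the thread). Run elevated on the file server.
# 'sharename' is the placeholder share name used in the question.
param(
    [string]   $ShareName  = 'sharename',
    [string[]] $Principals = @('Everyone')   # principal discussed in the thread
)

function Get-ShareExposure {
    param([string]$ShareName, [string[]]$Principals)

    $share = Get-SmbShare -Name $ShareName -ErrorAction Stop

    # Layer 1: share permissions (the "Sharing" tab).
    $shareAces = @(Get-SmbShareAccess -Name $ShareName |
        Where-Object { $Principals -contains $_.AccountName })

    # Layer 2: NTFS permissions on the folder behind the share.
    $read = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $ntfsAces = @((Get-Acl -LiteralPath $share.Path).Access |
        Where-Object { $Principals -contains $_.IdentityReference.Value })

    # A caller matched only through these principals needs an Allow at BOTH
    # layers, and no Deny at either. ACEs stored as generic rights are not
    # matched by the -band test, so treat the flag as a first-pass indicator.
    $shareAllow = @($shareAces | Where-Object { $_.AccessControlType -eq 'Allow' })
    $ntfsAllow  = @($ntfsAces  | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $read) -eq $read })
    $anyDeny = @($shareAces + $ntfsAces |
        Where-Object { $_.AccessControlType -eq 'Deny' }).Count -gt 0

    [pscustomobject]@{
        Share            = $share.Name
        Path             = $share.Path
        ShareLayerAllows = $shareAllow.Count -gt 0
        NtfsLayerAllows  = $ntfsAllow.Count -gt 0
        DenyPresent      = $anyDeny
        ReadableViaGroup = ($shareAllow.Count -gt 0) -and
                           ($ntfsAllow.Count -gt 0) -and (-not $anyDeny)
        ShareEntries     = $shareAces | Select-Object AccountName, AccessControlType, AccessRight
        NtfsEntries      = $ntfsAces  | Select-Object IdentityReference, AccessControlType, FileSystemRights
    }
}

Get-ShareExposure -ShareName $ShareName -Principals $Principals | Format-List
```

Running it before and after removing Everyone from the share shows which layer was granting the access that the deployment agent relied on.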