I have an interesting problem... I need the local SYSTEM account on one server to access a specific network share on another server. Due to other reasons I can't use a regular domain account for the time being.

Using "psexec -s" I have played around with connecting to network shares under the local SYSTEM account with "net use". Since I am in a domain, I can simply add the DOMAIN\COMPUTER$ account to the share and NTFS permissions.

That seems to work fine everywhere except for one server. If I add "Everyone" to the share and NTFS, then that one server can connect. I noticed in the NTFS permissions (Security tab) that all the other servers I add have a computer icon on the left. This one server has a user icon. When adding the account I specifically said to only search for computers in the domain. And if I don't select computers, it never finds the account.

Basically, it seems the server account in the domain is different/corrupt in some way. Has anyone come across this? I would try re-adding the server, but it's critical and needs to be up as much as possible. I'm hoping there is a solution within Active Directory or something...

John Gardeniers
Nelson Rothermel

4 Answers

As a general rule you are better off using the "Authenticated Users" group instead of the "Everyone" group. Functionally they are nearly identical in most practical ways, and Authenticated Users is slightly more secure.

Goyuix
It does sound to me like something is screwy with that account. Why not remove the server from the domain, delete the account and rejoin it?

John Gardeniers
I agree something is very off about that account. The only thing I can suggest (and this is way out of left field) without removing the machine from AD and rejoining is to try resetting the account password; maybe you'll get lucky: Technet linky

Zypher
Apparently the icon was insignificant. I tried to show someone else and then the icon appeared correctly. I clicked OK, opened the permissions back up and the icon was back to the user icon. The server is not fully patched, so maybe there's an update for this. Either way, that wasn't the problem.

What it actually was... There was a batch file running as SYSTEM from time to time. It was doing a "net use \\server1\share1 /user:domain\account /password ***" and never deleted the connection. So when I was running the command prompt as SYSTEM and trying to connect to \\server1\share2 (without specifying credentials), it was actually using the cached domain\account. I had checked the Security Event Log, but never saw that domain account (the server may not be auditing everything...). Once I fix another problem I should be able to use domain accounts and prevent all this from happening.

Anyway, thanks for trying to help.

Nelson Rothermel
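The root cause above is that Windows reuses an existing SMB session to a server, so credentials left behind by an earlier "net use" in the SYSTEM logon session silently apply to every other share on that server. The following PowerShell is an added example, not code from the thread: it shows how to check, from a prompt started with "psexec -s", which credentials SYSTEM is already using toward a server, and the connect/work/always-disconnect pattern the scheduled batch job should have used. It assumes Windows 8/Server 2012 or later (for Get-SmbConnection); "server1", "share1" and the service account are placeholders.

```powershell
# Added example (not from the original thread). Run as SYSTEM via "psexec -s".
$Server = 'server1'   # placeholder: the file server from the question

# 1. Which credentials is this logon session already using toward $Server?
#    Any share on $Server opened later in this session reuses these, even
#    if no /user: is given, which is exactly what the question ran into.
$existing = Get-SmbConnection | Where-Object { $_.ServerName -ieq $Server }
if ($existing) {
    Write-Warning "Existing SMB sessions to $Server will be reused for new shares:"
    $existing | Select-Object ServerName, ShareName, UserName, Credential |
        Format-Table -AutoSize
} else {
    Write-Host "No SMB session to $Server yet; a new one authenticates as $env:COMPUTERNAME`$."
}

# 2. Mapped connections created with "net use" in this session
net use

# 3. Pattern for the scheduled job: connect with explicit credentials, do the
#    work, and always tear the connection down so SYSTEM's later activity
#    does not inherit the service account's session.
function Invoke-WithTemporaryShare {
    param(
        [Parameter(Mandatory)][string]$UncPath,          # e.g. \\server1\share1
        [Parameter(Mandatory)][pscredential]$Credential, # DOMAIN\svc-account (placeholder)
        [Parameter(Mandatory)][scriptblock]$Work
    )
    $user = $Credential.UserName
    $pass = $Credential.GetNetworkCredential().Password
    # net use signals failure through its exit code, not an exception
    net use $UncPath $pass /user:$user | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net use $UncPath failed (exit code $LASTEXITCODE)" }
    try {
        & $Work
    } finally {
        # Runs even if the work fails: no cached credential is left behind
        net use $UncPath /delete /y | Out-Null
    }
}

# Usage (placeholders): copy one file from share1, then disconnect.
# $cred = Get-Credential 'DOMAIN\svc-account'
# Invoke-WithTemporaryShare -UncPath "\\$Server\share1" -Credential $cred -Work {
#     Copy-Item "\\$Server\share1\report.txt" 'C:\reports\'
# }
```

On the file server, the same mix-up shows up in the Security log as logon type 3 events for the service account rather than for COMPUTER$, which is a useful cross-check when share permissions behave unexpectedly.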