
I've got a task running on AMACHINE under the SYSTEM account.

There's a shared directory on BMACHINE which is visible on AMACHINE and that shared directory allows r+w to a username ADOMAIN\AMACHINE$.

I believe that ADOMAIN\AMACHINE$ means any users on AMACHINE should be allowed r+w on the shared.

  1. Am I correct in believing that?
  2. Is there something weird about the SYSTEM account which might mean it's excluded from those permissions?

I have read What does <domain name>\<computer name>$ mean? which was helpful but a bit too biased towards ASP.Net.

  • What I should have made explicit is that I'm referring to a situation in which all machines are running Windows 2003 – shearichard Dec 20 '09 at 23:07

1 Answer


The ADOMAIN\AMACHINE$ account is what gives the local service accounts (System, or Network Service, depending on Windows version) the ability to carry out authenticated network access to permission-controlled resources on the network. They do this by presenting themselves using the machine account name, i.e. ADOMAIN\AMACHINE$ in your case.

This means that a service running in one of those contexts can access the shared resource which has had explicitly granted permission(s) to the machine account. This does not mean that any other local user accounts on AMACHINE can access the share. Note that the local service account is different - it can only access network resources via a null session (unauthenticated access).

There is inaccurate and misleading information on this in various places but this MSDN article about SQL service accounts explains this correctly.

  • You might also look into allowing constrained delegation to allow the machine account to present alternate credentials, although I'm not sure off the top of my head if that would help in a non-domain environment – Jim B Dec 21 '09 at 05:31
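A way to verify the answer's claim end to end, as an added example that is not part of the original question or answer: grant the share to the computer account on BMACHINE, then fire a probe from AMACHINE under SYSTEM (and, for contrast, under LOCAL SERVICE) and look at what identity the file server actually logged. The names ADOMAIN, AMACHINE, BMACHINE, the share path D:\Shared and the share name Shared are the question's placeholders; everything else (task names, probe file paths, the event-log query) is assumed here. The log check uses Get-WinEvent and event ID 4624, which exist on Windows Server 2008 / PowerShell 2.0 and later; on the Windows 2003 machines the question describes, the equivalent successful-logon event is ID 540 and you would read it with Get-EventLog instead.

```powershell
# Added example, not from the original post. Run the first and last parts on BMACHINE
# (the file server) and the middle part on AMACHINE (the client running the task).

# ---- On BMACHINE: grant r+w at both the share and NTFS levels to AMACHINE's computer account ----
$acct = 'ADOMAIN\AMACHINE$'                       # the machine account from the question
New-Item -ItemType Directory -Path 'D:\Shared' -Force | Out-Null
net share "Shared=D:\Shared" "/GRANT:$acct,CHANGE"  # share-level: CHANGE = read + write
icacls 'D:\Shared' /grant "${acct}:(OI)(CI)M"       # NTFS-level: Modify, inherited by new files/folders

# ---- On AMACHINE: probe the share from two different local service contexts ----
# The probe writes its local token name into a file whose name says which task created it.
$probe = 'C:\Windows\Temp\share-probe.cmd'        # assumed path for the probe script
@"
whoami > \\BMACHINE\Shared\from-%COMPUTERNAME%-%1.txt
"@ | Set-Content -Path $probe -Encoding ASCII

# Task 1: SYSTEM. Expected: the file appears, containing "nt authority\system" (the LOCAL token
# name), while BMACHINE sees the logon as ADOMAIN\AMACHINE$ (checked below).
schtasks /create /tn ShareProbeSystem /tr "$probe system" /sc once /st 00:00 /ru SYSTEM /f
schtasks /run /tn ShareProbeSystem

# Task 2: LOCAL SERVICE. Expected: NO file appears, because LOCAL SERVICE reaches the share as an
# anonymous (null) session, which the permissions above do not cover.
schtasks /create /tn ShareProbeLocalSvc /tr "$probe localservice" /sc once /st 00:00 /ru 'NT AUTHORITY\LOCALSERVICE' /f
schtasks /run /tn ShareProbeLocalSvc

Start-Sleep -Seconds 5
Get-ChildItem '\\BMACHINE\Shared\from-AMACHINE-*.txt' | ForEach-Object {
    '{0}: {1}' -f $_.Name, (Get-Content $_.FullName)
}

# ---- On BMACHINE: which account did the server authenticate? ----
# Network logons (type 3) under the machine account are what the SYSTEM task produced.
# Event ID 4624 is Vista/2008+; on Windows 2003 query ID 540 with Get-EventLog instead.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 500 |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data   # parse the structured event fields
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = ($d | Where-Object Name -eq 'TargetUserName').'#text'
            Domain    = ($d | Where-Object Name -eq 'TargetDomainName').'#text'
            LogonType = ($d | Where-Object Name -eq 'LogonType').'#text'
        }
    } |
    Where-Object { $_.Account -eq 'AMACHINE$' -and $_.LogonType -eq '3' } |
    Format-Table -AutoSize
```

The point the output makes is the one in the answer: whoami inside the task reports the local SYSTEM token, but that name never leaves the box. What BMACHINE authenticates and authorizes against is ADOMAIN\AMACHINE$, so an ACE for that account admits SYSTEM (and NETWORK SERVICE) from AMACHINE, admits nothing else on AMACHINE, and does nothing for LOCAL SERVICE, whose attempt shows up (if at all) as an ANONYMOUS LOGON rather than as the machine account.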