0

I would like to have a local folder on all of my domain-connected computers kept in sync with a share on one of my servers.

Only Domain Admins and the SYSTEM account should have Modify permissions to the local folder and the share; everyone else should have Read/Execute.

Any suggestions are welcome.

My first thought was to use a GPO to create the local folder, set its permissions and create a scheduled task to run RoboCopy.

Getting RoboCopy to run with the right permissions seems to be the trick. I believe it would need to run as the local system account (so that someone being logged in is not necessary), but it also needs to use the computer account for network access.

Which account would I use when creating the Scheduled Task?

Should this work?

Is there a better way?

Corey

1 Answer

0

I would use the NETWORK SERVICE identity. This would require granting read access to the share to Authenticated Users or Domain Computers. Domain Computers may be preferable, due to the possibility that users may access the share directly and lock a file.

Greg Askew
  • So I tried using NETWORK SERVICE, but I get the following error... The computer 'CB-Utility-Sync' preference item in the 'CB-Utility Sync Folder {3CE3D239-B40A-4913-9B58-349F539496BF}' Group Policy Object did not apply because it failed with error code '0x80070534 No mapping between account names and security IDs was done.' This error was suppressed. – Corey Oct 28 '19 at 14:52
  • But the NTFS permissions were the issue, after I added "Domain Computers", I was able to run the Task using the SYSTEM account. Thanks – Corey Oct 28 '19 at 14:53
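
The setup the thread ends up with (task runs as SYSTEM, share and NTFS read access granted to Domain Computers), sketched as an added example that is not code from either poster. The share path, local folder, domain name, task name, schedule and log path are assumptions; the script is assumed to run elevated, for instance as a computer startup script.

```powershell
# Assumed values (not from the original posts); adjust to your environment.
$Source   = '\\fileserver01\UtilitySync'      # hypothetical share
$Dest     = 'C:\UtilitySync'                  # hypothetical local folder
$Domain   = 'CONTOSO'                         # hypothetical NetBIOS domain name
$TaskName = 'UtilitySync'                     # hypothetical task name
$LogFile  = 'C:\Windows\Temp\UtilitySync.log' # hypothetical log path

# 1. Create the local folder if it does not exist yet.
if (-not (Test-Path -LiteralPath $Dest)) {
    New-Item -ItemType Directory -Path $Dest | Out-Null
}

# 2. Explicit ACL: SYSTEM and Domain Admins get Modify, local Users get
#    Read/Execute. Well-known SIDs are used for SYSTEM (S-1-5-18) and
#    BUILTIN\Users (S-1-5-32-545) so localized account names do not matter.
icacls $Dest /grant:r '*S-1-5-18:(OI)(CI)M'
icacls $Dest /grant:r "$Domain\Domain Admins:(OI)(CI)M"
icacls $Dest /grant:r '*S-1-5-32-545:(OI)(CI)RX'
# Only after the explicit ACEs exist, drop the inherited ones.
icacls $Dest /inheritance:r

# 3. Robocopy mirror job. /MIR also deletes local files that no longer exist
#    on the share. By default robocopy copies data, attributes and timestamps
#    but not ACLs, so copied files inherit the ACL set on $Dest above.
$arguments = "`"$Source`" `"$Dest`" /MIR /R:2 /W:5 /NP /LOG:`"$LogFile`""
$action    = New-ScheduledTaskAction `
    -Execute "$env:SystemRoot\System32\robocopy.exe" -Argument $arguments
$trigger   = New-ScheduledTaskTrigger -Daily -At '03:00'

# 4. Run as SYSTEM so no interactive logon is required. On the network,
#    SYSTEM authenticates as the computer account (DOMAIN\HOSTNAME$), which is
#    a member of Domain Computers. That group therefore needs Read on both
#    the share permissions and the NTFS permissions of the source folder.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName $TaskName -Action $action `
    -Trigger $trigger -Principal $principal -Force | Out-Null
```

Robocopy exit codes below 8 indicate success, so a non-zero "last run result" in Task Scheduler is not by itself a failure.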