Accessing files across a network using the SYSTEM account

1

I'm not sure if I am asking this in the right spot or not, sorry if I am wrong.

I would like to know please, SCCM is currently operational in our school, and we use it to install software across our network.

I have a piece of software that requires a different channel for each room or staff laptop that it is installed in.

I have managed to set up a PowerShell script that polls a csv for the channel that should be assigned to each room, and when the script is run, it pulls that channel and installs the software with that channel assigned.

What I am having trouble with now, is that SCCM installs the software using the local system account, and the csv is located on a network share. When the System account goes to poll the csv file it gets an access denied error, even though System has full control of the csv and directory that the csv is located in.

Is it just me not understanding the permissions that System has, or can System not interact with other devices over the network? I assumed that, being System on both devices, it would be able to cross to another device and impersonate System on that device.

Is there a way around this?

Thanks for any feedback.

Random206

Posted 2014-09-03T23:57:13.113

Reputation: 21

Just out of curiosity... LanSchool? – Patrick Seymour – 2014-09-04T00:35:22.100

Yes Patrick, correct, haha, good guess, are you having issues also? – Random206 – 2014-09-04T00:45:11.790

No, but we use it in a VDI environment, not on real computers. – Patrick Seymour – 2014-09-06T13:42:20.783

Answers

1

LocalSystem account

  • Name: .\LocalSystem (can also use LocalSystem or ComputerName\LocalSystem)
  • the account has no password (any password information you provide is ignored)
  • HKCU represents the default user (LocalSystem has no profile of its own)
  • has extensive privileges on the local computer
  • presents the computer's credentials to remote servers

Completely trusted account, more so than the administrator account. There is nothing on a single box that this account cannot do and it has the right to access the network as the machine (this requires Active Directory and granting the machine account permissions to something).

Source/More info at this StackOverflow answer: https://stackoverflow.com/a/510225/225906

Ƭᴇcʜιᴇ007

Posted 2014-09-03T23:57:13.113

Reputation: 103 763

So if I were to add 'everyone' with read/write permissions to the particular files, I would be able to access it using the System Account? – Random206 – 2014-09-04T00:31:40.303

Don't do that :) – Jon Kloske – 2014-09-04T02:00:09.537

No it's OK I have added Domain Computers to the permissions list, and assigned that Read/Write permissions. – Random206 – 2014-09-04T02:32:09.723

1

By adding 'Domain Computers' to the file's permissions list, I am able to allow the System Account to access the file, and use the permissions assigned to Domain Computers.

Random206

Posted 2014-09-03T23:57:13.113

Reputation: 21
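The Domain Computers grant described in this answer, sketched as an added example (not code from the original posts). The domain name CONTOSO, the UNC path and the CSV column names Computer and Channel are assumptions; the grant is Read only because the install script only reads the csv, and the two parts run in different places (part 1 once by an administrator, part 2 inside the script SCCM runs as SYSTEM).

```powershell
# Added example. Placeholders (assumptions): domain CONTOSO, the UNC path,
# and the CSV column names Computer and Channel.
$csvPath  = '\\fileserver\deploy\channels.csv'
$identity = 'CONTOSO\Domain Computers'

# --- Part 1: run once by an admin who is allowed to edit the file's ACL ---
# Assumes the share-level permissions already let the machine accounts read;
# over SMB both the share permission and the NTFS ACL must allow the access.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $identity,
    [System.Security.AccessControl.FileSystemRights]::Read,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl = Get-Acl -Path $csvPath
$acl.AddAccessRule($rule)
Set-Acl -Path $csvPath -AclObject $acl

# List the entries that now apply to the machine accounts.
(Get-Acl -Path $csvPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $identity } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType

# --- Part 2: inside the install script that SCCM runs as SYSTEM -----------
# Locally the process is NT AUTHORITY\SYSTEM; the file server sees the
# computer account (COMPUTERNAME$), which is a member of Domain Computers.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
try {
    $rows = Import-Csv -Path $csvPath -ErrorAction Stop
} catch {
    Write-Error "Cannot read $csvPath as $me (computer account $env:COMPUTERNAME`$): $($_.Exception.Message)"
    exit 1
}

# Require exactly one row for this machine before installing anything.
$match = @($rows | Where-Object { $_.Computer -eq $env:COMPUTERNAME })
if ($match.Count -ne 1) {
    Write-Error "Expected exactly one row for $env:COMPUTERNAME, found $($match.Count)"
    exit 1
}
$channel = $match[0].Channel
Write-Output "Channel for $env:COMPUTERNAME is $channel"
```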

0

@Techie007 is correct. What you want to do to get this to work is create a domain account that has permission to just read that network share, and then use something like "net use \\server\share /user:domain\user password" to map to that share as that user with permissions. Just make sure the user isn't a member of domain users or doesn't have log on rights or something to prevent those fairly well-known credentials then being used for anything.

Jon Kloske

Posted 2014-09-03T23:57:13.113

Reputation: 552

Or a local account on each computer, though that's more management and harder to repudiate if there's a security problem. – Jon Kloske – 2014-09-04T02:05:08.300