Re: Computer accounts in NTFS permissions

From: Bruce K. Marshall (bkmlstsgohere_at_comcast.net)
Date: 02/23/05

    To: "Daniel Schmidt" <dschmidt@buddyrents.com>
    Date: Wed, 23 Feb 2005 14:23:41 -0600
    
    

    Daniel,

    The computer account -- not System or some other account on the computer --
    isn't ever going to be accessing files (at least not in any examples I can
    think of). And permissions won't be enforced just because a user or service
    account happens to be operating from that computer. So, using a
    computer security principal in NTFS ACLs won't have any effect.

    If a service on the computer is trying to access the file then you should be
    able to set up NTFS ACLs using the appropriate account (System, Local
    Service, Network Service, etc.).

    ----
    Bruce K. Marshall - bmarshall@securityps.com
    Security PS - Kansas City
    ----- Original Message ----- 
    From: "Daniel Schmidt" <dschmidt@buddyrents.com>
    To: <focus-ms@securityfocus.com>
    Sent: Wednesday, February 23, 2005 9:32 AM
    Subject: Computer accounts in NTFS permissions
    > It is my understanding that computer accounts can be used as security
    > principals, but using them in an NTFS ACL seems to have no effect.  Does
    > computer account authentication only authorize accesses from the SYSTEM
    > account?  Can anyone point me toward some useful reading on the subject?
    >
    > Daniel Schmidt 