Marshall
The computer account -- not System or some other account on the
computer --
isn't ever going to be accessing files (at least not in any examples I
can
think of).
In an AD environment, the computer account will indeed be used during
the startup process and will need appropriate permissions and rights
associated with it to read AD Objects like GPOs and scripts.
In some environments, the AD DNS dynamic name registration is also
performed using the SID associated with the Computer.
slawek
"Bruce K. Marshall" <bkmlstsgohere@comcast.net> 2/23/2005 14:23
Daniel,
The computer account -- not System or some other account on the
computer --
isn't ever going to be accessing files (at least not in any examples I
can
think of). And permissions won't be enforced just because a user or
service
account happens to be operating from that computer. So, setting using
a
computer security principal in NTFS ACLs won't have any effect.
If a service on the computer is trying to access the file then you
should be
able to set up NTFS ACLs using the appropriate account (System, Local
Service, Network Service, etc.).
----
Bruce K. Marshall - bmarshall@securityps.com
Security PS - Kansas City
----- Original Message -----
From: "Daniel Schmidt" <dschmidt@buddyrents.com>
To: <focus-ms@securityfocus.com>
Sent: Wednesday, February 23, 2005 9:32 AM
Subject: Computer accounts in NTFS permissions
It is my understanding that computer accounts can be used as
security
principals, but using them in a NTFS ACL seems to have no effect.
Does
computer account authentication only authorize accesses from the
SYSTEM
account? Can anyone point me toward some useful reading on the
subject?
Daniel Schmidt
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
