Author: Tommy Gilchrist (Guest)
Posted: Thu Nov 04, 2004 3:34 am
Post subject: How does Local System Account bypass file permissions during

Folks

I wonder could you shed some light on a problem we're having.

The nature of the problem is very odd in that I'm arguing with a
backup vendor who shall remain nameless over a feature that I need,
that any backup software should be able to do, that their software
seems to be capable of doing but (and this is the odd bit) they claim
their software CAN'T do!

The backup agent runs under the local system account and the vendor is
claiming that this means that all files must have "SYSTEM" granted
read access in order to guarantee a successful backup. Given that
there are about 100 file servers hosting millions of files in the
environment and multiple people have access to change permissions this
obviously can't be guaranteed.

However I can create files, give them very restricted permissions,
even remove all permissions and the backup program can back them up
successfully. I've tested this on Windows NT 4.0, 2000 and 2003.

What may help move the discussion forward is an understanding of how
the local system account accesses files. I understand that members of
the Backup Operators group and the Administrators group get the "Back
up files and folders" permission which will permit this. However the
SYSTEM account isn't a member of either group by default.

Is the SYSTEM account the same as the Local System Account services
run under? Does the Local System Account have these permissions
automatically or is this not relevant at all and am I barking up the
wrong tree?

thanks
tommy
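
The test described in the post above, as an added example that is not part of the original thread: it checks whether the current token carries the "Back up files and folders" right (SeBackupPrivilege), empties a file's DACL, and then compares an ordinary read with a backup-mode copy. It assumes an elevated PowerShell 3.0+ session on an English-language Windows with `icacls` and `robocopy` available; all paths and file names are constructed.

```powershell
# Added example, not from the thread. Paths under %TEMP% are constructed test data.
$src  = Join-Path $env:TEMP 'acl-test-src'
$dst  = Join-Path $env:TEMP 'acl-test-dst'
New-Item -ItemType Directory -Path $src, $dst -Force | Out-Null
$file = Join-Path $src 'locked.txt'
Set-Content -LiteralPath $file -Value 'constructed sample data'

# 1. Are the backup/restore rights present in this token?
#    "Disabled" means present but not yet switched on by the program.
#    (Column names assume English-language whoami output.)
$privs = whoami /priv /fo csv | ConvertFrom-Csv |
    Where-Object { $_.'Privilege Name' -in 'SeBackupPrivilege', 'SeRestorePrivilege' }
$privs | Format-Table 'Privilege Name', State

# 2. Remove inherited ACEs. A freshly created file has no explicit ACEs,
#    so its DACL is now empty: nobody, SYSTEM included, is granted read.
icacls $file /inheritance:r | Out-Null

# 3. Ordinary open: evaluated against the (empty) DACL.
try {
    Get-Content -LiteralPath $file -ErrorAction Stop | Out-Null
    $normalRead = 'allowed'
} catch {
    $normalRead = 'denied'
}

# 4. Backup-mode open: robocopy /B asks for backup semantics, which depend on
#    the backup/restore rights in the token rather than on the file's DACL.
robocopy $src $dst 'locked.txt' /B /NJH /NJS /NFL /NDL | Out-Null
$copied = ($LASTEXITCODE -lt 8) -and (Test-Path -LiteralPath (Join-Path $dst 'locked.txt'))
$backupCopy = if ($copied) { 'copied' } else { 'failed' }

# 5. Side-by-side result for the two access paths.
[pscustomobject]@{ NormalRead = $normalRead; BackupModeCopy = $backupCopy }

# 6. Clean up: the owner can always rewrite the DACL, so restore inheritance first.
icacls $file /reset | Out-Null
Remove-Item -LiteralPath $src, $dst -Recurse -Force
```

Running the same script in the context the backup agent uses shows which of the two access paths that agent actually depends on.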

Author: Pegasus (MVP) (Guest)
Posted: Thu Nov 04, 2004 4:13 am
Post subject: Re: How does Local System Account bypass file permissions du

The SYSTEM account has implicit access permissions to all local
files and folders (but not to networked resources). This is independent
of any NTFS permissions that you might set.

Author: Tommy Gilchrist (Guest)
Posted: Thu Nov 04, 2004 1:55 pm
Post subject: Re: How does Local System Account bypass file permissions du

Thanks for this. I suspected it was something of this nature.
Do you know if this is documented anywhere, preferably on one of
Microsoft's sites?

tommy

Author: Marco (Guest)
Posted: Thu Nov 04, 2004 6:58 pm
Post subject: Re: How does Local System Account bypass file permissions du

1st line says it all:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/the_localsystem_account.asp
cheers,
Marco
--
Free five computers' license for NeoExec for Active Directory
[ www.neovalens.com ]