
I am running a Dotnet 3.5 executable in Windows 7 Ent, as a GPO computer startup script in a domain. The script resides on a network share. The exe is run as Local System. The exe runs correctly.

I would like to access a web service in this exe, but it appears that the Local System does not have access to network resources per documentation. However, if the same exe is copied to the C: drive and run from there under the same account and same conditions (i.e. GPO startup script), then the web service can be accessed.

How is it that the Local System has access to the web service when running from the C: drive, but not from the network share? Is there anything that can be done to make it work from the network share, without first being copied to the local drive? Is Local System the same as SYSTEM and the same as NT Authority\System?

I have tried the following so far to make it work. None of these work:

  1. Impersonate a domain user in code.
  2. Give Full Trust to all zones in .Net Security Configuration
  3. Add the network share to Trusted Sites in IE.
  4. Use the NetBIOS name instead of the fully qualified name of the file server, i.e. \\server\share, rather than \\server.domain.com\share

The following things I cannot do to fix this problem:

  1. Change the logon account of the Group Policy Client service to a domain user
  2. Run the exe as logon script. It has to be startup script.

To reproduce this problem I do the following:

  1. Create a simple exe with some network function, i.e. WebClient.DownloadString("http://www.google.com")
  2. Deploy exe to a network share
  3. Run as normal user to show there is no error
  4. Run whoami to show the current user
  5. Run psexec -s -i cmd.exe
  6. Cmd will start as SYSTEM (Local System or NT Authority\System)
  7. Run whoami to show the current user
  8. Run exe from network share to show it will fail to download the page.
  9. Copy the exe to C Drive.
  10. Run exe to show the page is downloaded.
Ken White
asuboy75
  • http://stackoverflow.com/q/249928/62576 – Ken White Jun 22 '15 at 20:46
  • Ken White, the above problem is different. I don't have a problem accessing the network share. My exe already resides on a share and runs without any problem. I have granted DOMAINNAME\COMPUTERNAME$ proper permission. The problem is that when running from network share the exe cannot connect to the internet under the context of Local System. But it can if the same exe is run from the C: Drive. I cannot change the Log On account of the Group Policy Client Service which is what launches this exe. – asuboy75 Jun 22 '15 at 21:01
  • I solved this problem. The problem was that I need to give read and execute permissions to all the parent folders in the path on the network share where the exe resided. For example if the exe was located at \\server\share\folder1\folder2\folder3\abc.exe, then I need to grant read and execute permission to all of these: – asuboy75 Feb 17 '17 at 19:01
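
The fix described in the last comment can be audited with a script like the following, which is an added example and not code from the original post: it walks every folder above the exe up to the share root and reports whether a given account holds Read & Execute there. The default path and account are placeholders (the account to check is an assumption, here the computer account form mentioned in the earlier comment); only NTFS ACEs that name the account directly are evaluated, so rights granted through group membership and share-level permissions are not covered.

```powershell
# Added example: report Read & Execute on every parent folder of a file.
# $ExePath and $Account defaults are placeholders, not values from the post.
param(
    [string]$ExePath = '\\server\share\folder1\folder2\folder3\abc.exe',
    [string]$Account = 'DOMAINNAME\COMPUTERNAME$'
)

$needed = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute

function Get-AncestorFolder([string]$Path) {
    # GetDirectoryName returns $null once the UNC root (\\server\share) is passed,
    # which ends the loop.
    $dir = [System.IO.Path]::GetDirectoryName($Path)
    while ($dir) {
        $dir
        $dir = [System.IO.Path]::GetDirectoryName($dir)
    }
}

function Test-ReadExecute([string]$Folder, [string]$Account) {
    # Combine all Allow and Deny ACEs (explicit or inherited) that name the account.
    $allow = 0
    $deny  = 0
    foreach ($ace in (Get-Acl -LiteralPath $Folder).Access) {
        if ($ace.IdentityReference.Value -ne $Account) { continue }
        if ($ace.AccessControlType -eq 'Allow') {
            $allow = $allow -bor [int]$ace.FileSystemRights
        } else {
            $deny = $deny -bor [int]$ace.FileSystemRights
        }
    }
    # Deny ACEs take precedence over Allow ACEs.
    $effective = $allow -band (-bnot $deny)
    return (($effective -band $needed) -eq $needed)
}

# One row per folder, deepest first; a False row marks a folder still missing the right.
Get-AncestorFolder $ExePath | ForEach-Object {
    [pscustomobject]@{
        Folder         = $_
        ReadAndExecute = Test-ReadExecute $_ $Account
    }
}
```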

0 Answers