Network Shares for computer account (System Processes)

You can grant access to a share/folder to a computer account (or to a Global Security Group containing the computer accounts you wish to have access).

As a batch file:

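REM Share-level permission: Change for the computer account
Net Share SharedFolderName=C:\FolderName /grant:"DOMAIN\COMPUTERACCOUNT$",CHANGE

REM NTFS permission on the shared folder; without /e, cacls replaces the existing ACL (hence the piped y)
echo y | cacls C:\FolderName /c /g "DOMAIN\COMPUTERACCOUNT$":C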

The $ suffix indicates this is a computer account.

This would give Change access to any process/service that COMPUTERACCOUNT runs as SYSTEM, but would not give any access to processes created by users logged onto COMPUTERACCOUNT.
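
The same grant in PowerShell, as an added example that is not from the original post. It assumes Windows 8 / Server 2012 or later (for the SmbShare module), an elevated session, and the placeholder names used in the batch file; unlike cacls without /e, it adds the NTFS entry to the existing ACL, and it finishes by listing what computer accounts can reach so the result can be reviewed.

```powershell
# Added example; all three values are placeholders taken from the batch file above.
$ShareName = 'SharedFolderName'
$Path      = 'C:\FolderName'
$Account   = 'DOMAIN\COMPUTERACCOUNT$'   # trailing $ marks a computer account

# 1. Share-level permission (the "net share ... /grant:...,CHANGE" step).
if (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue) {
    Grant-SmbShareAccess -Name $ShareName -AccountName $Account `
        -AccessRight Change -Force | Out-Null
} else {
    New-SmbShare -Name $ShareName -Path $Path -ChangeAccess $Account | Out-Null
}

# 2. NTFS permission (the cacls step). Modify corresponds to cacls "C" (Change).
#    AddAccessRule appends to the existing ACL instead of replacing it.
$acl  = Get-Acl -Path $Path
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Review: everything granted on this share, at both layers.
#    Effective access is the more restrictive of share and NTFS permissions.
Get-SmbShareAccess -Name $ShareName |
    Select-Object AccountName, AccessControlType, AccessRight

(Get-Acl -Path $Path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited

# 4. Audit: every non-administrative share on this host that grants access
#    to a computer account (account name ending in $).
Get-SmbShare -Special $false | Get-SmbShareAccess |
    Where-Object { $_.AccountName -like '*$' } |
    Select-Object Name, AccountName, AccessRight
```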

I’ve not tested this, but when I installed an instance of SQL Server ’08r2 I chose to run it all as system processes. My thought is the network share above would allow me to have the database on the share (with rights granted via the sql svr’s system process) without needing to grant access to any particular users to the share and only accessible from specified PCs. I take it as well that this method is probably breaking a few security rules.
