SYSTEM is a special group/user in Windows. Keep in mind that the displayed name of users and groups is for the convenience of the administrator. Windows actually uses the SID when monkeying with these entities. The SYSTEM account has the same SID on all systems. Check KB article Q243330 as a starting point. There are also some good white-papers available in TechNet that discuss this stuff.
Back to Devin's issue, the method described will only affect permissions to the GPO and only for domain controllers. From the description it appears that NTFS permissions were set using group policies. The appropriate GPOs should be adjusted to include giving SYSTEM Full Control on the appropriate computers. But I think Alexander's suggestion about having an account for doing the scanner and giving that account the appropriate permissions is correct. Even though you give the account FC permission it gives you an audit trail that may be needed later. Depending on the software it may not be possible and I have no experience with Inoculan. Caveat is that I haven't actually done anything like this so I'm strictly speculating here and YMMV. If you can try to work out the details in a test lab using a trashable domain. > -----Original Message----- > From: Alexander Kha Do [mailto:[EMAIL PROTECTED]] > Sent: Monday, February 25, 2002 4:10 PM > To: NT 2000 Discussions > Subject: RE: GPO for file system access? > > > Actually, I've been curious myself about SYSTEM on the domain level, > because it is a group at the domain level... > Is the SYSTEM group just a collection of every valid domain > workstation? > > It seems like if so, you wouldn't really want to bother with that GPO > setting... Where will you run this software from?? If you have a > dedicated scanning server, you could maybe create an account for that > machine and give permissions to those folders to that one account?? > > -----Original Message----- > From: Meade, Devin [mailto:[EMAIL PROTECTED]] > Sent: Monday, February 25, 2002 12:49 PM > To: NT 2000 Discussions > Subject: GPO for file system access? > > > Group, > > Long story short - New W2K native mode active directory domain. > All default NTFS and share rights removed and rights issued via domain > local > and domain global groups (M$ recommended way). Users are in global > groups. > Resources (file system) rights issued to in local groups. > Global groups > are > member of the local groups. > > Now, we want to get eTrust Inoculan 6.0 to work - it seems that SYSTEM > must > have FULL CONTROL to any files - or nothing will be detected. > > I can issue file system rights to each of our shares, this will take a > while > as we have some funky rights going on. > > I looked at ADUC / Domain Controllers / Properties / Group Policy / > Properties / Security - > I changed SYSTEM from read, write, create all child and > delete all child > to > Full control and apply group policy (all). > > Methinks this is for Active Directory objects and not file system > objects. > > Is there a faster (easier) way to assign SYSTEM the FULL > CONTROL rights > on > all NTFS shares? > > TIA > Devin L. Meade, CNE, MCP > Network Adminstrator > Frankfurt-Short-Bruza > www.fsb-ae.com <http://www.fsb-ae.com> > > > ------ > You are subscribed as [EMAIL PROTECTED] > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe send a blank email to [EMAIL PROTECTED] > > ------ > You are subscribed as [EMAIL PROTECTED] > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe send a blank email to [EMAIL PROTECTED] > ------ You are subscribed as [email protected] Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe send a blank email to [EMAIL PROTECTED]
