Hmmm... we have remedied issues wherein processes running in the context
of LocalService need to dump files on to the network, and adding the
machine account to the share perms solved it.

Interestinger and interestinger...

-sc

> -----Original Message-----
> From: Ben Scott [mailto:[email protected]]
> Sent: Monday, June 22, 2009 4:34 PM
> To: NT System Admin Issues
> Subject: Re: I should know this, but I don't....
> 
> On Mon, Jun 22, 2009 at 3:50 PM, David Lum <[email protected]> wrote:
> > If I add a machine to a group (say, my SMS server as a local admin to
> > my desktop), what am I exactly enabling?
> 
>   It means the NT machine account is now a member of that group.
> Nothing more, nothing less.
> 
>     Machine accounts are just user accounts, as far as the NT security
> model is concerned.  If the machine is "FOO" and your domain is
> "NWEA", then the NT machine account is "NEWA\FOO$".  The dollar sign
> means it is hidden.
> 
>   Computer startup and shutdown scripts run in the context of the
> machine account when it comes to accessing network resources.  That's
> the major practical application that I'm aware of.
> 
> > Accounts logged in as "Local Service" to interact with my machine?
> 
>   Nope, that would be "FOO\LocalService", a different account and a
> different security authority.  LocalService isn't supposed to have
> access to any network resources.
> 
>   Now, theoretically, it may be that LocalService has sufficient
> privileges to hijack the machine account and impersonate it.
> Anything's possible with root access.
> 
> > Does it mean anyone logged onto that machine would have
> > local admin rights to my PC?
> 
>   Definitely not!  The NT machine account has nothing to do with the
> logged on user.
> 
> -- Ben
> 
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
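Ben's point, that the machine account is an ordinary domain principal while Local Service is a purely local identity, can be checked from the file-server side. The following PowerShell is an added example, not code from the thread: it resolves both principals to SIDs and reports whether each appears on the share-level and NTFS ACLs of a share. The domain NWEA, computer FOO and share name Dumps are hypothetical; it assumes it runs on the server hosting the share with the SmbShare module (Windows Server 2012 / Windows 8 or later).

```powershell
# Added example; not from the thread. Run on the file server that hosts the
# share. Assumes the SmbShare module (Windows Server 2012 / Windows 8 or later).
# Domain 'NWEA', workstation 'FOO' and share 'Dumps' are hypothetical names.
param(
    [string]$Domain    = 'NWEA',
    [string]$Computer  = 'FOO',
    [string]$ShareName = 'Dumps'
)

function ConvertTo-Sid([string]$Account) {
    (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier])
}

# The machine account is an ordinary domain principal, DOMAIN\COMPUTER$,
# resolving to S-1-5-21-<domain>-<RID>. Local Service is a well-known local
# SID (S-1-5-19) that the server never sees as such: a Local Service process
# presents anonymous credentials on the network (ANONYMOUS LOGON, S-1-5-7).
$principals = [ordered]@{
    'Machine account' = ConvertTo-Sid "$Domain\$Computer`$"
    'Local Service'   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-19'
    'Anonymous logon' = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-7'
}

$share    = Get-SmbShare -Name $ShareName
$shareAce = Get-SmbShareAccess -Name $ShareName
$ntfsAce  = (Get-Acl -Path $share.Path).Access

foreach ($name in $principals.Keys) {
    $sid = $principals[$name]
    # Share-level entries carry account names; compare by SID so that any
    # spelling of the same principal (e.g. NWEA\FOO$) matches.
    $onShare = $shareAce | Where-Object { (ConvertTo-Sid $_.AccountName) -eq $sid }
    $onNtfs  = $ntfsAce  | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
    }
    $line = '{0,-16} {1,-45} share:{2,-5} ntfs:{3}' -f $name, $sid, [bool]$onShare, [bool]$onNtfs
    $line
}
```

If only the machine account row shows access, a client process that really runs as Local Service still cannot write to the share, because it never presents that SID; a process that succeeds after the machine account is granted is running as LocalSystem or NetworkService, which do use the machine account on the network.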