"Confused over file access" continued
Ooops, the thread "Confused over file access" was marked as answered though I am still confused.

Gunner999 wrote:

>>That is if we have code running on the workstation under NETWORK SERVICE and I want that code to open/read/write the file on
>>\\TESTSERVER\Folder
>>How do I "tell" Server 2008 R2 on the test server that I want to add permission for the NETWORK SERVICE that runs on the workstation?

NETWORK SERVICE is a well known security object. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function. It has minimum privileges on the local computer and acts as the computer on the network (Computername$)

I could not understand: Is not it "NT Authority\Network Service" account the one which does not belong to any specific ow - machine workgroup or domain? And which are well-known accounts recognized by the security subsystem? Security subsystem of what? Where to read on it?

Gunner999 wrote:

"Assuming a DOMAIN is in place, you can add the domain computer account (Computername$) to the Share and NTFS permissions

As an alternative, you can have the service run under a domain user account (domain\user), and permission that account to the share and NTFS permissions.

>>these machines are setup as a workgroup incidentally.

Without a domain, it's still possible to give access but it is just that much more difficult.
1) you must run the service under a user account.
2) That same user account must be created on every computer in the workgroup / that needs this permission"

While adding "Network Service" account to NTFS permission, one can see that it does not belong to any specific machine or domain, as well as many other well-known accounts like
- ANONYMOUS LOGON
- Everyone
- LOCAL SERVICE
- NETWORK
- SYSTEM
- and many others

Aren't they "the same" accounts independently on domain, machine or workgroup, as well as they are present on any Windows and can be used to configure network share to be accessible from workgroup computers? without necessity of creating the same user account on every workgroup machine?

Gunner999 wrote: "Without a domain, it's still possible to give access"

Does not it contradict to answers given in "member of both Workgroup and Domain?" to my questions there: "Is it possible... to start secondary logon as local administrator (or runas programs from local administrator) being logged-in as (from) domain user session?" or vice versa?

Well, the question was probably poorly worded but the purpose was to understand how to interact between from/to workgroup computer (and by computer I understand not host per se but resources and interactive applications on them) having an account independent on the fact of joining or not a machine to domain or to workgroup. And that purpose and context was quite wordily and repeatedly explained there
July 27th, 2010 11:40am
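Added example, not part of the original thread: a small Python model of the point quoted above, that NETWORK SERVICE has a fixed well-known SID but "acts as the computer on the network (Computername$)", so a server-side ACE naming NETWORK SERVICE does not match a remote caller while one naming the computer account does. The function names, the simplified token contents and the sample domain SID are assumptions made for illustration; only the well-known SID values are real.

```python
import re

# Well-known SIDs: identical values on every Windows installation.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NETWORK",
    "S-1-5-7": "ANONYMOUS LOGON",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "SYSTEM",
    "S-1-5-19": "LOCAL SERVICE",
    "S-1-5-20": "NETWORK SERVICE",
}
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")
ACCOUNT_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def classify_sid(sid):
    """Return (kind, issuer, name_or_rid) for a string SID."""
    if not SID_RE.match(sid):
        raise ValueError("not a SID: %r" % sid)
    if sid in WELL_KNOWN:
        return ("well-known", None, WELL_KNOWN[sid])
    m = ACCOUNT_RE.match(sid)
    if m:
        # Issued by one machine or domain; the last field is the RID.
        return ("account", m.group(1), int(m.group(2)))
    return ("other", None, None)


def remote_token(computer_account_sid):
    """Simplified SID set the server sees when a NETWORK SERVICE process on a
    domain workstation connects: the computer account plus logon groups."""
    return {computer_account_sid, "S-1-1-0", "S-1-5-2", "S-1-5-11"}


def ace_grants(ace_sid, token_sids):
    """An allow ACE applies only if its SID is present in the caller's token."""
    return ace_sid in token_sids


# Constructed sample: the domain identifier and RID are made up.
WORKSTATION = "S-1-5-21-1111111111-2222222222-3333333333-1105"

if __name__ == "__main__":
    token = remote_token(WORKSTATION)
    for ace in ("S-1-5-20", WORKSTATION, "S-1-1-0"):
        print(ace, classify_sid(ace), "grants:", ace_grants(ace, token))
```

The model covers only the domain case described in the quoted answer and ignores domain group memberships and deny ACEs.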

Up, I am still highly interested in the topic and cannot find anything pertinent to further read on it in internet
July 29th, 2010 4:09pm

Do you have a particular problem or scenario you would like to discuss more?

Best regards
Joe Dunn MBCS, MCITP:EA, MCSE, CCNA
July 29th, 2010 4:50pm

Development on corporative Windows XP Pro, having necessity of full administration of local machine and/or workgroup with access to domain resources without having access to any administration (configuration) in domain. Currently it is being solved by logging in as machine administrator to Windows XP Pro (part of workgroup) and accessing domain resources by separate logging in with domain account. The desire is to avoid such inconvenient separation, i.e. dependence on the machine being or not part of domain. More concrete situations can be taken from cited above posts. Does answering to my questions require particular problems and scenarios?
July 29th, 2010 5:24pm

No, a particular problem or scenario is not required but it is sometimes easier to answer when it's put into context.

What you are trying to achieve is a normal setup for a domain member. Being a local administrator of a PC that is joined to the domain in no way grants the user any elevated permissions within the domain.

What you should do:
- Join the computer to the domain
- Create a user account in the domain for the particular user of the computer
- Grant the user account access to the required resources in the domain
- Either login to the computer with a local administrator account (local Administrator or Domain Admin) and add the new domain user account to the local Administrators group. OR If you have a large number of computers and you want a group of users to be local admins on all of them look at using Group Policy and the Restricted Group settings to control the membership of the local Administrators group.
- Login to the computer with the new domain user account.

The account will now be a local administrator and have access to the domain resources you gave it access to. It will not have access to change anything in the domain if you have not explicitly granted it permission to do so.

Hope this answers your question.

Best regards
Joe Dunn MBCS, MCITP:EA, MCSE, CCNA
July 30th, 2010 1:26am

"No a particular problem or scenario is not required but it is sometimes easier to answer when it's put into context. What you are trying to achieve is a normal setup for a domain member. Being a local administrator of a PC that is joined to the domain in no way grants the user any elevated permissions within the domain."

First, it is not normal. It completely disrupts the possibilities of mounting the development + testing + simulation infrastructure, environment and corresponding processes as well as R&D can accidentally disrupt domain.

Second, I wrote about administrator of Windows XP + workgroup not joined to domain and having NO access to administration of domain. Do you want to say that if to join machine to domain, one cannot install another Windows XP non-joined to domain? or run such virtual machine?

Ooops, it is going the same pattern: instead of answering me my questions I put in starting post (about, for ex., "NT Authority\Network Service", etc.), you are answering something
- I had not asked
- I am not interested in discussing and can find on internet
- I cannot do because I have no access to domain administration + generally I do not want accidentally disrupt domain functioning

I wrote the context:
1) Administrator of non-joined to domain machine+workgroup and domain user of joined to domain machine
2) No access to domain administration
July 30th, 2010 6:45am

This topic is archived. No further replies will be accepted.
