Confused over file access
Hi

I'm a very experienced developer, and like many I hate security (from a developer's standpoint it "gets in the way"). Of course I accept the need for it, but it is very frustrating and complex (I just tried setting up auditing for file access and that is bewildering).

My issue is, I am running some test code on a Vista box; it attempts to open some simple test file located on a share on a Server 2008 R2 box. I keep getting "access denied" though, even though the utility AccessEnum says "Everyone" has read and write access to the file.

Now what really confused me is that the user names in the various permissions dialogs often have the machine name preceding them: TESTSERVER\Mike, TESTSERVER\Administrator and so on.

But how can I add a permission ON THE SERVER that contains the machine name for the workstation, i.e. DESKTOP_01\NETWORK_SERVICE for example?

That is, if we have code running on the workstation under NETWORK SERVICE and I want that code to open/read/write the file on \\TESTSERVER\Folder

How do I "tell" Server 2008 R2 on the test server that I want to add permission for the NETWORK SERVICE that runs on the workstation?

Whenever I play with these security dialogs, I can never understand how to specify a user that is defined on another machine. These machines are set up as a workgroup, incidentally.

Thanks for any help.

Cap'n
July 20th, 2010 11:00pm

http://support.microsoft.com/kb/243330/en-us

Network Service is a well-known SID; it has the same SID on any machine. Instead of the machine name, it would use NT Authority\Network Service.
July 21st, 2010 12:13am

>>That is if we have code running on the workstation under NETWORK SERVICE and I want that code to open/read/write the file on
>>\\TESTSERVER\Folder
>>How do I "tell" Server 2008 R2 on the test server that I want to add permission for the NETWORK SERVICE that runs on the workstation?

NETWORK SERVICE is a well-known security object. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function. It has minimum privileges on the local computer and acts as the computer on the network (Computername$).

http://msdn.microsoft.com/en-us/library/ms684272(VS.85).aspx

Assuming a DOMAIN is in place, you can add the domain computer account (Computername$) to the Share and NTFS permissions. As an alternative, you can have the service run under a domain user account (domain\user), and permission that account to the share and NTFS permissions.

>>these machines are setup as a workgroup incidentally.

Without a domain, it's still possible to give access, but it is just that much more difficult.

1) You must run the service under a user account.
2) That same user account must be created on every computer in the workgroup that needs this permission.
3) Your passwords on all computers for this account must be the same.
4) Specify the local account for all accesses on every computer.
5) Disable the firewall on all computers in the workgroup.
July 21st, 2010 12:17am
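
Steps 1 to 4 of the workgroup procedure in the reply above, as an added example that is not part of any post in this thread. It is PowerShell wrapping the built-in `net`, `icacls` and `sc.exe` tools; the account name, folder path, share name and service name are assumptions.

```powershell
# Added example: run elevated, once per machine, with -Role Server or -Role Workstation.
param([ValidateSet('Server', 'Workstation')][string]$Role = 'Server')

# Assumed names, not from the thread: change them to match your setup.
$Account   = 'svc_filetest'     # local account, same name on both machines
$Folder    = 'D:\Folder'        # local path behind \\TESTSERVER\Folder
$ShareName = 'Folder'
$Service   = 'MyTestService'    # service that currently runs as NETWORK SERVICE

# NETWORK SERVICE is well-known SID S-1-5-20 on every machine, which is why
# it shows up as NT AUTHORITY\NETWORK SERVICE and never as DESKTOP_01\...
$sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-20'
"S-1-5-20 resolves to: " + $sid.Translate([System.Security.Principal.NTAccount]).Value

# Steps 2 and 3: same account name and same password on each machine.
# '*' makes net.exe prompt, so the password stays off the command line.
net user $Account * /add

if ($Role -eq 'Server') {
    # Step 4, NTFS side: Modify on the folder, inherited by subfolders (CI) and files (OI).
    icacls $Folder /grant "${Account}:(OI)(CI)M"

    # Step 4, share side: net share cannot edit an existing share's permissions,
    # so the share is removed and recreated with only this account granted.
    # Effective access over the network is the more restrictive of share and NTFS.
    net share $ShareName /delete
    net share "$ShareName=$Folder" "/grant:$Account,CHANGE"

    icacls $Folder              # print the resulting ACL to confirm the new entry
}
else {
    # Step 1: run the service under the local account instead of NETWORK SERVICE.
    # sc.exe needs the space after 'obj=' and 'password='.
    $pw = Read-Host "Password for $Account"
    sc.exe config $Service obj= ".\$Account" password= $pw
}
```

Setting the logon account through services.msc instead of `sc.exe` also grants the account the "Log on as a service" right, which a newly created local account does not have.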

Since the thread was marked as answered, I moved my questions to "Confused over file access" continued
July 26th, 2010 8:39pm
