Machine Account Can Access the Network. Why?
This started when I noticed that I was able to back up SQL Server databases to network shares on different servers even though all SQL Server services are logging in as "Local System", AKA "NT Authority\System". I looked at the login information on the destination machine while the backup was occurring and saw that domain\machinename$ was accessing the share. I have done this on at least 2 separate servers, although all servers are in the same domain.

I do not understand why this is happening for two reasons. First, the "Local System" account is not supposed to be able to access any network resources, and second, I have not granted that machine account access to any of the shares I have backed up to with SQL Server. My understanding of this situation is that SQL Server must be running under a domain account in order to have access to network resources, and the account must have the proper rights on the network resource in order to use it. The network admin here is stumped, and several people on various SQL Server forums are stumped.

I am all ears for any ideas on this situation. I can post more information as requested.

Thanks,
Chris
February 19th, 2009 5:27pm

Stamey, the following MSDN article is quite clear: http://msdn.microsoft.com/en-us/library/ms684190.aspx

The relevant snippet follows: "The LocalSystem account is a predefined local account used by the service control manager. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function. It has extensive privileges on the local computer, and acts as the computer on the network."

LocalSystem off box IS the machine account.

Andrew
February 20th, 2009 2:19am

This kind of turns things around, as far as MS documentation goes. Everyplace else I have looked states that this account cannot access network resources. On top of that, as I said before, if I have not given that account rights on another server it should not be able to access a share on the other server, yet it can.

Have I uncovered a security flaw in Win 2003?

Thanks,
Chris
February 20th, 2009 4:32pm

Chris, please point to Microsoft documentation that indicates the LocalSystem account does not act as the machine account off box?

Andrew
February 20th, 2009 8:39pm

Hi Chris, by default the computer account (local system) is able to access network resources. The Windows system also uses this account to get the domain group policy/computer configuration. To prevent the computer accounts from accessing the shared folder, please deny the computer accounts the Read/Write share permission for the shared folder.
February 24th, 2009 12:25pm

Andrew,

http://social.msdn.microsoft.com/forums/en-US/sqldatabasemirroring/thread/f98796fd-e308-47e6-9035-7a59eaf2f15b/
http://msdn.microsoft.com/en-us/library/aa274606(SQL.80).aspx

I didn't say that the LocalSystem account does not act as the machine off box. What I said was the documentation I have read states that the Local System account does not have access to network resources, therefore, if a SQL Server is running under a local system account it should not be able to access network resources. In my case it can, and I need to understand why because I have never seen this behavior before.

I have had the impression that the local system account was not able to access the network, other than for domain controller communication, mainly because you could not grant that account access to any resources on the network.

Joson,

Even if the local system account can talk to network resources, how can it have access to them if I have not granted it access, either by specifically naming that computer or a domain group that computer belongs to? I would think that a computer account would not have access to anything on the domain, by default, except the minimum necessary for it to interact with the domain controllers. On one of the servers I was able to back up my SQL database to, the share is wide open, but the ACL on the folder is: Administrators Full Control, Creator/Owner Special Permissions, Everyone List Folder Contents, System Full Control, Users Read/Execute.

Considering that ACL, and the fact that the computer is not in any of the groups mentioned above, how can that computer account write to that share location? If I am missing something, please tell me how to track down where this computer account has access.

Thanks,
Chris
February 24th, 2009 4:32pm

Stamey, the first link supports the argument that LocalSystem acts as the machine account on the network and therefore can access network resources [as the machine account]. The second link is concerning. I believe the article meant to say: LocalService. LocalService acts as anonymous on the network. I filed a report for this to be fixed. Other SQL Server specific pages do correctly describe the LocalSystem account: http://technet.microsoft.com/en-us/library/ms143504.aspx

A SQL Server service running as local system can access the network in the security context that it is running. In the event of local system, the service will access the network as the machine account, i.e. domain\machinename$

Perhaps you are confusing local system and local service?

Andrew
February 25th, 2009 11:08pm

I suppose part of it is familiarity with Win2000, which did not allow the local system account to access network resources. Even now, it seems more logical to require a service to run under "network service" in order to access network resources, than to also allow "local system", which historically has not had this type of access.

Regardless, at this point I do not care about that. My concern is securing my network by learning how to regulate what this account can access. As I said before, I cannot tell how the account is accessing the network resources, on multiple servers, unless the computer account somehow defaults to being in the Domain Admins group. While I cannot imagine this to be the case, I need to find the knowledge to analyze this situation fully, so I can make informed decisions regarding my network security.

Can anyone tell me how to track down how the machine account accesses network resources? As the machine account is not in any groups I am aware of, I don't see how it can access network resources. It would be like my personal account being able to access network resources even though I am not in any group that is supposed to have access to a particular resource.

I know how to track an ordinary user. Look to see what groups that account is in, and then follow the trail to the resource to see if that account or groups it belongs to have access to the network resource, including checking to see if that account or domain groups it belongs to belong to any local groups on the machine where the network resource is located, and if those local groups have access to the network resource.

Thanks,
Chris
February 26th, 2009 5:30pm

Through some testing, I have found that the problem is "Creator Owner" being in the ACL, having sufficient rights to do whatever they want in the shared directory. This makes absolutely no sense to me, as per my current understanding of the Creator Owner "group". My understanding is this allows the creator or owner of a file the rights that fall under the Creator Owner group, and may be less restrictive than rights for the owner's own account or groups the owner belongs to. This would facilitate the owner's group members to, say, read a file the owner created, but only the owner can modify it or delete it.

That said, and if true, then the account would have to have rights to do something in the share, create a file, before the Creator Owner rights would come into play, since if the account did not have rights to access the directory to begin with, they could never become a Creator/Owner.

If this is wrong, please help me understand. I continue to search the Internet for reasons why this behavior occurs.

Thanks,
Chris
February 26th, 2009 9:06pm
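The audit Chris asks for (which ACL entries on the backup folder cover a computer account that is never named in them) and the mitigation Joson suggests (deny the machine account Read/Write) can be scripted on the file server hosting the share. This is an added example, not code from the thread; the folder path and the CONTOSO\SQLSRV01$ account are placeholders, and it applies the deny as an NTFS ACE on the folder rather than as a share permission.

```powershell
# Added example: list the ACEs on a shared folder that implicitly include a domain
# computer account, and optionally add a Deny ACE for one machine account.
# Placeholders: $Path and $MachineAccount. Run as a local administrator on the file server.
param(
    [string]$Path = 'D:\SqlBackups',               # placeholder share folder
    [string]$MachineAccount = 'CONTOSO\SQLSRV01$', # placeholder computer account
    [switch]$AddDeny                               # apply the Deny ACE instead of only reporting
)

# A computer account is a member of these identities without ever being listed by name:
# Everyone and Authenticated Users include every account that authenticates to the
# domain (computer accounts included); on a domain-joined server BUILTIN\Users contains
# Authenticated Users; CREATOR OWNER becomes the identity of whoever created the object.
$implicit = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'CREATOR OWNER'
)

$acl = Get-Acl -Path $Path
Write-Host "Owner of ${Path}: $($acl.Owner)"
foreach ($ace in $acl.Access) {
    $id = $ace.IdentityReference.Value
    $covers = ($implicit -contains $id) -or ($id -like '*\Domain Computers') -or ($id -eq $MachineAccount)
    $flag = if ($covers) { 'COVERS-MACHINE-ACCOUNT' } else { '' }
    # Inherited ACEs come from a parent folder and must be fixed there, not on $Path.
    $src = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
    '{0,-6} {1,-38} {2,-32} {3,-9} {4}' -f $ace.AccessControlType, $id, $ace.FileSystemRights, $src, $flag
}

if ($AddDeny) {
    # Deny ACEs are evaluated before Allow ACEs, so this blocks the machine account even
    # when Everyone or CREATOR OWNER would otherwise grant it access. Inherit to children.
    $ruleArgs = @(
        $MachineAccount,
        [System.Security.AccessControl.FileSystemRights]'Read, Write',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny
    )
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    Write-Host "Added Deny Read/Write for $MachineAccount on $Path"
}
```

Run it without -AddDeny first to see which entries are flagged; if the machine account still writes afterwards, check the share-level permissions as well, since the NTFS ACL is only one of the two checks.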

Stamey, The following msdn article is quite clear: http://msdn.microsoft.com/en-us/library/ms684190.aspx The relevant snippet follows: "The LocalSystem account is a predefined local account used by the service control manager. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function. It has extensive privileges on the local computer, and acts as the computer on the network." LocalSystem off box IS the machine account. Andrew

Is the machine account of a Windows computer being changed by the process of joining to AD? Homework? Or is the AD machine account created anew by joining a machine to the domain and does it exist in parallel with the "local" (non-domain) machine account? And what are the differences? Are the meaning and rights of LocalAccess different on workgroup, homegroup and AD domain?
August 10th, 2010 9:22am
