Re: Adding a computer account to file's security list

From: Herb Martin (news_at_LearnQuick.com)
Date: 07/15/04


Date: Thu, 15 Jul 2004 16:44:48 -0500


"Rich Evans" <google@macrotex.net> wrote in message
news:422494b1.0407151250.25c902b0@posting.google.com...
> In the Active Directory you can add not only users and groups to a
> file or folder Security list, but also computer accounts. What results
> from granting Change permission on a folder to a computer account?

It's going to sound redundant, but it would allow the computer's account
(presumably you mean its account in the domain) to Change that
resource.

> Does this mean that _anyone_ logged into that machine has Change
> permission?

Not at all - it gives NO ONE except the computer additional access.

> Or does it mean any local account on that machine has
> Change permission?

Yes.

This is seldom done, since most resource access is by "user accounts",
but as of Win2000, computer accounts were made "first class security
objects" (full security principals).

This "first class" behavior means that you can place the computer
account into groups and grant or deny it permissions or rights on
the network/domain resources.

Under NT, you could use the "system" account but this was a purely
local account and could not be granted access on network resources
as a domain account can (now) be granted.

Mostly this feature is used for two main purposes:

        1) Filtering GPO objects so that they only apply to a subset of
        the computer accounts in a domain or OU.

        2) Allowing access to files on the network so that
        Group Policy "software assignments" to the computer can be
        fetched from the network shares by the computer account even
        before any user is logged on.

Of course, you can use this feature for any granting or denying of
permissions or rights that make sense for a "computer" ITSELF,
but the above two are the obvious new situations for which the
feature was primarily enabled in Win2000+.

-- 
Herb Martin
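The grant Herb describes, written out as a PowerShell example. This is added here and is not code from the original thread; the domain name EXAMPLE, the computer account WS01 and the folder D:\Deploy are assumptions for illustration. It adds an NTFS Modify ACE (the NTFS counterpart of the share-level "Change") for the computer account and then reads the ACL back so you can confirm that the only new entry is the one for WS01$. Run it on the file server in an elevated PowerShell session.

```powershell
# Added example, not from the original post. Assumed names: domain EXAMPLE,
# computer account WS01, folder D:\Deploy on the file server.
$domain   = 'EXAMPLE'
$computer = 'WS01'
$path     = 'D:\Deploy'

# A computer account's SAM account name is the host name followed by '$'.
# The backtick stops PowerShell from treating "$" as the start of a variable.
$identity = "$domain\$computer`$"

# Modify rather than FullControl: the machine needs to read and update files
# (e.g. fetch assigned software), not rewrite permissions or take ownership.
# ContainerInherit + ObjectInherit makes the ACE apply to subfolders and files.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $identity,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)

# Get-Acl / Set-Acl round-trip: read the DACL, append the ACE, write it back.
$acl = Get-Acl -Path $path
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Verification: list the ACEs on the folder that name the computer account.
# Nothing else should have changed; no user or group gained access.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -eq $identity } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

To see the grant from the client side, run a command as the local SYSTEM account on WS01 (for instance a Sysinternals `psexec -s cmd`) and list the share: on a domain-joined machine, processes running as LocalSystem or NetworkService authenticate to remote resources as EXAMPLE\WS01$, which is exactly the identity the ACE above names. A user logged on interactively to WS01 still authenticates to the share with their own account and gets nothing from this ACE.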

