Re: How does Local System Account bypass file permissions during a backup?

From: Marco (tired.of.spam_at_hotmail.com)
Date: 11/04/04


Date: Thu, 4 Nov 2004 14:58:48 +0100

1st line says it all:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/the_localsystem_account.asp

cheers,

Marco

-- 
Free five computers' license for NeoExec for Active Directory
[ www.neovalens.com ]
----
"Tommy Gilchrist" <tommy@delete.gilchristcs.the.com.needful> wrote in 
message news:bhrjo01ghsvq1b7fvf47nn4p33hucucgbh@4ax.com...
> On Thu, 4 Nov 2004 10:13:19 +1100, "Pegasus \(MVP\)" <I.can@fly.com>
> wrote:
>
>>
>>"Tommy Gilchrist" <tommy@delete.gilchristcs.the.com.needful> wrote in
>>message news:1imio0524tuobb6i56b6amrvvlib5ce48p@4ax.com...
>>> Folks
>>>
>>> I wonder could you shed some light on a problem we're having.
>>>
>>> The nature of the problem is very odd in that I'm arguing with a
>>> backup vendor who shall remain nameless over a feature that I need,
>>> that any backup software should be able to do, that their software
>>> seems to be capable of doing but (and this is the odd bit) they claim
>>> their software CAN'T do!
>>>
>>> The backup agent runs under the local system account and the vendor is
>>> claiming that this means that all files must have "SYSTEM" granted
>>> read access in order to guarantee a successful backup. Given that
>>> there are about 100 file servers hosting millions of files in the
>>> environment and multiple people have access to change permissions this
>>> obviously can't be guaranteed.
>>>
>>> However I can create files, give them very restricted permissions,
>>> even remove all permissions and the backup program can back them up
>>> successfully. I've tested this on Windows NT 4.0, 2000 and 2003.
>>>
>>> What may help move the discussion forward is an understanding of how
>>> the local system account accesses files. I understand that members of
>>> the Backup Operators group and the Administrators group get the "Back
>>> up files and folders" permission which will permit this. However the
>>> SYSTEM account isn't a member of either group by default.
>>>
>>> Is the SYSTEM account the same as the Local System Account services
>>> run under? Does the Local System Account have these permissions
>>> automatically or is this not relevant at all and am I barking up the
>>> wrong tree?
>>>
>>> thanks
>>>
>>> tommy
>>
>>The SYSTEM account has implicit access permissions to all local
>>files and folders (but not to networked resources). This is independent
>>of any NTFS permissions that you might set.
>>
> Thanks for this. I suspected it was something of this nature.
>
> Do you know if this is documented anywhere, preferably on one of
> Microsoft's sites?
>
> tommy 