Cannot add 'Network Service' to ACL on DC

November 24, 2010 at 06:49:43
Specs: Windows Server 2003 SP2
Hi

I hope someone is able to help, it's been driving me NUTS for days now and extensive Googling hasn't quite yielded an answer!

I need to add the NT AUTHORITY\NETWORK SERVICE account to the ACL of a directory on our server - however, the account does not show up on any searches whatsoever. I understand from my searches, that although domain controllers do not have local accounts, they do still have the built-in 'special' accounts and that these should possibly be held within Active Directory under 'Foreign Security Principals' - but we only have two accounts listed in that OU - 'NT AUTHORITY\Authenticated Users' and 'NT AUTHORITY\INTERACTIVE'. Does anyone know if Network Service should be listed in there and if so how I'd go about getting it in there? And if not, how do I add the Network Service account in the ACL for a domain controller?

Many thanks in advance


Chris



#1
November 24, 2010 at 08:06:07
Out of curiosity, why do you need to add a system account to a directory?
What is this addressing?

Answers are only as good as the information you provide.
How to properly post a question:



#2
November 24, 2010 at 08:15:01
We have an application called GFI MailEssentials, which - amongst other things - is a spam filter for our Exchange server. We have upgraded to the new version, which has an IIS-powered web-based spam quarantine, where users are supposed to be able to approve messages marked as spam that shouldn't be.

This isn't working and the advice of GFI has been to ensure that Network Service has access to the directory where the IIS virtual directory points to (in %ProgramFiles%).



#3
November 24, 2010 at 09:01:38
And here I would have thought Everyone with full control to the folder would have been the path to follow.

http://support.microsoft.com/kb/812519

If you look at the DHCP service and the logon, what is it running under?

What happens when you go to that folder, go to properties/security/add and type in network service and then click on check names?

I do have a network service under foreign, but its description is that this was added from an external domain [which never happened here]. I have to think it was a result of a schema upgrade dealing with Exchange or part of our migration to 2008.


#4
November 24, 2010 at 09:15:36
I have to say that long-term I am very much against giving 'Everyone' full control to the directory, but I have tried it as an experiment and am still getting the same issue, so perhaps this is a red herring to the specific issue we are having.

However, I do still think we have a problem with not being able to add Network Service to directory permissions. If I type in network service (or networkservice), the server complains that it can't find what I'm looking for. I am searching in 'Users, Computers, Groups and Built in Security Principals'.

Thank you very much for your suggestions by the way - it's all food for thought for me!



#5
November 24, 2010 at 21:59:59
The fear over "everyone" is greatly exaggerated. You can't logon as "everyone". You can't do anything as "everyone".

Again: what is your DHCP service running under?

The holdup here is [if GFI is correct] you don't have the network service.

Have you installed IIS? From what I have gleaned, that install creates/uses the network service, which btw only exists under foreign. It doesn't exist anywhere else I could see.


#6
November 25, 2010 at 07:33:30
Yes - but 'Everyone' is surely a group that contains all users - so if 'Everyone' has full access to a folder, surely any authenticated user can delete or modify whatever they like?

Apologies, I missed your previous question - the DHCP client is running under 'Network Service', but it is not a DHCP server. There are also several other services running under 'Network Service'.

We do have IIS installed, as we run OWA (it's our Exchange server).

Thanks again.



#7
November 27, 2010 at 09:26:36
If you see services listed as running under network service then the service has to exist.

When assigning to a folder you may wish to look at local not domain groups to see if it shows up.


#8
November 29, 2010 at 01:38:25
Yeah, but the problem is there is no option to look at local groups when trying to assign permissions, you only get the option to look in the 'Entire Directory'.


#9
November 29, 2010 at 10:05:51
That makes sense since it's a DC and you don't have network service in AD.

I can't find anything on when this service is created or how to restore the account.

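An added example, not part of the thread and not GFI's or Microsoft's code: NETWORK SERVICE is a well-known principal with the fixed SID S-1-5-20, so an ACE for it can be written by SID even when the object picker cannot find the name. It assumes PowerShell is installed on the server; the folder path and the ReadAndExecute level are placeholders to adjust to what the application needs, and the script also flags the "Everyone: Full Control" grant discussed in the thread.

```powershell
# Added example. $Path is a hypothetical placeholder: point it at the folder
# behind the IIS virtual directory.
param([string]$Path = 'C:\Example\QuarantineSite')

# Well-known SIDs are identical on every Windows machine, so no directory
# search is needed to reference these principals.
$netSvc   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-20'  # NETWORK SERVICE
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'   # Everyone

# Check whether this machine can map the SID back to a display name.
try {
    $name = $netSvc.Translate([System.Security.Principal.NTAccount]).Value
    Write-Output "S-1-5-20 resolves to: $name"
} catch {
    Write-Warning 'S-1-5-20 did not resolve to a name; the ACE is still written by SID.'
}

$acl = Get-Acl -Path $Path

# Enumerate explicit and inherited ACEs keyed by SID rather than by name.
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$full  = [int][System.Security.AccessControl.FileSystemRights]::FullControl

foreach ($r in $rules) {
    $isFull = (([int]$r.FileSystemRights) -band $full) -eq $full
    if ($r.IdentityReference.Value -eq $everyone.Value -and
        $r.AccessControlType -eq 'Allow' -and $isFull) {
        # Left over from troubleshooting? Remove it once the real ACE works.
        Write-Warning "Everyone has Full Control on $Path (inherited: $($r.IsInherited))"
    }
}

# Add the ACE only if NETWORK SERVICE has no Allow entry yet.
$existing = $rules | Where-Object {
    $_.IdentityReference.Value -eq $netSvc.Value -and $_.AccessControlType -eq 'Allow'
}
if (-not $existing) {
    # Assumption: read/execute is enough; inherit to subfolders and files.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $netSvc, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    Write-Output "Added ReadAndExecute for S-1-5-20 on $Path"
} else {
    Write-Output "S-1-5-20 already has an Allow ACE on $Path"
}
```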