System context has all permissions, but can't access file in share folder via Run Command in Az

Time:09-26

Scenario: We have a file in a share folder. We are copying the file from the share folder to a local computer using a PowerShell command run via Run Command in Azure:

Copy-Item -Path \\SHARE_FOLDER\installs\MY_FILE.TXT -Destination C:\LOCAL\ -Force

Run Command returns this error:

Copy-Item : Access to the path '\\SHARE_FOLDER\installs\MY_FILE.TXT' is denied.
At C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.8\Downloads\s
cript11.ps1:1 char:1
  Copy-Item -Path \\SHARE_FOLDER\installs\MY_FILE.TXT -Destination C:\LO ...
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      CategoryInfo          : PermissionDenied: (\\SHARE_FOLDER\installs\MY_FI 
   LE.TXT:FileInfo) [Copy-Item], UnauthorizedAccessException
      FullyQualifiedErrorId : CopyFileInfoItemUnauthorizedAccessError,Microsof 
   t.PowerShell.Commands.CopyItemCommand
 
Copy-Item : Access to the path '\\SHARE_FOLDER\installs\MY_FILE.TXT' is denied.
At C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.8\Downloads\s
cript11.ps1:1 char:1
  Copy-Item -Path \\SHARE_FOLDER\installs\MY_FILE.TXT -Destination C:\LO ...
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      CategoryInfo          : NotSpecified: (:) [Copy-Item], UnauthorizedAcces 
   sException
      FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.Pow 
   erShell.Commands.CopyItemCommand

Run Command runs as System.

Why isn't System able to copy the file over? It appears to have all the permissions required to do so.

Adding Everyone to File Sharing fixes the problem. The file is successfully copied over.

CodePudding user response:

When accessing the network share you have to use network accounts. SYSTEM is a local service account; such accounts don't exist outside the machine they are attached to, so they are not part of the domain. You can have domain service accounts, but these exist as part of AD rather than as accounts on a machine. When using the SYSTEM account on different computers, you refer to different accounts.

In a domain environment, to access network shares you can grant access rights to computer accounts; this applies to processes running on those computers as LocalSystem or NetworkService (but not LocalService, which presents anonymous credentials on the network) when they connect to remote systems. LocalSystem presents the computer's credentials to remote computers.

Each computer in an AD domain is represented by a hidden object that can be found as the COMPUTER$ account.

COMPUTER here refers to the AD name of the domain computer.

Accordingly, you need to add the COMPUTER$ account to the NTFS and share permissions so that this computer can access your share as LocalSystem.

Note: You can't use computer accounts in a workgroup environment; this applies only to domains.
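
The grant described in the answer above, as an added example that is not part of the original answer: it gives one computer account read access at both the share and NTFS layers instead of adding Everyone. The domain name CONTOSO and computer name AZVM01 are assumed placeholders; `installs` is the share name from the UNC path in the question.

```powershell
# Run in an elevated session on the file server that hosts the share.
# Assumed placeholders (not from the original post): CONTOSO, AZVM01.
$Domain    = 'CONTOSO'
$Computer  = 'AZVM01'      # AD name of the VM where Run Command executes
$ShareName = 'installs'    # share name from \\SHARE_FOLDER\installs

# Computer accounts end in '$'; the backtick keeps it literal in the string.
$account = "$Domain\$Computer`$"

# Resolve the name to a SID first so a typo or a machine that is not
# domain joined fails here, before any permission is changed.
$nt  = New-Object System.Security.Principal.NTAccount($account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
Write-Host "Resolved $account to $($sid.Value)"

# 1. Share-level permission: read only, for this one computer account.
Grant-SmbShareAccess -Name $ShareName -AccountName $account `
    -AccessRight Read -Force | Out-Null

# 2. NTFS permission on the folder behind the share, inherited by
#    subfolders and files. Both layers must allow the access.
$path = (Get-SmbShare -Name $ShareName).Path
$acl  = Get-Acl -Path $path
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $nt, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# 3. Review what is now granted at each layer.
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -eq $account } |
    Format-Table IdentityReference, FileSystemRights, IsInherited

# If Everyone was added to the share as a workaround, it can be removed
# once the computer account grant is confirmed to work:
# Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force
```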
