Scenario: We have a file in a share folder. We are copying the file from the share folder to a local computer using a PowerShell command run via Run Command in Azure:
Copy-Item -Path \\SHARE_FOLDER\installs\MY_FILE.TXT -Destination C:\LOCAL\ -Force
Run Command returns this error:
Copy-Item : Access to the path '\\SHARE_FOLDER\installs\MY_FILE.TXT' is denied.
At C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.8\Downloads\s
cript11.ps1:1 char:1
Copy-Item -Path \\SHARE_FOLDER\installs\MY_FILE.TXT -Destination C:\LO ...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CategoryInfo : PermissionDenied: (\\SHARE_FOLDER\installs\MY_FI
LE.TXT:FileInfo) [Copy-Item], UnauthorizedAccessException
FullyQualifiedErrorId : CopyFileInfoItemUnauthorizedAccessError,Microsof
t.PowerShell.Commands.CopyItemCommand
Copy-Item : Access to the path '\\SHARE_FOLDER\installs\MY_FILE.TXT' is denied.
At C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.8\Downloads\s
cript11.ps1:1 char:1
Copy-Item -Path \\SHARE_FOLDER\installs\MY_FILE.TXT -Destination C:\LO ...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CategoryInfo : NotSpecified: (:) [Copy-Item], UnauthorizedAcces
sException
FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.Pow
erShell.Commands.CopyItemCommand
Why isn't System able to copy the file over? It appears to have all the permissions required to do so.
Adding Everyone to File Sharing fixes the problem. The file is successfully copied over.
CodePudding user response:
When accessing a network share you have to use network accounts. SYSTEM is a local service account; such accounts don't exist outside the machine they are attached to, so they are not part of the domain. You can have domain service accounts, but these exist as part of AD rather than as accounts on a machine. When using the SYSTEM account on different computers, you refer to different accounts.
In a domain environment, to access network shares you can grant access rights to computer accounts; this applies to processes running on those computers as LocalSystem or NetworkService (but not LocalService, which presents anonymous credentials on the network) when they connect to remote systems.
LocalSystem presents the computer's credentials to remote computers.
Each computer in an AD domain is represented by a hidden object that can be found as the COMPUTER$ account. COMPUTER here refers to the AD name of the domain computer.
Accordingly, you need to add the COMPUTER$ account to the NTFS and share permissions so that this computer can access your share as LocalSystem.
Note: You can't use computer accounts in a workgroup environment; this applies only to domains.
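The following is an added example, not part of the original question or answer: one way to grant the computer account read access at both the share and NTFS level and to withdraw the Everyone grant used as a workaround. The domain name CONTOSO and computer name AZUREVM01 are placeholders; it assumes an elevated session on the file server hosting the installs share.

```powershell
# Run on the file server that hosts the share, in an elevated session.
# Placeholders (assumptions, not from the page): CONTOSO, AZUREVM01.
$ShareName = 'installs'               # share name from \\SHARE_FOLDER\installs
$Principal = 'CONTOSO\AZUREVM01$'     # computer account of the VM where Run Command executes

# Resolve the account first so a typo fails here instead of producing a broken ACE.
$null = ([System.Security.Principal.NTAccount]$Principal).Translate(
    [System.Security.Principal.SecurityIdentifier])

$share = Get-SmbShare -Name $ShareName -ErrorAction Stop

# Share-level permission: read-only for this one computer.
Grant-SmbShareAccess -Name $ShareName -AccountName $Principal -AccessRight Read -Force |
    Out-Null

# NTFS permission: read and execute, inherited by subfolders and files.
$acl  = Get-Acl -Path $share.Path
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $Principal, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share.Path -AclObject $acl

# Remove the broad share grant if it was only added as a workaround.
if (Get-SmbShareAccess -Name $ShareName | Where-Object AccountName -eq 'Everyone') {
    Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force | Out-Null
}

# Review the resulting share and NTFS entries.
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight
(Get-Acl -Path $share.Path).Access |
    Where-Object { $_.IdentityReference.Value -eq $Principal } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType
```

Both layers must allow the account, because the effective access over SMB is the more restrictive of the share permission and the NTFS permission.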