I am running a Dotnet 3.5 executable in Windows 7 Ent, as a GPO computer startup script in a domain. The script resides on a network share. The exe is run as Local System. The exe runs correctly.
I would like to access a web Service in this exe, but it appears that the Local System does not have access to network resources per documentation. However if the same exe is copied to the C Drive and run from there under the same account and same conditions (i.e. GPO startup script) then the Web Service can be accessed.
How is it that the Local System has access to the web service when running from C: drive, but not from the Network Share? Is there anything that can be done to make it work from the network share, without first being copied to the local drive? is Local System same as SYSTEM and same as NTAuthority\system?
I have tried the following so far to make it work. None of these work:
- Impersonate a domain user in code.
- Give Full Trust to all zones in .Net Security Configuration
- Add the network share to Trusted Sites in IE.
- Use the netbios name instead of the fully qualified name of the fileserver, i.e. \server\share, rather than \server.domain.com\share
The following things I cannot do to fix this problem:
- Change the logon account of the Group Policy Client service to a domain user
- Run the exe as logon script. It has to be startup script.
To reproduce this problem I do the following:
- Create an simple exe with some network function, i.e. WebClient.DownloadString("http://www.google.com")
- Deploy exe to a network share
- Run as normal user to show there is no error
- Run whoami to show the current user
- run psexec -s -i cmd.exe
- Cmd will start as SYSTEM (Local System or NT Authority\System)
- Run whoami to show the current user
- Run exe from network share to show it will fail to download the page.
- Copy the exe to C Drive.
- Run exe to show the page is downloaded.