November 23, 2010

What does "Access this computer from the network" really do?

When I first started out, the different local security policies would confuse me, and the lengthy but useless Microsoft descriptions do not help much either.

One of the common rights I frequently have to deal with is Access this computer from the network. Sometimes, users will have issues accessing their servers. When told this right is needed, they will ask what it is for. This is where the dreaded time comes to explain it to users in layman's terms.

Finally, I decided to check what this right does explicitly and, to my surprise, it does not affect RDP login to servers. From WindowsITPro:

"Despite the broad-sounding name, the Access this computer from the network user right applies only to the Server service and the resources it provides. The Server service primarily provides remote access to files and printers but also provides remote access to the resources you see in the Microsoft Management Console (MMC) Computer Management snap-in, including event logs, shared folders, local users and groups, logical disk management, and applications that use named pipes. However the Access this computer from the network user right has no effect on services such as World Wide Web Publishing, Telnet, and Terminal Services. To control access to these services, you must implement security settings specific to each service as necessary."

Put into context, users will not be able to access files or printers remotely if their accounts are not included in this policy. This is so even if they have been granted share and NTFS permissions on a particular folder.
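To see whether an account is covered by this right, the user-rights section of the local policy can be exported with `secedit` and checked against the account's SIDs. The script below is an added example, not part of the original post: `SeNetworkLogonRight` is the constant name under which this right appears in the export, while the function names, the sample export lines and the user SID are constructed for illustration.

```powershell
# Added example (not from the original post).
# SeNetworkLogonRight = "Access this computer from the network".

function Get-NetworkLogonRightSids {
    param([string[]]$PolicyLines)   # lines of a "secedit /export" file
    $line = $PolicyLines |
        Where-Object { $_ -match '^\s*SeNetworkLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return }      # right is not assigned to anyone
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            $entry.Substring(1)     # entries prefixed with * are SIDs
        } elseif ($entry) {
            # Entries without * are account names; resolve them to SIDs.
            try {
                $acct = New-Object System.Security.Principal.NTAccount($entry)
                $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { Write-Warning "Cannot resolve '$entry' to a SID" }
        }
    }
}

function Test-NetworkLogonRight {
    param(
        [string[]]$PolicyLines,
        [string[]]$AccountSids      # the user's SID plus the SIDs of its groups
    )
    $granted = @(Get-NetworkLogonRightSids -PolicyLines $PolicyLines)
    [bool]($AccountSids | Where-Object { $granted -contains $_ })
}

# Constructed sample export: only Administrators (S-1-5-32-544) and
# Backup Operators (S-1-5-32-551) hold the right.
$sample = @(
    '[Privilege Rights]',
    'SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-551'
)
# Constructed account: a domain user that is only a member of BUILTIN\Users.
$userSids = @('S-1-5-21-1111111111-2222222222-3333333333-1105', 'S-1-5-32-545')

# Share and NTFS permissions do not matter here: no SID of this account
# is in the policy, so remote access through the Server service is refused.
Test-NetworkLogonRight -PolicyLines $sample -AccountSids $userSids

# Against the live policy (elevated prompt), for the current user:
# secedit.exe /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS | Out-Null
# $me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
# Test-NetworkLogonRight -PolicyLines (Get-Content "$env:TEMP\rights.inf") `
#     -AccountSids (@($me.User.Value) + $me.Groups.Value)
```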

On a side note, if remote access to file shares is not working, restarting the Server service might do the trick.

This can be useful, for example, during Disaster Recovery scenarios where a storage LUN is unmounted from the Production server and mounted on the DR server. If the file shares (and the hand icons) do not appear, restarting the Server service will usually resolve the issue, provided this is not the first time that the LUN is mounted on DR and share permissions have previously been assigned. NTFS permissions will not be lost when swinging the LUN from one server to another, but they will also need to have been assigned previously.


