Giving permissions to a SQL Job to be able to access/modify folders and files on a different server - sql

I have a sql job on SERVER01.
Part of the job is to access a folder located on a different server:
\\SERVER02\Files
I need to be able to create folders and files under it as well as modify/delete files.
The \\SERVER02\Files folder is being shared with several different accounts.
If I go to SERVER02 and try to UNC path to \\SERVER02\Files, it'll ask for a password.
Since the servers are in two different domains, I need to specify the domain for the account:
DOMAIN\accountName
password
Questions:
What is the correct way for me to set this up so that the job will have access to the other server so it can manipulate the files at \\SERVER02\Files ?
This is very confusing so I'm trying to get it right. Any help would be greatly appreciated.
Thanks.

We have this same issue in our own environment, because we have two domains that have to share resources. The technically correct solution is to set up a trust between the two domains so that user logins are mapped across the domains. If you're like us and can't set up a domain trust, you can try some of the following solutions:
Log in under the account that the SQL job runs under on SERVER01, and use the Credential Manager to create a login to SERVER02 with the other domain's user / password.
Under the account that the SQL job runs under, create a network share to the UNC path with the credentials embedded: NET USE M: \\SERVER02\Files [password] /user:[domain\user]. You will have to make sure this path is always mapped before the job runs, and use M: for your path.
If you have a specific process/command you need to run that accesses the network path, you can start that particular process using runas to authenticate with the second domain's credentials: runas /netonly /user:[domain\user] "/path/to/mytask.exe". This prompts for the password, but that can be piped in with echo [password]|runas ...
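The following is an added example, not part of the answer above: a PowerShell job step for the SQL Server Agent job on SERVER01 that maps \\SERVER02\Files with explicit credentials from the other domain, without the password appearing in the job step text (a CmdExec step containing "NET USE ... [password]" stores that password in clear text in msdb.dbo.sysjobsteps). The credential file path, the job name and the account names are assumptions for the example. The one-time setup in the header comment must be run as the Agent service account, because Export-Clixml protects the password with DPAPI bound to the exporting user and machine.

```powershell
# Added example (not from the original answer): SQL Server Agent PowerShell job
# step that reaches \\SERVER02\Files in another domain without a trust.
#
# One-time setup, run interactively AS THE AGENT SERVICE ACCOUNT, for example
# via: runas /user:DOMAIN01\sqlagent powershell.exe
#   Get-Credential -UserName 'DOMAIN02\accountName' -Message 'SERVER02' |
#       Export-Clixml -Path 'C:\SqlJobs\server02.cred.xml'
# The SecureString inside the file is DPAPI-encrypted for that user on that
# machine, so a copied file is useless to anyone else.

$CredPath = 'C:\SqlJobs\server02.cred.xml'   # assumed location
$Share    = '\\SERVER02\Files'
$JobName  = 'NightlyExport'                   # assumed job name

function Connect-JobShare {
    param([string]$Path, [string]$CredentialFile)
    # Import-Clixml only decrypts under the same user/machine that exported it.
    $cred = Import-Clixml -Path $CredentialFile
    # A PSDrive with explicit credentials is visible only to this process, unlike
    # a persistent "net use" mapping shared by everything running as the account.
    # -Scope Script keeps the drive alive after this function returns.
    New-PSDrive -Name 'S02' -PSProvider FileSystem -Root $Path `
        -Credential $cred -Scope Script -ErrorAction Stop | Out-Null
    return 'S02:'
}

try {
    $drive = Connect-JobShare -Path $Share -CredentialFile $CredPath
    $dest  = Join-Path $drive ('{0}_{1:yyyyMMdd}' -f $JobName, (Get-Date))

    # Exercise create, modify and delete so a missing permission fails here,
    # as a terminating error that makes the Agent report the step as failed.
    New-Item -ItemType Directory -Path $dest -Force -ErrorAction Stop | Out-Null
    $file = Join-Path $dest 'export.csv'
    Set-Content -Path $file -Value 'id,name' -Encoding UTF8 -ErrorAction Stop   # constructed payload
    Add-Content -Path $file -Value '1,sample' -ErrorAction Stop
    Get-ChildItem -Path $dest -Filter '*.tmp' -ErrorAction Stop | Remove-Item -Force -ErrorAction Stop
}
finally {
    # Always unmap, even on failure, so a stale mapping does not outlive the job.
    if (Get-PSDrive -Name 'S02' -ErrorAction SilentlyContinue) { Remove-PSDrive -Name 'S02' -Force }
}
```

SERVER02 validates the DOMAIN02 credentials against its own domain, so no trust is needed; the cost is that the account's password now lives on SERVER01, protected only by DPAPI under the Agent service account, so that account should be a dedicated one with rights to nothing but the share.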

Related

VB.net create Active Directory account on another domain

I have two Active Directory forests on separate domains. Call them Domain1 and Domain2.
I want to be able to run this application from a computer in Domain1 and it will create an account in Domain2. I know this can be done in PowerShell by using new-pssession. Any help is appreciated.
-M
Excellent tutorial on all things .net -> AD.
http://www.codeproject.com/Articles/19689/Working-with-Active-Directory-in-VB-NET
You'll need to make sure that you have access to LDAP/ADSI from wherever you run the application though. Being on another domain isn't the issue; not being inside the network where the AD server resides is. Usually these things aren't internet-facing, since that would be a massive security concern.
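As an added example, not from the answer or the linked article, the same ADSI approach the article uses (System.DirectoryServices) from PowerShell: a machine in Domain1 binds to a Domain2 domain controller with explicit Domain2 credentials and creates an enabled user. The DC name, OU path, UPN suffix and account names are placeholders.

```powershell
# Added example (not from the original answer): create a user in Domain2 from a
# machine joined to Domain1 using ADSI with explicit credentials.
Add-Type -AssemblyName System.DirectoryServices

function New-RemoteDomainUser {
    param(
        [string]$OuPath,              # e.g. 'LDAP://dc1.domain2.example/OU=Staff,DC=domain2,DC=example'
        [pscredential]$Credential,    # a Domain2 account allowed to create users in that OU
        [string]$SamAccountName,
        [string]$DisplayName,
        [string]$UpnSuffix,           # e.g. 'domain2.example'
        [securestring]$InitialPassword
    )
    # Negotiate (Kerberos/NTLM) with signing and sealing: neither the bind
    # credential nor the password set below crosses the wire in clear text.
    $auth = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
            [System.DirectoryServices.AuthenticationTypes]::Sealing -bor
            [System.DirectoryServices.AuthenticationTypes]::Signing
    $ou = New-Object System.DirectoryServices.DirectoryEntry(
        $OuPath, $Credential.UserName, $Credential.GetNetworkCredential().Password, $auth)

    $user = $ou.Children.Add("CN=$DisplayName", 'user')
    $user.Properties['sAMAccountName'].Value    = $SamAccountName
    $user.Properties['userPrincipalName'].Value = "$SamAccountName@$UpnSuffix"
    $user.Properties['displayName'].Value       = $DisplayName
    $user.CommitChanges()    # the object must exist before a password can be set

    # New AD users are created disabled; set the password, force a change at
    # first logon, then enable (userAccountControl 512 = NORMAL_ACCOUNT).
    $plain = (New-Object System.Net.NetworkCredential('', $InitialPassword)).Password
    $user.Invoke('SetPassword', $plain)
    $user.Properties['pwdLastSet'].Value        = 0
    $user.Properties['userAccountControl'].Value = 512
    $user.CommitChanges()
    return $user.Path
}

# Usage (prompts for both secrets; nothing is hard-coded in the script):
$cred = Get-Credential -UserName 'DOMAIN2\provisioner' -Message 'Domain2 account that may create users'
New-RemoteDomainUser -OuPath 'LDAP://dc1.domain2.example/OU=Staff,DC=domain2,DC=example' `
    -Credential $cred -SamAccountName 'jdoe' -DisplayName 'Jane Doe' -UpnSuffix 'domain2.example' `
    -InitialPassword (Read-Host -AsSecureString -Prompt 'Initial password for jdoe')
```

This is exactly the reachability point the answer makes: the Domain1 machine needs a network path to a Domain2 DC (LDAP on 389, Kerberos on 88, and SMB/RPC for the SetPassword call), which is why it works inside the network and not from the internet.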

NTFS vs. File Share

In helping out a friend with a few questions for CS, I came across one that I had no prior experience with and was hoping someone would be able to clarify the difference between NTFS and File Share for me.
To help, the question we faced was:
A folder storing a faculty member’s personal documents is set as a share to which everyone has full access. The only person with NTFS permissions on the folder is said faculty member. Can everyone else access the documents?
I appreciate any clarification you can provide. I'd love your help in learning about this!
Short answer: No.
In Windows each file and directory has an ACL controlling access to it.
Each file share also has an ACL controlling access to the share.
When you access a remote file through a share you are doing so using the credentials used to log in to the local computer. (You can connect using different credentials by entering a username/password when connecting).
The remote computer tests the supplied credentials against the ACL on the share.
Once you are past that, then every file you attempt to access on the remote machine through this connection will be checked using your credentials against the ACL on the file and the share. This allows a file share to offer more restricted access to some files than if the same user were attempting to access them locally. (So you could share files as read-only, even if the ACLs on the files themselves would allow that user write access).
If the file share is of a FAT file system then the only ACL checking that is done is against the file share itself because FAT doesn't support ACLs.
When computers are not in a domain and all user accounts are local user accounts then permissions are maybe not what you expect. Unlike Unix/Linux, it is generally not possible to create the same user account (uid) on two computers because Windows basically uses a GUID for the UID (a big random number). So when you attempt to look at file owner or ACL information on remote files, since those files are all owned by local accounts on the remote computer, to your local computer those UIDs will not be recognized (see dir /q from the command line).
Windows can be setup to make non-domain file sharing a little easier. It can be set so that when you attempt to access the remote file share, as long as the remote computer has an account with the same username and password as the local computer, then the connection is allowed -- and you are logged into the remote computer using the remote computer users account.
For reference, see information on NTLM, SMB and NETBIOS.
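The two-stage check the answer describes, as an added example that is not part of the original answer: a small PowerShell model that evaluates a user first against the share ACL and then against the NTFS ACL and reports the more restrictive of the two. The ACL entries are constructed for the faculty-folder question (group membership is passed in explicitly; real group expansion and inherited entries are outside this model); on a live server the same inputs come from Get-SmbShareAccess (AccountName, AccessRight, AccessControlType) and (Get-Acl $path).Access (IdentityReference, FileSystemRights, AccessControlType).

```powershell
# Added example (not from the original answer): effective access through a share
# is the more restrictive of the share ACL and the NTFS ACL.
Add-Type -AssemblyName System.Security   # FileSystemRights lives here on older hosts

# Rank the three share-level access levels so "more restrictive" is comparable.
$Rank = @{ None = 0; Read = 1; Change = 2; Full = 3 }

function Get-NtfsLevel([System.Security.AccessControl.FileSystemRights]$Rights) {
    # Collapse NTFS rights flags onto the same scale the share ACL uses.
    $R = [System.Security.AccessControl.FileSystemRights]
    if ($Rights.HasFlag($R::FullControl))    { return 'Full' }
    if ($Rights.HasFlag($R::Modify))         { return 'Change' }
    if ($Rights.HasFlag($R::ReadAndExecute)) { return 'Read' }
    return 'None'
}

function Get-LevelFromAces([string[]]$Identities, [object[]]$Aces, [scriptblock]$ToLevel) {
    $best = 'None'
    foreach ($ace in $Aces) {
        if ($Identities -notcontains $ace.Identity) { continue }
        if ($ace.Type -eq 'Deny') { return 'None' }         # an explicit deny wins outright
        $level = & $ToLevel $ace
        if ($Rank[$level] -gt $Rank[$best]) { $best = $level }
    }
    return $best
}

function Get-EffectiveAccess([string]$User, [string[]]$Groups, [object[]]$ShareAcl, [object[]]$NtfsAcl) {
    $ids   = @($User) + $Groups
    $share = Get-LevelFromAces -Identities $ids -Aces $ShareAcl -ToLevel { param($a) $a.Right }
    if ($share -eq 'None') {
        # The server refuses the tree connect; the NTFS ACL is never consulted.
        return [pscustomobject]@{ User = $User; Share = $share; Ntfs = '(not reached)'; Effective = 'None' }
    }
    $ntfs = Get-LevelFromAces -Identities $ids -Aces $NtfsAcl -ToLevel { param($a) Get-NtfsLevel $a.Rights }
    $eff  = if ($Rank[$share] -lt $Rank[$ntfs]) { $share } else { $ntfs }
    [pscustomobject]@{ User = $User; Share = $share; Ntfs = $ntfs; Effective = $eff }
}

# Constructed case 1: the faculty folder from the question.
$FacultyShareAcl = @(@{ Identity = 'Everyone'; Right = 'Full'; Type = 'Allow' })
$FacultyNtfsAcl  = @(@{ Identity = 'CAMPUS\jsmith'
                        Rights   = [System.Security.AccessControl.FileSystemRights]::FullControl
                        Type     = 'Allow' })
'CAMPUS\jsmith', 'CAMPUS\student1' | ForEach-Object {
    Get-EffectiveAccess -User $_ -Groups 'Everyone', 'Authenticated Users' `
        -ShareAcl $FacultyShareAcl -NtfsAcl $FacultyNtfsAcl
} | Format-Table
# jsmith: Share=Full Ntfs=Full Effective=Full; student1: Share=Full Ntfs=None Effective=None

# Constructed case 2: read-only share over a folder where the user has Modify.
$RoShareAcl = @(@{ Identity = 'Everyone'; Right = 'Read'; Type = 'Allow' })
$RwNtfsAcl  = @(@{ Identity = 'CAMPUS\student1'
                   Rights   = [System.Security.AccessControl.FileSystemRights]::Modify
                   Type     = 'Allow' })
Get-EffectiveAccess -User 'CAMPUS\student1' -Groups 'Everyone' -ShareAcl $RoShareAcl -NtfsAcl $RwNtfsAcl | Format-Table
# Share=Read Ntfs=Change Effective=Read
```

The second case is the read-only-share situation from the answer: the user could write to the files locally, but through the share the share ACL caps them at Read.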

Cannot change files permissions on server. Could this be because my site does not have a domain name?

I am developing a site for a client who has not decided on their domain name yet. I set up an account on a web server via WHM but have not pointed any domain names to it.
All was going well until I used a plugin (TinyMCE) to try and browse files on the server - it wouldn't work so I had a look at its script files and realised their permissions are set to not executable (644). I tried to change it to executable (755) but I get an error in my FTP client's console:
550 Could not change perms on file.js: Operation not permitted
Could this be because I am accessing the server not through a specific FTP account and so the server has locked down the files?
E.g. I am using the server's IP address to access files with my FTP rather than something like:
ftp.mysite.com
Any advice on this would be great! Thanks
Yes, there is an issue with the FTP account permissions. You will have to log in to your server with the main cPanel account username and password, or you can change your file permissions through cPanel >> File Manager.

Why does sql server restrict the locations from which you can attach or restore a database from?

I'm assuming some sort of security constraint, but if I have access to all folders on a PC, why allow some folders and not others.
What is the criteria for a folder being a valid backup / restore / attach folder?
Any advice appreciated!
It is not you who must have access, but the SQL Server service account. The engine must be able to attach the file after a restart when you are not logged in, so it cannot use your credentials; it must use its own credentials.
A valid backup/attach folder is one on which the SQLServerMSSQLUser$ComputerName$InstanceName user has full control. Setup creates a set of folders that are correctly configured (see "Setting Up Windows Service Accounts"):

Folder                                                Permission
Instid\MSSQL\backup                                   Full control
Instid\MSSQL\binn                                     Read, Execute
Instid\MSSQL\data                                     Full control
Instid\MSSQL\FTData                                   Full control
Instid\MSSQL\Install                                  Read, Execute
Instid\MSSQL\Log                                      Full control
Instid\MSSQL\Repldata                                 Full control
100\shared                                            Read, Execute
Instid\MSSQL\Template Data (SQL Server Express only)   Read
It matters less what folders you have access to than what folders SQL Server has (or should have) access to. Folders in private locations on the drive (like in a user's home directory) aren't necessarily accessible by the user that SQL Server runs as.
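An added example, not from either answer above: PowerShell that makes a folder outside the setup-created tree usable for BACKUP, RESTORE and attach by granting the service identity (not the logged-in administrator) full control, then verifying the ACE landed. It looks up the identity from the service itself; the instance name and folder path are assumptions. On SQL Server 2012 and later the engine receives its rights through the per-service SID (NT SERVICE\MSSQLSERVER, or NT SERVICE\MSSQL$NAME for a named instance), which is what the example grants to.

```powershell
# Added example (not from the original answers): grant the SQL Server service
# identity Full control on a custom backup folder and verify it.
$Instance   = 'MSSQLSERVER'      # default instance; use 'MSSQL$NAME' (single quotes!) for a named one
$BackupRoot = 'D:\SqlBackups'    # assumed path

function Get-SqlServiceIdentity([string]$ServiceName) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service $ServiceName not found on this host" }
    # StartName is the configured account (virtual account, local, or domain);
    # the per-service SID is stable even if that account is later changed.
    [pscustomobject]@{ Account = $svc.StartName; ServiceSid = "NT SERVICE\$ServiceName" }
}

function Grant-SqlFolderAccess([string]$Path, [string]$Identity) {
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        # Inherit to subfolders and files so backups written later are covered too.
        ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
         [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-SqlFolderAccess([string]$Path, [string]$Identity) {
    # True when an Allow ACE for the identity carries FullControl.
    [bool]((Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights.HasFlag([System.Security.AccessControl.FileSystemRights]::FullControl)
    })
}

$id = Get-SqlServiceIdentity -ServiceName $Instance
"Engine runs as $($id.Account); granting $($id.ServiceSid) on $BackupRoot"
Grant-SqlFolderAccess -Path $BackupRoot -Identity $id.ServiceSid
if (-not (Test-SqlFolderAccess -Path $BackupRoot -Identity $id.ServiceSid)) {
    throw "ACE for $($id.ServiceSid) not present on $BackupRoot"
}
```

After this, a `BACKUP DATABASE ... TO DISK = 'D:\SqlBackups\x.bak'` from any login succeeds because it is the engine, not the caller, that opens the file. Granting to the logged-in administrator instead would leave the folder unusable after a restart, for exactly the reason the first answer gives.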

Virtual Directory pointing to UNC share

I have an app that uploads documents to the server through the standard
When I sent my application to the production server, I found out that they had the server load balanced. My solution to this was to place the upload directory into a network share and then create a virtual directory pointing to the share.
I have set permissions on the share and the file itself, but I keep getting "access denied" whenever I try to upload a document.
Where could I be missing permissions? Is it possible that IUSR needs to have access to the share?
Thanks.
FYI,
The answer to this solution for me was to setup temporary impersonation with a user account that had access to the share, the folder and the virtual directory.
Here's a link to the code that worked for me:
http://support.microsoft.com/kb/306158#4
I hope your site uses anonymous access. Otherwise you will have a painful experience.
If it is so (anonymous access), then: the IUSR is a local user on the production servers and not a domain user. So it doesn't have access to the share. You will have to change that to a domain user (in the site configuration and not on the application pool). And make sure that the application pool runs as Network Service (this is the default) and it should work.
Chances are that whatever your ASP.Net process is running as does not have access to the share.
So chances are you need to set up an IIS6 application pool to run as a domain user and have that domain user have access rights to the file share.
Don't forget to aspnet_regiis -ga {domainuser} so that the domain user can actually run asp.net applications.
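Pulling the three answers together, as an added example that is not from any of them: on IIS 7 or later (the WebAdministration module; the thread's IIS6 steps and aspnet_regiis are the equivalent on that version), run the application pool as a domain account, point the upload virtual directory at the UNC share with explicit "connect as" credentials, and prove that the account can actually write there before touching the application. Site, pool, share and account names are assumptions.

```powershell
# Added example (not from the original answers): IIS 7+ upload directory on a
# UNC share behind a load balancer, with an identity the file server can authorize.
Import-Module WebAdministration

$Site     = 'Default Web Site'
$VDirName = 'uploads'
$Share    = '\\FILESRV01\Uploads'      # assumed share
$AppPool  = 'UploadPool'
$Cred     = Get-Credential -UserName 'CORP\svc_upload' -Message 'Domain account for the site'

# 1. Pool identity: a domain account, not IUSR/NetworkService, which are local
#    to each web node and mean nothing to FILESRV01.
if (-not (Test-Path "IIS:\AppPools\$AppPool")) { New-WebAppPool -Name $AppPool | Out-Null }
Set-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $Cred.UserName
    password     = $Cred.GetNetworkCredential().Password   # IIS stores this encrypted in applicationHost.config
}
Set-ItemProperty "IIS:\Sites\$Site" -Name applicationPool -Value $AppPool

# 2. Virtual directory with "connect as" credentials, so the share is reached
#    as that account even for anonymous requests (the IUSR case above).
if (-not (Test-Path "IIS:\Sites\$Site\$VDirName")) {
    New-WebVirtualDirectory -Site $Site -Name $VDirName -PhysicalPath $Share | Out-Null
}
Set-ItemProperty "IIS:\Sites\$Site\$VDirName" -Name userName -Value $Cred.UserName
Set-ItemProperty "IIS:\Sites\$Site\$VDirName" -Name password -Value $Cred.GetNetworkCredential().Password

# 3. On FILESRV01 itself (once, as an administrator), the account needs both
#    share and NTFS rights; the more restrictive of the two applies:
#    Grant-SmbShareAccess -Name Uploads -AccountName 'CORP\svc_upload' -AccessRight Change -Force
#    icacls D:\Uploads /grant 'CORP\svc_upload:(OI)(CI)M'

# 4. Verify from this web node that the configured identity can create and
#    delete a file on the share, independent of the application code.
function Test-UploadShare([string]$Path, [pscredential]$Credential) {
    New-PSDrive -Name 'UP' -PSProvider FileSystem -Root $Path -Credential $Credential -ErrorAction Stop | Out-Null
    try {
        $probe = Join-Path 'UP:' ('probe_{0}.txt' -f [guid]::NewGuid())
        Set-Content -Path $probe -Value 'write test' -ErrorAction Stop
        Remove-Item -Path $probe -ErrorAction Stop
        return $true
    }
    catch   { return $false }
    finally { Remove-PSDrive -Name 'UP' -Force }
}
if (-not (Test-UploadShare -Path $Share -Credential $Cred)) {
    throw "$($Cred.UserName) cannot write to $Share; fix share/NTFS rights on the file server first"
}
```

Step 4 is the quick way to tell "access denied" from IIS apart from a missing share or NTFS grant: if the probe fails with the domain account, no amount of impersonation in the application will help, and the fix is on the file server.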