PS can't do file management when running as SYSTEM

Question

PS can't do file management when running as SYSTEM

JRV 551

A PowerShell script renames a log folder to function as an archive, creates a new log folder, copies the ACL from the old folder to the new one, then deletes the oldest archives if there are more archives than desired. Snippet follows--

If ( $NumberOfLogsToKeep -gt 0) {  
    # archive recent logs  
    $dateStamp = get-date -uformat "%Y-%m-%d@%H-%M-%S"  
    $archiveFolder = "$LogFolder-$dateStamp"  
    Rename-Item $LogFolder $archiveFolder  
    New-Item $LogFolder -ItemType Directory  
    Get-ACL $archiveFolder | Set-ACL $LogFolder  
  
    # prune stale log folders  
    If ( Test-Path "$PSScriptRoot\Logs-*" ) {  
        $archiveFolders = Get-ChildItem -Path "$PSScriptRoot\Logs-*" -Directory | Sort-Object -Descending  
        $i = 0  
        $archiveFolders | ForEach-Object {  
            $i = $i + 1  
            If ( $i -gt $NumberOfLogsToKeep ) {  
                Remove-Item $_ -Recurse  
            }  
        }  
    }  
}

$NumberOfLogsToKeep and $LogFolder (a share hosted on a remote server) are specified in a "preferences" section at the top of the script.

On a WS2019 domain and WS2019 server, works perfectly when run as a Scheduled Task using Domain Admin creds. Does not work at all when run as a Scheduled Task using NT AUTHORITY\SYSTEM creds. The log folder is not renamed; don't know if the rest of the code would run correctly because it has nothing to do if the log folder is not renamed. SYSTEM has full control on the folder, subfolders, and files.

But on a different, WS2012R2 domain, on a WS2012R2 server, runs perfectly as a Scheduled Task as NT AUTHORITY\SYSTEM.

Is this a change in WS2019 PowerShell? For security?

TIA

Accepted answer

2 additional answers

Your answer

Answer 1

MotoX80 36,291

$NumberOfLogsToKeep and $LogFolder (a share hosted on a remote server)

When you run a process on Server1 as SYSTEM, and reference \Server2\ShareName, in a domain environment, then the account that Server2 sees is the AD computer account for Server1.

The account is YourDomainName\Server1$ it is not "SYSTEM".

The difference is likely something in either the share permissions or NTFS folder permissions where "everyone" or "authenticated users" have access. Check the security eventlog on Server2 and look for logon events from Server1$.

JRV 551 Reputation points

2022-03-15T20:47:07.55+00:00

All are correct, but this is the most correct. Hadn't occurred to me because I didn't think about where the shares were hosted on the 2 servers.

On the WS2012R2 server, where it's working, the script is still pointing to a share, but the share is hosted on the server where the script runs.

On the WS2016 server where it wasn't working, the share is remote from the server where the script runs. So I'd need to add the server or a group containing the server to the NTFS ACL with Full Control.

And, yes, service accounts are good things, even in microbusiness. And since, once I discovered it worked, I've already changed to a dedicated account whose only elevation is full control on the folder, I'll stay with it.

Thanks, all!
MotoX80 36,291 Reputation points

2022-03-15T22:39:30.97+00:00

Being the lazy, I mean efficient, sysadmin that I once was, another trick I used was to create a local account on all inter-related systems, with the same name and password. Usually this was an application related account that I might give a name like Accounting-FTP-User. I wasn't allowed to create domain accounts, and many times I didn't want to go through the hassle of requesting an AD service account. I just needed to get a file from server A to server B. The local account "flew under the radar" of the auditors and anyone checking AD. I could set up the file transfer and move on to the next crisis.
Rich Matheisen 47,901 Reputation points

2022-03-16T01:37:24.827+00:00

Oooohhh . . . bad auditors!

Our systems (well, at least the servers) were all checked for unauthorized local accounts. Woe be onto anyone found to have created one. The hunt was relentless! Getting a new domain service account wasn't difficult at all, though.

Answer 2

I'm not aware of any changes but, from a security point of view, I would have to ask the question why you would ever need to run a script like that as SYSTEM anyway. SYSTEM is designed for the OS to use, not any program you would ever write. Even services don't run under this account unless they absolutely need to (which is rare these days).

At a minimum I would run as a regular user. If it is file permissions issue then grant the user the necessary permissions on the folder structure(s). In the absolute worst case then run as an admin. SYSTEM would be overkill unless you're trying to rename OS logs that only SYSTEM has access to.

I would run the script as SYSTEM outside of a scheduled task and see what errors, if any, you're getting. This would help narrow down the problem. Scheduled tasks hide too much information when you're trying to debug an issue like this. I'd also recommend that you add verbose logging to trace what is going on and enable verbose output so you can see the messages.

Answer 3

Rich Matheisen 47,901

Without any error checking in the script you're reduced to grasping at straws when it comes to figuring out what to change.

Add a Start-Transcript at the start of the script and a Stop-Transcript at the end of it.

If I had to guess at what the problem might be, I'd start with the permissions on the files/directories you're manipulating.

Share via

PS can't do file management when running as SYSTEM

2 additional answers

Your answer