Accessing network drives created in services under Windows NT

Article translations Article translations
Article ID: 149984 - View products that this article applies to.
This article was previously published under Q149984
Expand all | Collapse all

On This Page

SUMMARY

This article explains how to access network drives created in services. Even though network drives are global system resources, they can only be accessed by processes running under the security context which was used to establish the network connection.

In fact the rule is very simple. A network connection is always made with a set of credentials (such as, domain name, user name, and password.) A process can access a network drive only if it has already validated the credentials used to establish the connection.

This article can also be used to understand how to create pseudo-permanent connections with the scheduler.

MORE INFORMATION

For the purpose of this article, assume the following configuration:
  • 1 Server acting as Primary Domain Controller (PDC) of a domain "DOMAIN"
  • A share on an other machine of the domain "ASERVER"
  • 1 Service running as User1 (Service1)
  • An other user "Auser"
This article considers the following two cases and explains, for each case, who can access the network driver:
  1. Network Connection made with Service1
  2. Network Connection made with the option /USER

1. Network Connection made with Service1

When a network connection is established under "Service1," the "User1" credentials are used (such as, domain "DOMAIN," user "User1" and their password):
NET USE X: \\ASERVER\SHARE
The drive X: is mapped to \\ASERVER\SHARE and can only be used by Processes which have validated this credentials of DOMAIN\User1. Therefore only the following processes can access the network drive X:
  • The service Service1
  • Any other service running under the security context of "User1"
  • Any process when logged on with the credentials of "User1"

2. Network Connection made with the option NET USE /USER

When a network connection is made with NET USE /USER:'Domain\Auser', the redirector sends an Server Message Block (SMB) frame "C Session setup" to the server in order to validate the credentials of "Domain\Auser." The server creates an access token for this user and replies to the redirector with an SMB frame "R Session setup" including a user ID that will be used in all consecutive SMB frames related to the connection.
NET USE X: \\ASERVER\SHARE /USER:DOMAIN\Auser
The drive X: is mapped to \\ASERVER\SHARE and can only be used by processes which have validated the credentials of DOMAIN\AUser. Therefore only the following processes can access the network drive X:
  • The service Service1
  • Any other service running under the security context of "Auser"
  • Any process when logged on with the credentials of "Auser"
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
103390 Network access validation algorithms and examples for Windows Server 2003, Windows XP, and Windows 2000

Properties

Article ID: 149984 - Last Review: November 1, 2006 - Revision: 1.2
APPLIES TO
  • Microsoft Windows NT Workstation 4.0 Developer Edition
  • Microsoft Windows NT Server 4.0 Standard Edition
Keywords: 
kbnetwork KB149984

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com