This article was previously published under Q149984
This article explains how to access network drives created in services.Even though network drives are global system resources, they can only beaccessed by processes running under the security context which was used toestablish the network connection.
In fact the rule is very simple. A network connection is always made witha set of credentials (such as, domain name, user name, and password.) Aprocess can access a network drive only if it has already validated thecredentials used to establish the connection.
This article can also be used to understand how to create pseudo-permanentconnections with the scheduler.
For the purpose of this article, assume the following configuration:
1 Server acting as Primary Domain Controller (PDC) of a domain "DOMAIN"
A share on an other machine of the domain "ASERVER"
1 Service running as User1 (Service1)
An other user "Auser"
This article considers the following two cases and explains, for eachcase, who can access the network driver:
Network Connection made with Service1
Network Connection made with the option /USER
1. Network Connection made with Service1
When a network connection is established under "Service1," the "User1"credentials are used (such as, domain "DOMAIN," user "User1" and theirpassword):
NET USE X: \\ASERVER\SHARE
The drive X: is mapped to \\ASERVER\SHARE and can only be used byProcesses which have validated this credentials of DOMAIN\User1. Thereforeonly the following processes can access the network drive X:
The service Service1
Any other service running under the security context of "User1"
Any process when logged on with the credentials of "User1"
2. Network Connection made with the option NET USE /USER
When a network connection is made with NET USE /USER:'Domain\Auser', theredirector sends an Server Message Block (SMB) frame "C Session setup" tothe server in order to validate the credentials of "Domain\Auser." Theserver creates an access token for this user and replies to the redirectorwith an SMB frame "R Session setup" including a user ID that will be usedin all consecutive SMB frames related to the connection.
NET USE X: \\ASERVER\SHARE /USER:DOMAIN\Auser
The drive X: is mapped to \\ASERVER\SHARE and can only be used byprocesses which have validated the credentials of DOMAIN\AUser. Thereforeonly the following processes can access the network drive X:
The service Service1
Any other service running under the security context of "Auser"
Any process when logged on with the credentials of "Auser"
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
103390 Network access validation algorithms and examples for Windows Server 2003, Windows XP, and Windows 2000