The FAST: Scripts running at logon that write to a network share use the user account logging in, and the NTFS permissions require READ and WRITE.
So I looked everywhere for this one. I thought it would be a common problem, but apparently it is not, and if it is, it is not documented well. So here is mine.
The issue is that I want my logon script to write (append) to a file in a network location. In our brave new world of least privilege, it is important to allow only the minimum permissions. Not many of the articles I googled had information on this, and the ones that did wanted to use the 'Everyone' group. Big no-no. So after a great deal of trial and error I found that the answer was to allow READ.
See, you can permit CHANGE in the share permissions, but there is a separate, specific right in the NTFS permissions for CHANGE. Allowing this permitted me to CREATE a file, but refused to allow my script to APPEND to it, even though it spells it out. I found out two important things:
- The script does indeed run as the user account logging in (I haven't checked startup scripts yet).
- The share being written to requires that the account have CHANGE and READ. I was able to remove LIST, but READ was required.
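Here is how that configuration can be laid out in PowerShell. This is an added example, not the post's own script; the server name FS01, the share LogonLogs, the folder D:\LogonLogs and the group CONTOSO\Domain Users are assumptions. The first part is run once by an administrator on the file server and grants Change on the share plus Read and Write on the NTFS folder (no Everyone, no Full Control, no Modify); the second part is the logon script itself, which runs as the logging-in user and appends one line per logon.

```powershell
# Added example, not the post's own script. Assumed names: file server FS01,
# folder D:\LogonLogs shared as LogonLogs, group CONTOSO\Domain Users as the
# accounts whose logon scripts will write. Everything else is stock Windows/PowerShell.

# ---- Part 1: run once, elevated, on the file server -------------------------
$sharePath = 'D:\LogonLogs'            # assumption
$shareName = 'LogonLogs'               # assumption
$group     = 'CONTOSO\Domain Users'    # assumption

New-Item -ItemType Directory -Path $sharePath -Force | Out-Null

# Share permission: Change for the group only. No 'Everyone' entry at all.
New-SmbShare -Name $shareName -Path $sharePath -ChangeAccess $group | Out-Null

# NTFS: stop inheriting the drive's default ACEs so the folder carries only what we grant.
$acl = Get-Acl -Path $sharePath
$acl.SetAccessRuleProtection($true, $false)

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

# SYSTEM and Administrators keep Full Control so the folder stays manageable.
foreach ($admin in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $admin, 'FullControl', $inherit, $propagate, $allow)))
}

# The logging-in users get Read + Write only: not Modify (which adds Delete) and not
# FullControl. In FileSystemRights, Write = WriteData (CreateFiles) + AppendData +
# WriteAttributes + WriteExtendedAttributes, and Read = ReadData + ReadAttributes +
# ReadExtendedAttributes + ReadPermissions; .NET adds Synchronize to Allow rules itself.
$rights = [System.Security.AccessControl.FileSystemRights]'Read, Write'
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group, $rights, $inherit, $propagate, $allow)))
Set-Acl -Path $sharePath -AclObject $acl

# Check what the group actually ended up with before rolling the script out.
(Get-Acl -Path $sharePath).Access |
    Where-Object { $_.IdentityReference -eq $group } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

# ---- Part 2: the logon script (deployed separately; runs as the logging-in user) ----
function Write-LogonRecord {
    param(
        [string]$LogPath = '\\FS01\LogonLogs\logon.log'   # assumption: UNC path to the file
    )
    # One CSV line: timestamp, DOMAIN\user, computer. Only environment values, no free text.
    $line = '{0:yyyy-MM-ddTHH:mm:ssK},{1}\{2},{3}' -f (Get-Date), $env:USERDOMAIN, $env:USERNAME, $env:COMPUTERNAME
    try {
        # Add-Content opens the file for append and creates it if it does not exist yet,
        # which is why WriteData (CreateFiles) on the folder is needed as well as AppendData.
        Add-Content -Path $LogPath -Value $line -Encoding UTF8 -ErrorAction Stop
        return $true
    }
    catch {
        # As the user, a denial here usually means the NTFS ACE lacks Read or Write, or the
        # share grants only Read. Report it; never widen permissions from inside the script.
        Write-Warning ('Could not append to {0} as {1}\{2}: {3}' -f $LogPath, $env:USERDOMAIN, $env:USERNAME, $_.Exception.Message)
        return $false
    }
}

Write-LogonRecord
```

Run the check at the end of Part 1 before assigning the logon script in Group Policy. If the script still reports a denial, compare the printed FileSystemRights against the combination the post found necessary (READ plus the write rights) and look at the share permission as well as the NTFS ACE: both are evaluated on a remote access, and the more restrictive of the two wins.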
Hope this saves someone else a couple of days of troubleshooting.