The FAST version: Logon scripts that write to a network share run as the user account that is logging in, and the NTFS permissions on the target need READ and WRITE.

So I looked everywhere for this one. I thought it would be a common problem, but apparently it is not, and if it is, it is not documented well. So here is mine.

The issue is that I want my logon script to write (append) to a file in a network location. In our brave new world of least privilege, it is important to grant only the minimum permissions. Not many of the articles I googled had information on this, and the ones that did wanted to use the ‘Everyone’ group. Big no-no. So after a great deal of trial and error I found that the answer was to allow READ in addition to WRITE.

See, you can grant CHANGE on the share permissions, but the NTFS permissions have their own separate write right. Granting that let me CREATE a file, but my script was refused when it tried to APPEND to it, even though "Append data" is spelled out in the advanced NTFS permissions list. I found out 2 important things:

  • The script does indeed run as the user account logging in (I haven’t checked startup scripts yet).
  • The share being written to requires that the account have CHANGE (share permission) and READ (NTFS permission). I was able to remove LIST, but READ was required.
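Here is the whole setup as one runnable script, added as an example here and not taken from the original post: the server-side share and NTFS permissions that match the two findings above (CHANGE on the share, basic Read + Write on the folder, no Modify, no Full Control, no ‘Everyone’), followed by the logon script that appends to the file as the logging-in user. The server FS01, the share name LogonLogs, the folder D:\LogonLogs, the file logons.log and the group CORP\Domain Users are assumptions; substitute your own.

```powershell
# Added example, not the original post's code. Assumed names: server FS01, share LogonLogs,
# folder D:\LogonLogs, file logons.log, group CORP\Domain Users. Adjust to your environment.

# ---------- Part 1: run once on the file server as an administrator ----------
$Folder = 'D:\LogonLogs'
$Share  = 'LogonLogs'
$Group  = 'CORP\Domain Users'

New-Item -ItemType Directory -Path $Folder -Force | Out-Null

# Share permission: CHANGE for the group (not Full Control), and make sure 'Everyone' is gone.
if (-not (Get-SmbShare -Name $Share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $Share -Path $Folder -ChangeAccess $Group | Out-Null
} else {
    Grant-SmbShareAccess -Name $Share -AccountName $Group -AccessRight Change -Force | Out-Null
}
Revoke-SmbShareAccess -Name $Share -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue | Out-Null

# NTFS permission: the basic Read + Write checkboxes, which is what the post found necessary.
# Write covers CreateFiles/WriteData, AppendData, WriteAttributes and WriteExtendedAttributes;
# Modify is deliberately NOT granted because it would add Delete.
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$UserRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group,
    [System.Security.AccessControl.FileSystemRights]'Read, Write',
    $Inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$Acl = Get-Acl -Path $Folder
# Stop inheriting the parent's (usually broader) ACEs so only what we add applies.
$Acl.SetAccessRuleProtection($true, $false)
# Admins and SYSTEM still need to manage the folder; grant them explicitly since inheritance is off.
foreach ($Admin in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $Acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Admin, 'FullControl', $Inherit, 'None', 'Allow')))
}
$Acl.AddAccessRule($UserRule)
Set-Acl -Path $Folder -AclObject $Acl

# Check what was actually applied before pushing the logon script out.
(Get-Acl -Path $Folder).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited, AccessControlType -AutoSize
Get-SmbShareAccess -Name $Share

# ---------- Part 2: the logon script (runs on the client as the user logging in) ----------
# Deploy this part via the GPO logon script; it appends one line per logon.
$Log  = "\\FS01\$Share\logons.log"
$Line = '{0},{1},{2}' -f (Get-Date -Format 's'), $env:USERNAME, $env:COMPUTERNAME
Add-Content -Path $Log -Value $Line
```

Two things worth checking after you run Part 1. First, the Access listing should show the group with exactly `Read, Write` (ReadAndExecute or Modify means a checkbox crept in). Second, test the append from a client as an ordinary domain user before rolling the GPO out, because whether plain Write is enough depends on how the script opens the file, which is why the post ended up needing Read as well. One caveat for the least-privilege goal: the Write right includes WriteData, so every user who can append to logons.log can also overwrite or truncate it. That is fine for a convenience log, but if the file is meant as a record you rely on, write per-user files or forward the event to a log collector instead of sharing one writable file.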

Hope this saves someone else a couple of days of troubleshooting.
