Issue
Scenario: We have a file in a share folder. We are copying the file from the share folder to a local computer using a PowerShell command run via Run Command in Azure:
Copy-Item -Path \\SHARE_FOLDER\installs\MY_FILE.TXT -Destination C:\LOCAL\ -Force
Run Command returns this error:
Copy-Item : Access to the path '\\SHARE_FOLDER\installs\MY_FILE.TXT' is denied.
At C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.8\Downloads\s
cript11.ps1:1 char:1
+ Copy-Item -Path \\SHARE_FOLDER\installs\MY_FILE.TXT -Destination C:\LO ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (\\SHARE_FOLDER\installs\MY_FI
LE.TXT:FileInfo) [Copy-Item], UnauthorizedAccessException
+ FullyQualifiedErrorId : CopyFileInfoItemUnauthorizedAccessError,Microsof
t.PowerShell.Commands.CopyItemCommand
Copy-Item : Access to the path '\\SHARE_FOLDER\installs\MY_FILE.TXT' is denied.
At C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.8\Downloads\s
cript11.ps1:1 char:1
+ Copy-Item -Path \\SHARE_FOLDER\installs\MY_FILE.TXT -Destination C:\LO ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Copy-Item], UnauthorizedAcces
sException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.Pow
erShell.Commands.CopyItemCommand
Run Command runs as System (docs). System had Owner Permission Level in File Sharing and Full Control in both Share permissions and Security (machine specific details have been blurred out):
Why isn’t System able to copy the file over? It appears to have all the permissions required to do so.
Adding Everyone to File Sharing fixes the problem. The file is successfully copied over.
Solution
When accessing the network share you have to use network accounts. SYSTEM is local service account that they don’t exist outside the machine they are attached to, so they are not part of the domain. You can have domain service accounts, but these exist as part of AD rather than accounts on a machine.
When using SYSTEM account on different computers you refer to different accounts.
In a domain environment, to access network shares you can grant access rights to computer accounts; this applies to processes running on those computers as LocalSystem or NetworkService (but not LocalService, which presents anonymous credentials on the network) when they connect to remote systems.
LocalSystem presents the computer’s credentials to remote computers.
Each computer in AD domain is presented by a hidden object that can be found as COMPUTER$ account.
COMPUTER here refers to the AD name of the domain computer.
Accordingly to need to add COMPUTER$ account in the NTFS and share permissions that this computer could access your share as LocalSystem.
Note: You can’t use computer accounts in a workgroup environment; this applies only to domains.
Answered By – Hardoman
This Answer collected from stackoverflow, is licensed under cc by-sa 2.5 , cc by-sa 3.0 and cc by-sa 4.0