![]() ![]() If a service is configured to run under a user account, the system always creates a new logon session for the user and starts the service in that new logon session. A single user can have multiple, simultaneous logon sessions on the system. The logon SID is a unique identifier for the user's logon session. The system keeps track of redirected drives based on the user's logon security identifier (SID). Only the user is able to manage the redirected drive. When the system establishes a redirected drive, it is stored on a per-user basis. Although the WNet functions may return successfully, the resulting behavior is not as intended. ![]() If both services perform an explicit net use and provide the same credentials at the same time, one service will fail with an "already connected" error.Īdditionally, a service should not use the Windows Networking Functions to manage mapped drive letters. Multiple services running in the same context may interfere with each other.Instead, the service should use client impersonation to impersonate the user. If the service provides explicit credentials to a net use command, those credentials might be inadvertently shared outside of the service boundaries.Drive mappings exist across logon contexts, so if an application is running in the context of the LocalService account, then any other service running in that context may have access to the mapped drive.The net use command is not recommended for several reasons: Moreover, a service (or any process running within its own logon session) cannot access the drive letters that were established within a different logon session.Ī service should not directly access local or network resources through mapped drive letters, nor should it call the net use command to map drive letters at run time. Therefore, redirected drives cannot be shared between processes running under different user accounts. Each logon session receives its own set of drive letters from A to Z. If a server-side service uses an RPC connection, delegation must be enabled on the remote server.ĭrive letters are not global to the system. The service must have appropriate privileges to access the resource. ![]() A service (or any process running in a different security context) that must access a remote resource should use the Universal Naming Convention (UNC) name to access the resource. ![]()
0 Comments
Leave a Reply. |