Overview
In Windows, network share connections are specific to the session of the user who made them. By default, the Resilio Connect Agent runs as a service in the system session as the "Local SYSTEM" or "Local Service" user. As a result, the Agent is unable to see any mapped network drives that are normally seen by the current user account. Additionally, when accessing a UNC path, the Agent tries to supply the credentials of "Local SYSTEM" or "Local Service" to the SMB server and gets rejected.
This is a Windows OS limitation, which can be bypassed using one of the following three methods:
- Changing the user account running the Agent to one that has access to the share and accessing it with UNC path
- Mapping a network drive manually using the PSEXEC tool
- Mapping a network drive automatically using a script job
This method runs the Agent under a user account whose name and password match those of an account configured on the SMB/CIFS server. The Agent will then log in to the SMB/CIFS server automatically on its first attempt to reach files.
New user permissions
If you plan for the Agent to also access local files, don't forget to grant the new user permissions to the relevant directories.
Please follow the steps below to configure the Agent to run as a different user account.
Step 1
Find a username or create a user on your SMB/CIFS server that you'll use for access.
Step 2
Create a user with the same name and the same password on the computer running the Agent. You can skip this step if the user you are going to use is a domain user and the computer is part of the domain.
Step 3
Open the permissions of the folder C:\ProgramData\Resilio\Connect Agent (or C:\ProgramData\Resilio\Connect Server for the Management Console Agent) and add the new user with full access there. Then click OK until the folder properties dialog closes.
Step 4
Open Services, find the "Resilio Connect Agent Service" service (Resilio Connect Server if you apply it for the Management Console Agent) and open its properties, "Log on" tab. Enter your user name and its credentials.
Once you click "OK", Windows may give you a notice that this user is granted a permission to run as a service.
Step 5
Restart the Agent service so that it runs under the new user account. The first start as a new user may take a while, as Windows will create a new registry hive and a new user home directory structure.
Error is expected
Management Console will display the error "The Agent cannot decrypt its settings files", which is expected when the user account running the Agent changes. Be sure to approve such an Agent if it requires approval, and restart it one more time to clear the error.
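A check for Steps 3 to 5, added here as an example and not part of Resilio's documentation: it reports which account the service runs under and whether that account holds a direct full-control entry on the Agent data folder. The display name and folder are the ones named above; the function name is made up for this example, and access granted only through a group is not detected.

```powershell
# Added example, not Resilio code. Run in an elevated PowerShell session on the Agent machine.
# For a Management Console Agent pass 'Resilio Connect Server' and
# 'C:\ProgramData\Resilio\Connect Server', as the article notes.
function Test-AgentServiceAccount {   # hypothetical helper name
    param(
        [string]$DisplayName = 'Resilio Connect Agent Service',
        [string]$DataDir     = 'C:\ProgramData\Resilio\Connect Agent'
    )
    $svc = Get-CimInstance Win32_Service -Filter "DisplayName='$DisplayName'"
    if (-not $svc) { throw "Service '$DisplayName' not found" }

    # Built-in service identities are the ones the SMB server rejects.
    $builtIn = $svc.StartName -match '^(LocalSystem|NT AUTHORITY\\.+)$'

    $sid = $null
    if (-not $builtIn) {
        # Services report local accounts as ".\name"; expand that before resolving the SID.
        $name = $svc.StartName -replace '^\.\\', ($env:COMPUTERNAME + '\')
        $sid  = ([Security.Principal.NTAccount]$name).Translate(
                    [Security.Principal.SecurityIdentifier]).Value
    }

    # Step 3 check: a direct Allow entry with full control for that SID on the data folder.
    $full  = [int][Security.AccessControl.FileSystemRights]::FullControl
    $rules = (Get-Acl -LiteralPath $DataDir).GetAccessRules(
                 $true, $true, [Security.Principal.SecurityIdentifier])
    $hasFull = [bool]($rules | Where-Object {
        $_.IdentityReference.Value -eq $sid -and
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band $full) -eq $full
    })

    [pscustomobject]@{
        Service              = $svc.Name
        RunsAs               = $svc.StartName
        State                = $svc.State        # "Running" after the Step 5 restart
        NamedAccount         = -not $builtIn
        FullControlOnDataDir = $hasFull
    }
}

Test-AgentServiceAccount | Format-List
```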
The PSEXEC utility allows you to log in directly to the system session and manage network resources. This is done locally, which allows access to the share without revealing the network share credentials to Management Console Administrators.
Step 1
Make sure that the Agent is running under the "Local System" account
- Open Services, find "Resilio Connect Agent Service"
- Right-click and pick "Properties" -> "Log on"
- Check that either the "Local System account" radio button is selected or "This account" contains "NT AUTHORITY\System" or "Local System" or any other localized username that indicates that the user name is the "Local System". Note that the "Local System" account always has an empty password.
Step 2
Open the command line with elevated privileges (Run as Administrator).
Step 3
Download the Sysinternals set of tools, unpack them in a directory, then navigate your Admin command line to the same directory.
Step 4
In the Admin command line, run the command psexec -i -s cmd.exe. This will open a new command prompt, running under the System account. Verify that by running the whoami command. The output should be nt authority\system
Step 5
Run the command net use <drive_letter>: \\<yourservername>\<foldername> <password> /user:<username> /persistent:yes for each drive that needs to be mapped, replacing the drive letter, network path, username, and password accordingly.
Step 6
The mapped drive is going to be visible to all users in your system, though it will always show up as "Disconnected" in Explorer.
Disconnect network drive
To disconnect the network drive, repeat steps 2 to 4 and run the following command in the System user command prompt: net use <drive_letter>: /delete
The script you place in a Script Job gets executed by the Agent, runs in the same system session as the Agent, and therefore accesses the network resource with the proper credentials, making it visible to the Agent.
Network share credentials
This method requires the Management Console Admin to have the credentials to access the network share. If this is not possible, there's a different way to accomplish this.
Follow the steps below to make sure the network share is accessible to the Agent:
Step 1
Create a new "Run script" job
Step 2
Make sure that you only add the Agents that need to access the specified network share. The actual directory is not important (though you should make sure that you pick one that exists on the target machine).
Step 3
Copy the following script and make sure that you select CMD in RUN AS selector:
net use \\<yourservername>\<foldername> <password> /persistent:yes /user:<username>
Step 4
Save the job and run it. Once the job completes, open the log and verify that the operation was successful; otherwise, the error code will help you understand why the net use command has failed.
Unmapping drive
If you no longer want the Agent to access the network drive, follow the same steps, but this time place a different script in step 3:
net use \\<yourservername>\<foldername> /DELETE