How do I set permissions on network shares to allow SYSTEM account access in server cluster?

I want to share common data within a cluster of servers via network shares. There will be one share folder on each server, which all the other servers can access. The server processes that will be accessing this data are currently running as SYSTEM. I would like to restrict the permissions on these folders so that only the processes running on the other servers in the cluster can access the share. I do NOT want the network shares to be accessible to anyone else in the domain (except perhaps the admins who can remote into the servers anyway).

How do I configure the permissions on the file shares to accomplish this? Can it be done with the server processes running as SYSTEM? If there is no direct way to do this, is there a best practice work around?

We are running Windows Server 2008 R2.

Thanks, Jeff


In a terse, step-by-step fashion:

  • Create a group and make the AD computer accounts for the cluster computers members of that group.

  • Set the NTFS permissions on the folder to "SYSTEM / Full Control", "MACHINE\Administrators / Full Control", and "The Cluster Member Group / Full Control". (I always include "MACHINE\Administrators" and "SYSTEM" with "Full Control" in virtually every permission I apply. Call it force-of-habit...)

  • Share the folder and set the Share Permission to "Everyone / Full Control". This effectively nullifies this "feature". The NTFS permissions will enforce the security you're looking for.

  • You're in business.