Why do my Application Compatibility Toolkit Data Collectors fail to write to my ACT Log Share?
- by Jay Michaud
I am trying to get the Microsoft Application Compatibility Toolkit 5.6 (version 5.6.7320.0) to work, but I cannot get the Data Collectors to write to the ACT Log Share.
The configuration is as follows.
Machine: ACT-Server
Domain: mydomain.example.com
OS: Windows 7 Enterprise 64-bit Edition
Windows Firewall configuration: File and Printer Sharing (SMB-In) is enabled for Public, Domain, and Private networks
ACT Log Share: ACT
Share permissions*:
Group/user names Allow permissions
---------------------------------------
Everyone Full Control
Administrator Full Control
Domain Admins Full Control
Administrators Full Control
ANONYMOUS LOGON Full Control
Folder permissions*:
Group/user name Allow permissions Apply to
-------------------------------------------------
ANONYMOUS LOGON Read, write & execute This folder, subfolders, and files
Domain Admins Full control This folder, subfolders, and files
Everyone Read, write & execute This folder, subfolders, and files
Administrators Full control This folder, subfolders, and files
CREATOR OWNER Full control Subfolders and files
SYSTEM Full control This folder, subfolders, and files
INTERACTIVE Traverse folder / This folder, subfolders, and files
execute file,
List folder / read data,
Read attributes,
Read extended attributes,
Create files / write data,
Create folders / append data,
Write attributes,
Write extended attributes,
Delete subfolders and files,
Delete, Read permissions
SERVICE (same as INTERACTIVE)
BATCH (same as INTERACTIVE)
*I am fully aware that these permissions are excessive, but that is beside the point of this question.
Some of the clients running the Data Collector are domain members, but some are not. I am working under the assumption that this is a Windows file sharing permission issue or a network access policy issue, but of course, I could be wrong.
It is my understanding that the Data Collector runs in the security context of the SYSTEM account, which for domain members appears on the network as MYDOMAIN\machineaccount. It is also my understanding from reading numerous pieces of documentation that setting the ANONYMOUS LOGON permissions as I have above should allow these computer accounts and non-domain-joined computers to access the share.
To test connectivity, I set up the Windows XP Mode virtual machine (VM) on ACT-Server. In the VM, I opened a command prompt running as SYSTEM (using the old "at" command trick). I used this command prompt to run explorer.exe. In this Windows Explorer instance, I typed \ACT-Server\ACT into the address bar, and then I was prompted for logon credentials. The goal, though, was not to be prompted. I also used the "net use /delete" command in the command prompt window to delete connections to the ACT-Server\IPC$ share each time my connection attempt failed.
I have made sure that the appropriate exceptions are
Since ACT-Server is a domain member, the "Network access: Sharing and security model for local accounts" security policy is set to "Classic - local users authenticate as themselves". In spite of this, I still tried enabling the Guest account and adding permissions for it on the share to no effect.
What am I missing here? How do I allow anonymous logons to a shared folder as a step toward getting my ACT Data Collectors to deposit their data correctly? Am I even on the right track, or is the issue elsewhere?
