How To: Allow the system account to use shared directories on remote computers


When a Windows service uses the system account to access resources, the service logs on with a set of null credentials. This is often a problem when attempting to utilize network resources that require a valid user. For example, utilizing mapped drives is only possible with valid non-null users; therefore, the system account cannot access mapped drives. There is, however, a method to enable the use of UNC paths. In Windows NT 4.0 and Windows 2000, there is a Server service registry parameter that allows you to specify by name which shares the system account can access. The registry NullSessionShares parameter allows you to specify lists of share names that can be accessed by the system account on any machine. The only shares a service using the system account can access are those listed in the NullSessionShares parameter. By default, no shares are accessible by the system account. The system administrator can add the names of shares the service needs access to the NullSessionShares parameter on servers where those shares exist.


The following edits will allow the use of UNC paths in AXL files and ArcIMS server configurations when the services use the system account.

This solves two problems in ArcIMS 3.0, and one problem in ArcIMS 3.1:

  • ArcIMS 3.0 - By default, the services for IIS are configured to run under the system account; this cannot be changed. As a result, the Web server cannot use a mapped drive or UNC path to access information. In ArcIMS 3.0, this will result in a 'Retrieving Data' error, in an HTML viewer client, if the formFilePath variable uses a mapped drive or UNC path relative to the IIS Web server. These edits will allow the formFilePath to be set to a UNC path. For example, formFilePath = ""\\\\SERVER1\\ArcIMS\\Website\\htmlsite".
  • ArcIMS 3.0 and 3.1 - Starting the ArcIMS services, using the system account and 'Interact with Desktop' enabled, allows the ArcIMS administrator to view the Application Server console window. This can be used to monitor communication on the ArcIMS server and troubleshoot problems. Unfortunately, starting the ArcIMS services using the system account limits access to network resources.
The ArcIMS services is set up to start using the System Account on a machine named SERVER1. The data to be accessed is on another machine named DATA1, in a directory on the C: drive shared as DATADIR. In order to enable a system account, in this case the system account on SERVER1, to see the directory \\DATA1\DATADIR, do the following on the DATA1 machine:
The instructions below include making changes to essential parts of your operating system. It is recommended that you backup your operating system and files, including the registry, before proceeding. Consult with a qualified computer systems professional, if necessary.

Esri cannot guarantee results from incorrect modifications while following these instructions; therefore, use caution and proceed at your own risk.
  1. Open theWindows Registry. Click Start > Run, type REGEDT32 and press Enter.
  2. Expand HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services > LanmanServer > Parameters.
  3. Double-click the NullSessionShares key on the right pane.
  4. On a new line of the Multi_String Editor, type the name of the share you want to be accessible by the system account (null session). For example, DATADIR.
  5. Click OK and close the Registry Editor.
  6. Reboot the system.
  7. Restart the ArcIMS services on SERVER1.
Be very careful not to change anything in the registry except for the entries indicated. You can seriously compromise the integrity of your operating system by changing the wrong entries. 
By default, a shared resource configured in this manner is not secure. Be sure to follow safety guidelines when working with null session shares, such as the following:
  • Define specific user permissions on the directory and its contents.
  • Don't share the disk that has system files. Share only data disks.
  • Shares can be hidden from curious browsers by adding a "$" to the end of the share name.
  • It is possible to hide a server from browser lists and to disconnect idle connections automatically:
net config server /hidden:yes /autodisconnect:120 

Related Information