Explanation of the Ghost service account

Article:TECH107390  |  Created: 2000-01-25  |  Updated: 2006-01-03  |  Article URL http://www.symantec.com/docs/TECH107390
Article Type
Technical Solution

Issue



You want to know what the Ghost service account is and why Ghost needs it.


Solution



During installation, Ghost adds a new user account to the Windows domain or to Active Directory. This account is known as the service account or the Ghost Configuration Server account. The Ghost service file is NGServer.exe.


Note: Ghost cannot give the service account the appropriate rights on Windows NT, Windows 2000, and Windows XP computers unless you are logged in as a Domain Administrator while performing the Ghost installation.


Why Ghost needs the service account
This account provides the Ghost service with the rights necessary for adding computers to the domain or Active Directory.

That is, when you write a Windows NT image, Windows 2000 image, or Windows XP image to a client computer and then restart the client computer, that client computer cannot join the domain or Active Directory unless it has a domain or Active Directory account. Provided the Ghost service account has the appropriate rights, the service adds an account for each client computer after cloning.

The client computer must be added to the domain or Active Directory after cloning because you cannot create an image file of a computer that is already a member of the domain or Active Directory, and then have the client successfully join the domain after cloning.

User name and password for the service account
The service account requires a user name and password so that it can load into memory and perform its functions. By default, the user name is GHOST_xxxxxxxx, where xxxxxxxx is the first eight characters of the computer name.

You specify the user name and password during the Ghost installation. Use the default user name, or specify a new user name.


WARNING: Do not replace the user name with the name of an existing user account. To increase security, the service account has no local log-on capability. For this reason, if you specify an existing user account as the name of the Ghost service account, the existing user account will no longer have sufficient rights to log on to the computer. In addition, the Ghost Console can modify or delete the service account, which can cause problems if the account is also an administrator account.


Location of image files on Windows NT/2000/XP-based computers
The Ghost service has only those rights that are assigned to it during Ghost installation. By default, Ghost does not have read and write access to specific folders on the hard disk, such as the My Documents folder. Because of this, Ghost cannot access images saved in those folders unless the folder's properties are edited to add the Ghost service account with read and write access.

Rights for Ghost service account
The following are the domain rights required for the Ghost user service account:
  • DELETE
  • READ_CONTROL
  • WRITE_DAC
  • WRITE_OWNER
  • DS_CREATE_CHILD
  • DS_DELETE_CHILD
  • ACTRL_DS_LIST
  • DS_SELF
  • DS_READ_PROP
  • DS_WRITE_PROP
  • DS_DELETE_TREE
  • DS_LIST_OBJECT
  • DS_CONTROL_ACCESS


Note: Symantec does not provide technical support on creating this script. For an example of a script, refer to the \Ghost\Extras\Source folder on the Symantec Ghost CD.
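
The rights listed above are bits in a Windows access mask, so an existing grant can be checked against the list. The following is an added example, not Symantec's script or code from the Ghost CD: it decodes masks using the Windows SDK values for these rights, and the domain name, computer names and ACE data are constructed for illustration.

```python
# Added example: audit an access mask against the rights this article lists.
# Bit values are the Windows SDK definitions of these access rights.
REQUIRED_RIGHTS = {
    "DELETE":            0x00010000,
    "READ_CONTROL":      0x00020000,
    "WRITE_DAC":         0x00040000,
    "WRITE_OWNER":       0x00080000,
    "DS_CREATE_CHILD":   0x00000001,
    "DS_DELETE_CHILD":   0x00000002,
    "ACTRL_DS_LIST":     0x00000004,
    "DS_SELF":           0x00000008,
    "DS_READ_PROP":      0x00000010,
    "DS_WRITE_PROP":     0x00000020,
    "DS_DELETE_TREE":    0x00000040,
    "DS_LIST_OBJECT":    0x00000080,
    "DS_CONTROL_ACCESS": 0x00000100,
}
REQUIRED_MASK = sum(REQUIRED_RIGHTS.values())  # all thirteen bits: 0x000F01FF

def default_account_name(computer_name):
    """Default name per the article: GHOST_ plus the first eight characters."""
    return "GHOST_" + computer_name[:8]

def audit_mask(mask):
    """Return (names of listed rights not granted, bits outside the list)."""
    missing = [name for name, bit in REQUIRED_RIGHTS.items() if not mask & bit]
    extra = mask & ~REQUIRED_MASK & 0xFFFFFFFF
    return missing, extra

def audit_aces(aces, computer_name):
    """Combine the allow-ACE masks held by the default Ghost account, then audit."""
    account = default_account_name(computer_name).upper()
    combined = 0
    for trustee, mask in aces:
        if trustee.split("\\")[-1].upper() == account:
            combined |= mask  # allow ACEs for one trustee are cumulative
    missing, extra = audit_mask(combined)
    return {"account": account, "mask": hex(combined),
            "missing": missing, "extra_bits": hex(extra)}

# Constructed sample data: (trustee, access mask) pairs from allow ACEs.
SAMPLE_ACES = [
    ("EXAMPLE\\GHOST_IMAGESRV", 0x000F00FF),
    ("EXAMPLE\\GHOST_IMAGESRV", 0x00000100),
    ("EXAMPLE\\GHOST_LAB-PC-0", 0x00020094),  # read-only rights
]

if __name__ == "__main__":
    print(audit_aces(SAMPLE_ACES, "IMAGESRV01"))
    print(audit_aces(SAMPLE_ACES, "LAB-PC-0042"))
```

Together the thirteen rights form the mask 0x000F01FF, which is full control over the directory objects the grant applies to, so the container on which the account holds it determines its real reach.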





References
Additional information

How to start and stop the Ghost service




Legacy ID: 2000092516563525

