psexec Access denied

[zino]

if I run the following from the command line as:
C:\PsTools>psexec -u domain\myUser -p myPassword -i \\remoteServer cmd.exe
it run successfully and it opens the command window on the remote server


if I try to run this same command from an asp net web page from the same
server as :
Dim p As New System.Diagnostics.Process
Dim pi As New System.Diagnostics.ProcessStartInfo
pi.FileName = "C:\PsTools\psexec.exe"
pi.Arguments = " -u domain\myUser -p myPassword \\remoteServer cmd.exe -i"
p.StartInfo = pi
pi.UseShellExecute = True
p.Start()

I get "Access denied" error.

user "myUser" is a domain account, and has administrator privilege on both
servers (the local where the command is issued and the remote server)



thanks for help

 

[zino]

I got it to work. I was mistaken.
"myUser" did not have an administartor privilege on the source server, then
the "Access denied" error message was coming from the source server and not
the remote one.

now it runs with no error, but nothing happens on the remote sever, I don't
see the command line window neither the cmd process in task manager.

 

[Jeffrey Tan[MSFT]]

Hi Zino,

First, although Microsoft has acquired sysinternals site, the sysinternals
tools are not official supported yet. Anyway, I will try my best to help
you.

What account does your Asp.net process execute? As I know, Asp.net executed
under the network service account by default which does not have enough
permission to call Psexec tool for this task. This is because Psexec tool
needs administrator privilege to install a windows service to perform some
magic task.

I would recommend you to config the Asp.net to run under the local
administrator account to try it again. Also, in the remote machine, you'd
better use Process Explorer to check the processes list instead of Task
Manager, since Process Explorer has a better view for finding process.

Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[zino]

Hi Jeffrey,

thank you for your reply.
The Asp.net application is running as :
<authentication mode="Windows"/>
<identity impersonate="true"/>
and I'm the one running the asp page and I'm administrator on both servers.

but to my understanding that by supplying the switch (-u domain/myUser -p
myPassword), the PSEXEC will execute under this supplied account regardless
what the Asp.net process is running under. Isn't that correct ?

Anyway, I solved it by supplying the switch "-accepteula" to PSEXEC, which
made the "notepad.exe" process shows up in the task manager on the remote
server, but I need it to be open interactively on the desktop since I'm
supplying "the "-i" switch, and plus, the PSEXEC process now, stay alive in
memory and I have to use the PSKILL utility to kill it unless you have other
solution to take it out.
(process.Close() is not working)


thank you again

 

[Jeffrey Tan[MSFT]]

Hi Zino,

Glad to see you have resolved the problem youself. Oh, it seems that your
problem is caused by the EULA dialog popped up by Psexec.

To tell psexec to terminate immediately after creating the remote process,
you may pass "-d" switch to Psexec.

As I know, the account executing the Psexec tool does matter. "-u" switch
merely "Specifies optional user name for login to remote computer". More
specific, "-u" switch just provides username/password to allow Psexec to
WNetAddConnection2(maybe) API to establish a connection to the remote
machine and launch remote process there. So username/password pair in "-u"
switch is not used on local machine.

On local machine, the Psexec file will create a local windows service to
perform all the detailed real work, so if the running account has no enough
permission, it will fail to install the windows service, so your Asp.net
running thread/process must running with enough permission account token.

Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[zino]

thank you for help.
your before last post (I did not understand the last one) shed some light on
some things I wasn't aware of.

 

[Jeffrey Tan[MSFT]]

Hi Zino,

Sorry for the late response. I am out of office these days.

The last reply looks like a spammer robot by some malicious people, since
it is not posted by me. Our team have seen a lot of spams in the newsgroup
these days using our signature and email addresses.

Anyway, you may ignore it. If you need further help, please feel free to
post. Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.