Thursday, July 16, 2015

PSExec - Access is denied

Solution: PSExec - Access is denied

Symptoms:
Using Microsoft Powertool "PSExec" to execute a program on a remote server. This message is displayed on the source computer: Access is denied

Solution:
On the Remote (destination) server or workstation, the calling credentials must be in that machine's Administrator's group.

1.  On the remote server, see Windows Control Panel, Administrative Tools, Computer Management

2.  Still on the remote server, in Computer Management, under Users and Groups, add the userID to the Administrator's Group.  This is the source-machine's User-ID/Credentials (the machine launching PSExec).

On the remote server,
You do not need to build Shares, but they are handy to shrink path-lengths
You do not need to grant the remote ID "Execute" rights within the share
You do not need to worry about turning on File Sharing
Do not bother installing PSExec on the remote machine

This is regardless of whether -u and -p parameters are used.  Because the user is in the Administrator's group, it gets all of these rights, regardless.  To my knowledge, you cannot bypass the Administrator requirement.


Discussion:
The local PSExec temporarily installs a service at the remote machine and because it is building a new service "on-the-fly," it needs to have Administrative rights.  Because you have to grant Administrative rights, the elevated privileges trump all other rights.

The program literally copies a file, psexecsvc to the remote server's Admin$ share and starts the service on that device.  When the command completes, the service is de-installed.



Other helpful hints:

*  On the Source computer, copy PSExec.exe into C:\Windows\System32 so it will be on the path
*  On the Source computer, launch PSExec.exe with no parameters at least one time to approve the Legal-accept screen

Example, as typed on the Source machine:

psexec.exe  \\RemoteServerName  \\RemoteServerName\Share\Path\program.exe
psexec.exe  \\RemoteServerName  "C:\Program Files (x86)\program.exe"  param-1  param-2
psexec.exe -acceptULA \\RemoteServerName  "C:\Program......"  (etc.)

Different credentials can be used.  Naturally, this account must be defined in AD or as a local account on the remote server:

psexec.exe -u myaccountname -p mypassword   \\RemoteServerName  "C:\Program....."  (etc.)

use psexec.exe /? for additional help and parameters.


What is PSExec:

This is a tool developed by the talented Mark Russinovich, now of Microsoft, that allows system administrators to execute programs on a remote computer, without having to have direct control of the desktop or without using a remote console.  This is also known as Windows SysInternals or formerly "power toys".  The "ps" refers to similar Unix system commands.

When the remote program runs, it runs *on* the remote computer -- not from the calling computer. 

For example, this command retrieves the ipconfig.exe program from the remote computer and runs it on your local CPU -- giving you your machine's IP configuration -- probably not what you wanted.

\\RemoteServerName\Share\ipconfig.exe

while: 
psexec.exe  \\RemoteServerName  "ipconfig.exe"

runs on the remote server, getting the remote server's IP Config information and displays the results on your local computer.

Downloading PSExec

Download the program directly from Microsoft as a ZIP file.  An install is not required. 

From www.Microsoft.com, search for "PSTools" or "PSExec". 
Download the ZIP file.  
Open the ZIP and copy PSExec to C:\Windows\System32 or another directory of your choice. 
An install is not required.

It is helpful to have this program on the local workstation's path.  You do not need to install the program on the remote servers.


No comments:

Post a Comment

Comments are moderated and published upon review.