While I'm using PSEXEC.exe getting 'Access denied' error for remote systems.
Any idea about how to solve this?
Hi i am placing here a summary from many sources online for various solutions to "access is denied" :
most information can be found here (including requirements needed) - sysinternal help
as someone mentioned add this reg key, and then restart the computer :
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system
/v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
Read this knowledge base article to learn what this does and why it is
needed
Disable firewall (note - this will leave you with out any firewall
protection)
netsh advfirewall set allprofiles state off
if target user has a blank PW and you dont want to add one, run on target:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LimitBlankPasswordUse"=dword:00000000
This didnt work for me, but i have read it did for others in a few places,
on target execute:
Start -> Run -> secpol.msc -> Local Policies -> Security Options -> Network Access: Sharing > and security model for local accounts > Classic – local users authenticate as themselves
if already in 'Classic':
move to "Guest only - .." run from elevated command prompt gpupdate \force
move back to 'Classic - .." again run from elevated command prompt gpupdate \force
This one solved my issue:
run on target from elevated command prompt "net use" look at ouput chart and for shares listed in remote column there (i only deleted the disconnected ones - you can try them all) run "net use [remote path from before list] /delete" then run 'net use \target\Admin$ /user:[user name]' enter prompt password request (if empty PW just press enter), viola should work.
I just solved an identical symptom, by creating the registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy and setting it to 1. More details are available here.
This helped in my case:
cmdkey.exe /add:<targetname> /user:<username> /pass:<password>
psexec.exe \\<targetname> <remote_command>
PsExec has whatever access rights its launcher has. It runs under regular Windows access control. This means whoever launched PsExec (be it either you, the scheduler, a service etc.) does not have sufficient rights on the target machine, or the target machine is not configured correctly. The first things to do are:
Make sure the launcher of PsExec is familiar to the target machine, either via the domain or by having the same user and password defined locally on both machines.
Use command line arguments to specify a user that is known to the target machine (-u user -p password)
If this did not solve your problem, make sure the target machine meets the minimum requirements, specified here.
You can try the command
net use \\computername\ipc$ /user:adminname password
to get admin permissions on remote PC before use psexec.
I had the same problem. And after a hard work, I found a easy and full solution:
I use runas to run the script in a admin account
I use the -s parameter in psExec to run in a system account
Inside the PsExec, I login again with a admin account
You can use & to run multiples commands
Remember to replace [USERNAME], [PASSWORD], [COMPUTERNAME], [COMMAND1] and [COMMAND2] with the real values
The code looks like this:
runas /user:[USERNAME] "psexec -e -h -s -u [USERNAME] -p [PASSWORD] \\[COMPUTERNAME] cmd /C [COMMAND1] & [COMMAND2]"
If you whant to debug your script in the another machine, run the following template:
runas /user:[USERNAME] "psexec -i -e -h -s -u [USERNAME] -p [PASSWORD] \\[COMPUTERNAME] cmd /C [COMMAND1] & [COMMAND2] & pause"
Try setting this key on the target (remote) machine, and restart the machine:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"LocalAccountTokenFilterPolicy"=dword:00000001
See: http://forum.sysinternals.com/topic10924.html and http://www.brandonmartinez.com/2013/04/24/resolve-access-is-denied-using-psexec-with-a-local-admin-account/
I just added "-с" parameter. It makes Psexec copy executable to remote machine. So it works without access errors.
I found Sophos kept placing psexec.exe into the Quarantine section. Once I authorized it, it ran fine.
I still use psexec, even on win 10. Replace the psexec.exe in the Windows 10's win32 folder with the older version to work -> I use version 2.11.0.0. The Windows 10 version I was using would only run .bat files as background/hidden process on the remote computer. Took a whole day to figure this out.
Adding the registry key from above to the remote computer helps as well:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
I found another reason PSEXEC (and other PS tools) fail - If something (...say, a virus or trojan) hides the Windows folder and/or its files, then PSEXEC will fail with an "Access is Denied" error, PSLIST will give the error "Processor performance object not found on " and you'll be left in the dark as to the reason.
You can RDP in; You can access the admin$ share; You can view the drive contents remotely, etc. etc., but there's no indication that file(s) or folder(s) being hidden is the reason.
I'll be posting this information on several pages that i was perusing yesterday while trying to determine the cause of this odd problem, so you might see this elsewhere verbatim - just thought I'd put the word out before anyone else pulled their hair out by the roots trying to understand why the performance counter has anything to do with PSEXEC running.
I had a case where AV was quarantining Psexec - had to disable On-access scanning
For anybody who may stumble upon this. There is a recent (Dec 2013) Security Update from Microsoft Windows on Windows 7 that is preventing remote execution.
See http://support.microsoft.com/kb/2893294/en-us
I uninstalled the Security Update by going to Control Panel\Programs\Programs and Features\Installed Updates
It worked right after that.
The following worked, but only after I upgraded PSEXEC to 2.1 from Microsoft.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"LocalAccountTokenFilterPolicy"=dword:00000001 See:
http://forum.sysinternals.com/topic10924.html
I had a slightly older version that didn't work. I used it to do some USMT work via Dell kace, worked a treat :)
On Windows Server 2012 R2 I had trouble to run from user account
psexec -u administrator -p password \\machinename -h -s -d -accepteula cmd.exe
But it works fine if you run without parameters -h -s. That's why I use this to solve my trouble:
psexec -accepteula -u administrator -p password \\machinename %PathToLocalUtils%\psexec.exe -h -s -d cmd.exe
I couldn't get access to remote machines unless I had UAC disabled.
That has to be done locally, either from control panel or running the following through cmd:
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
While UAC is enabled, make sure you run cmd as administrator.
For a different command I decided to change the network from public to work.
After trying to use the psexec command again it worked again.
So to get psexec to work try to change your network type from public to work or home.
I tried a lot of way but I could not use psexec. It gives "Access denied". After I change the target user account type from Standard to Admin, I connected the machine via psexec.
I researched the reason why admin type account is required then I found this answer.
You can change target machine user account this way: Control Panel -> User Accounts -> Change Account Type. You must enter an admin account and password to change that account if you logged in standard account.
After that I logged in with this command: psexec \\remotepcname -u remoteusername -p remotepassword cmd
Tried all suggestions above, but still was unable to resolve the error. Finally once I made the below change, I could successfully run the PSexec command.
Turns out that when you have UAC enabled psexec does not work as supposed. We need to set HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA to 0 then psexec starts working as expected.
I am using msdeploy to deploy codes to dev server. this morning it stops working. and I am getting ERROR_USER_NOT_ADMIN. nothing changed, at least not that I know of.
abc\jqin, this user is a domain account, its a local admin. why am I still getting ERROR_USER_NOT_ADMIN
Deploy: "C:\Program Files\IIS\Microsoft Web Deploy V3\msdeploy.exe"
-verb:sync -source:package="C:\NetBuild\Packages\IRViewerSvc\IRViewerSvc.zip" -dest:iisApp=IRViewerSvc,computerName=tvw-irwebsvc,username="abc\jqin",password=********
Info: Using ID '51e98b9d-456e-4c7e-8f1a-c696c240f431' for
connections to the remote server. EXEC : error Code:
ERROR_USER_NOT_ADMIN [C:\NetBuild\BuildScript\IRViewerSvc.build]
More Information: Connected to 'tvw-irwebsvc' using the Web Deployment
Agent Service, but could not authorize. Make sure you are an
administrator on 'tvw-irwebsvc'. Learn more at:
http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_USER_NOT_ADMIN.
Error : The remote server returned an error : (401) Unauthorized.
[C:\NetBuild\BuildScript\IRViewerSvc.build] EXEC : error count: 1.
[C:\NetBuild\BuildScript\IRViewerSvc.build]
C:\NetBuild\BuildScript\IRViewerSvc.build(71,5): error MSB3073: The
command ""C:\Program Files\IIS\Microsoft Web Deploy V3\msdeploy.exe"
-verb:sync -source:package="C:\NetBuild\Packages\IRViewerSvc\IRViewerSvc.zip" -dest:iisApp=IRViewerSvc,computerName=tvw-irwebsvc,username="abc\jqin",password=********"
exited with code -1. Done Building Project
"C:\NetBuild\BuildScript\IRViewerSvc.build" (deploy target(s)) --
FAILED.
Try search mmc and run it click on File add or remove snap-ins, select Local Users and Groups hit ok.
Click on the User uncheck everything and check only Password never expires.
Now go to Groups add new group if it does not exists MSDepSvcUsers, Double click on it and add your User as a member.
Go to Services and restart the Web Deployment Agent Service.
Now try and run your MSDeploy.
I hope this was helpful.
Trosago
The NetLogon solution posted here didn't work on our AWS EC2 Windows Server 2019 instances because of the following:
This computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration.
The MSDepSvcUsers solution posted here didn't work completely either:
[16:19:20] Error: (2/10/2020 5:19:20 PM) An error occurred when the request was processed on the remote computer.
[16:19:20] Error: An error occurred when reading the IIS Configuration File 'MACHINE/REDIRECTION'. The identity performing the operation was 'EC2AMAZ-ABCDEFG\SomeUserName'.
[16:19:20] Error: Filename: \\?\C:\Windows\system32\inetsrv\config\redirection.config
[16:19:20] Error: Cannot read configuration file due to insufficient permissions
As noted here: https://social.msdn.microsoft.com/Forums/vstudio/en-US/083efb2e-d087-4a03-9f6a-662a218cacf8/machineredirection-error?forum=tfsgeneral
Adding the Read & execute and Read access to the folder containing the redirection.config file for the user doing the deploy didn't fix the issue, but adding read permissions for the NETWORK SERVICE user on that same folder did.
I recently encountered an interment problem where builds were failing with ERROR_USER_NOT_ADMIN.
This was after an OS upgrade to Windows 2016.
The error from MsDeploy was not entirely correct in our situation and we noticed that if the deployment user was remoted onto the server the deploy would complete successfully.
Upon looking at the event log I noticed that there was an error stating that the deployment account failed to logon with a reason 'The NetLogon component is not active.'
Sure enough, the NetLogon service was stopped. Starting it meant the deployments worked again.
I have a file that I want to transfer to a remote machine that is running W7 32 bit
I have a script that enables me to push the file to the machine from a linux management server, using a combination of:
1) smbclient to mount the Admin share on the W7 machine
2) winexe to move the file to the location I require
This leaves me with the file in the correct location, but owned by the Admin user - whereas I need it to be editable by a standard user, User1
I have been trying to resolve this by using icacls
Using winexe I can run this remotely on the W7 machine. Initially I tried setting the poermissions to "Full" for the user account:
icacls c:......\myFile /grant User1:F
Checking this from the command line showed that it had apparently worked:
icacls c:......\myFile
c:......\myFile User1:(F)
However, from the windoes desktop, the file properties dialogue showed User1 having only read permissions, and anything else gave access denied.
My next attempt was:
icacls c:......\myFile /setowner User1
However, when logged in to the windows desktop as User1, attempting to delete or edit the file now tells me that doing so requires permission from User1....which is a bit peverse, since I am logged in as User1....
Any ideas?
This may or may not help, but I was unable to delete a file I copied from a Linux machine to a Windows shared folder - was getting a 'need Administrator permission' type error.
I was trying to solve this with the smbclient -c "setmode -r;" option, but when this didn't work I realised the Windows folder itself was set for read-only access for all but Administrator level.
I am getting a "client unknown" error when trying to commit any files from webstorm to perforce. My p4v is configured correctly and works outside of Webstorm and my p4 command line is also correctly configured yet when I use the exact same setup in webstorm I get the client unknown error. My client is setup and correctly copied into perforce. Any idea what might be going on here? Are there logs that will show me a more complete error?
For those who are facing this issue :
Check the "p4 info" output and see if "User name", "Client name" and Client are having correct data.
If they are 'none' / 'unknown', then check or set below environment variables
P4CLIENT
P4USER
P4PORT
P4CLIENT : Should match with your "workspace" name
P4USER : Username to login to perforce
P4PORT : Should have proper URL "HOSTNAME:PORT" of perforce server : Ex: 192.128.10.130:6666
I figured this out finally, though I ran into a new issue.
Resolution: The perforce client P4 (not P4v) has to be installed, and it was but it was not in the correct directory. P4 needs to be installed in your Applications on a Mac and that file needs to be made editable. You will also likely need to change your permissions for that file to allow system read/write access.
To make the file executable once it is in the Applications directory from the command prompt navigate to your applications directory and type: chmod +x p4 (http://www.perforce.com/perforce/doc.current/manuals/p4guide/01_install.html)
Then you can find the file in finder and right click it, the click get info from the context menu. From there at the very bottom will be file permissions. I set them all to read/write. You could also do this from the command line by typing chmod 755 p4 I think but I am not great on the command line so use at your own risk.
As far as your workspace is concerned that should be whatever your workspace is set to in P4V.
At that point if you hit test connection inside Webstorm->preferences->perforce it should work or at least give you a new error with some more information.
Mine was able to connect successfully but now when I try to update a file I get an error saying "path '/users/my-path.....' is not under the client's root '/users/my-path' even though the first path specified is clearly a child of the second path. Still working on this error.
Mine was able to connect successfully but now when I try to update a file I get an error saying "path '/users/my-path.....' is not under the client's root '/users/my-path' even though the first path specified is clearly a child of the second path. Still working on this error.
In my case i resolve this problem -> i had physical way to my files /Users/.... but in perforce i had a root like /users/.... (in lowercase), i change root and its help for me in mac
I am trying to view the dependencies of my website on IIS 6.0 running on windows server 2003. When I type the following command,
msdeploy -verb:getDependencies -source:metakey=lm/w3svc/1
I got the following error:
C:\Program Files\IIS\Microsoft Web Deploy>msdeploy -verb:getDependencies -source
:metakey=lm/w3svc/1
Error: Object of type 'metaKey' and path 'lm/w3svc/1' cannot be created
Error: The metabase key '/lm/w3svc/1' could not be found.
Error: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
Error count: 1
Can any one explain these to me?
check if a website with Site ID 1 exists (/lm/w3svc/1)
Click on Web Sites node in left pane and check identifier column in right pan (IIS 6)
usman has it... and no, logging in as administrator doesn't take care of running the console in administration mode. Even if you're logged in as an administrator (or THE administrator) you still have to run the console in administrator mode.