|
PSExec: Access denied when using explicit logon |
Post Reply 
|
| Author |
 Share Topic Printable Version Delicious Digg Facebook Furl Google MySpace Newsvine reddit StumbleUpon Translate Twitter Windows Live Yahoo Bookmarks Topic Search  Topic Options
|
branded 
Newbie 
Joined: 05 January 2009 Online Status: Offline Posts: 7 |
 Post Options
 Quote Reply
 Topic: PSExec: Access denied when using explicit logonPosted: 14 January 2009 at 4:02pm |
|
Hello,
I'm having a very strange issue. I am attempting to remotely run a command; lets call it c:\windows\system32\notepad.exe. However, I consistently get Access Denied when I am running psexec when logged on as a non-local administrator on the source machine, and a non-local administrator on the target; even when using explicit -u -p to specify a local administrator on the target.
The user domain\remotemachineadmin is a local administrator on the target machine. This strikes me as very odd as the purpose of psexec is to assume another user's rights on the target machine. Note that it doesn't matter if domain\remotemachineadmin is a local administrator on the source machine. If I log on to the source machine as domain\remotemachineadmin, psexec will run the specified command. Does anyone have any ideas? Thanks! [edit] I have just verified that adding the user that was previously not a member of the local Administrators group on SERVER allows the stated psexec line to be executed.  Makes no sense. Am I going to have to use PSExec to use PSExec?[solution] below Edited by branded - 14 January 2009 at 7:31pm |
|
 |
|
|
PingSpike
Newbie
Joined: 14 January 2009 Online Status: Offline Posts: 3 |
Post Options
Quote Reply
Posted: 14 January 2009 at 4:52pm |
|
This almost sounds like the same thing oakley (and then myself, although I still have to do more tests) seem to have enountered. His thread was bumped by me.
I was actually just thinking of using runas with psexec to try and work around this myself. :P
|
|
|
|
|
branded
Newbie
Joined: 05 January 2009 Online Status: Offline Posts: 7 |
Post Options
Quote Reply
Posted: 14 January 2009 at 5:06pm |
|
Humm... I'm curious if this is a feature. I think it may be.
 Anyway: Here's my work around, get ready for the slop:
-c (close after done) -hide (hide cpau window) > NUL (redirects to cmd line NUL to silence output of notepad.exe) The trick is to change security context (change user) on the local machine and have that user execute the psexec command. runas doesn't allow you to pipe the password (because you can't handle that feature). Although, with runas, you would be able to /savecred, which places the password int he local secure password store (which probably can be brute forced and is less secure than piping the password in each time the program is run). I was really trying to avoid using cpau. I know an older version of psexec allows you to do what we want, since I had used it as such. I'm awaiting word back from some people with larger brains than me (although my question may never get answered), so that I can just write my own vbscript. Edited by branded - 15 January 2009 at 1:11am |
|
|
|
|
PingSpike
Newbie
Joined: 14 January 2009 Online Status: Offline Posts: 3 |
Post Options
Quote Reply
Posted: 14 January 2009 at 11:55pm |
|
Ah, thanks! Your workaround is working for me as well. It seems to have also resolved the issue I had for when psexec had started working where it overrode the cached credentials on the machine used for network shares and instead used the remote admin accounts credentials. I still don't know what the trigger was that caused psexec to start working.
I wonder if using an older version of psexec would work, it seems like this is a bug with psexec...perhaps it was recently introduced? |
|
|
|
|
msacademy
Newbie
Joined: 13 February 2009 Online Status: Offline Posts: 1 |
Post Options
Quote Reply
Posted: 13 February 2009 at 2:32pm |
|
I had the same issue with psexec. I did a packet trace and found the error was a denial of having access to ADMIN$ (the Windows folder share) on the target box. If you run admin to admin, it works.
|
|
|
KINGAS400
|
|
|
|
|
j153c
Newbie
Joined: 17 February 2009 Location: Seattle, WA Online Status: Offline Posts: 2 |
Post Options
Quote Reply
Posted: 17 February 2009 at 10:56pm |
|
I spent a great deal of time hitting my head against the wall with this issue. If you insert a cached credential, then you should be set. CMDKEY is the easiest way to do this and is included in the OS.
Example: cmdkey.exe /add:<targetname> /user:<username> /pass:<password> psexec.exe \\<targetname> <remote_command> ... cmdkey.exe /delete:<targetname> -jc |
|
|
|
|
mbrowndcm
Newbie
Joined: 12 December 2008 Online Status: Offline Posts: 8 |
Post Options
Quote Reply
Posted: 18 February 2009 at 12:48am |
Thanks! In my situation, I had to first change user context to be a user that is a local administrator on the remote machine. Are you stating that cmdkey will store credentials to be used like this? I expect that the process may be copied to ADMIN$, but is then executing using DCOM or WMI. Edited by mbrowndcm - 18 February 2009 at 12:59am |
|
|
|
|
Post Reply
|
| Forum Jump | Forum Permissions You cannot post new topics in this forum You cannot reply to topics in this forum You cannot delete your posts in this forum You cannot edit your posts in this forum You cannot create polls in this forum You cannot vote in polls in this forum |
