seanc217
Joined: 23 May 2007 Posts: 272
Connecting to Windows issue on multi-platform edition.
Hi, I am running multi-platform edition 255.
I tried issuing the following from the command prompt on the agent I am having trouble connecting to:
D:\Program Files\24x7_Scheduler>runas.exe yesbank\srv_etl <password> c:\windows\notepad.exe
RunAs version 2.2.3
Copyright (c) 2003-2008 SoftTree Technologies, Inc.
Logging in as yesbank\srv_etl...
Setting user environment...
Logged in. Impersonating...
Starting process c:\windows\notepad.exe...
Error #1314: A required privilege is not held by the client.
Note: User account running RunAs must be assigned "Act as part of the operation
system" rights and also have "Create token" rights. User account used to run the
process must be assigned "Logon as a batch job" rights.
The account has the following local security policy privs in place:
Act as part of the operating system
Create a token object
Log on as a batch job
Log on as a service
Replace a process level token
Please advise on how to correct this; it is running on a Windows 2003 server.
Thanks.
Wed Aug 06, 2008 7:46 pm
SysOp
Site Admin
Joined: 26 Nov 2006 Posts: 7849
It looks like you are using a domain user account for login and remote job runs, not a local account. As such, the privileges should be granted to the domain user. I am not sure which user account you use to run the agent.
In case you also have a local account named srv_etl, try
runas.exe .\srv_etl <password> c:\windows\notepad.exe
Note that if you manage to start Notepad this way, you are not going to see it on the screen, yet it should still appear in the Task Manager. You can kill it from there.
Wed Aug 06, 2008 8:00 pm
seanc217
Yes, I am using a domain account and it has the privs listed above assigned to it.
What else am I missing?
I do not have a local account to run this against.
Thanks.
Wed Aug 06, 2008 9:22 pm
SysOp
Quote: local security policy privs
You said that this account has been granted local policies. Local policies are superseded by domain policies for domain user accounts, so the local settings aren't effective for the domain user. You should grant these privileges to the domain user using Active Directory tools, after which have the user re-login to the system.
Wed Aug 06, 2008 10:18 pm
seanc217
I got past the problem by adding the policy "Access this computer from the network" priv, but when I try to run a bat job now I get the following error:
"Create process error. Extended error: Error #5: Access is denied."
Please advise.
Sean
Thu Aug 07, 2008 9:45 am
SysOp
The process runs in the context of the specified user as a batch job. In that context the process either cannot be started or it attempts to perform some operation on startup that leads to an Access denied error. The error comes from the operating system.
I suggest checking first whether the process accesses any network resources, for example network shares. You can also check the Windows Security Event log for additional error messages; it can help to identify which resource(s) access has been denied to.
Thu Aug 07, 2008 10:13 am
seanc217
OK, this was just a simple bat file I was trying to run.
In the bat file there was just an echo statement.
Thu Aug 07, 2008 10:15 am
SysOp
I guess the selected domain account doesn't currently have sufficient permissions to run batch jobs on that system. Please review the account security settings and adjust as required.
Thu Aug 07, 2008 10:29 am
seanc217
I am reviewing this now with our sysadmin.
I will update with what we find out when we get it to work.
Thanks!
Thu Aug 07, 2008 10:42 am
seanc217
Hi there,
Just an update.
We are not able to make this work unless we set the account to be administrator on the box.
For obvious reasons we do not want to do this.
Is there anyone there that could help us out in trying to troubleshoot this issue so we can set the permissions it needs?
Thanks,
Sean
Fri Aug 08, 2008 10:41 am
SysOp
The solution is quite simple. Don't use the same account to run the agent and the jobs. Use an admin account with sufficient privileges for the agent. Use a low-privileged account to run jobs. The low-privileged account only needs to have the "logon as a batch job" privilege.
What is described above is a kind of standard implementation.
There exist many other ways for starting a remote process, but they are less secure and more complicated. For example, using the 24x7 RAS agent, an FTP server and a JavaScript job, Telnet, SSH, etc.
Fri Aug 08, 2008 10:53 am
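An added example, not from this thread or from SoftTree's 24x7 Scheduler, that audits the user-rights split SysOp describes: the agent account needs "Act as part of the operating system" (SeTcbPrivilege) and "Create a token object" (SeCreateTokenPrivilege), plus the "Access this computer from the network" right Sean added, while the job account only needs "Log on as a batch job" (SeBatchLogonRight). It reads the security settings actually applied on the host via secedit, which is what counts once domain policy overrides the local settings; the account names are placeholders taken from the thread.

```powershell
# Added example (hypothetical script, not part of 24x7 Scheduler). Run elevated on the
# agent host; on Windows 2003 this needs PowerShell 2.0 installed.
param(
    [string]$AgentAccount = 'yesbank\srv_etl',   # account the agent / runas runs under
    [string]$JobAccount   = 'yesbank\srv_etl'    # account the jobs are started as
)

# Rights named in the thread. The agent account needs the first two plus the network
# logon right; the job account only needs the batch logon right.
$AgentRights = 'SeTcbPrivilege', 'SeCreateTokenPrivilege', 'SeNetworkLogonRight'
$JobRights   = 'SeBatchLogonRight'

function Get-AppliedUserRights {
    # Export the applied security settings and parse the [Privilege Rights] section
    # into a hashtable: right name -> array of SIDs (secedit prefixes SIDs with '*').
    $cfg = Join-Path $env:TEMP ('secpol-' + [guid]::NewGuid() + '.inf')
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$matches[1]] = $matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Get-AccountSid([string]$Account) {
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Test-AccountRights([string]$Account, [string[]]$Required, [hashtable]$Rights) {
    # Reports direct grants only. A grant inherited through a group (for example
    # Administrators, S-1-5-32-544) is not resolved here, which is exactly why "just make
    # it an administrator" hides the missing right instead of identifying it.
    $sid = Get-AccountSid $Account
    foreach ($r in $Required) {
        $holders = @($Rights[$r])
        $has = ($holders -contains $sid) -or ($holders -contains $Account)
        '{0,-24} {1,-22} {2}' -f $r, $Account, $(if ($has) { 'GRANTED' } else { 'MISSING' })
    }
}

$applied = Get-AppliedUserRights
Test-AccountRights $AgentAccount $AgentRights $applied
Test-AccountRights $JobAccount   $JobRights   $applied
```

A MISSING line for the job account's SeBatchLogonRight, or for the agent account's SeTcbPrivilege or SeCreateTokenPrivilege, is the policy gap to fix in Active Directory rather than by adding the account to Administrators.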
seanc217
Hi there, as always thanks for your prompt responses.
We are running the agent as a service which uses the local system account when running. I believe this has administrative access by default.
We are trying to use a domain account to run the jobs. Under this configuration we are getting the access denied error.
We even tried a local account to run the jobs and still get the error. The only time we can get it to run is when we make the user part of the administrators group, which we do not want to do.
Fri Aug 08, 2008 12:01 pm
SysOp
LocalSystem by default doesn't have all the needed privileges. Unfortunately it is a common misconception to assume that admin accounts have all types of possible privileges; they do not. Moreover, LocalSystem has very significant security limitations that affect all processes started from a service. You likely don't want to use LocalSystem because all the jobs will be confined to the local system and will not be able to access any network resources (files, shares, emails, databases, etc.). Perhaps this explains why you are getting "Access denied" errors.
Pick either a domain account to run the agent service, or something like NetworkService, a domain admin account, or some other special account that can start services before interactive logon and still be able to access network resources.
For more info, please take a look at http://msdn.microsoft.com/en-us/library/ms677948.aspx and http://msdn.microsoft.com/en-us/library/ms684190.aspx and related documents referenced there.
Fri Aug 08, 2008 2:21 pm
seanc217
OK so what privs will the account need?
That's what we are trying to figure out.
I have tried running the service under my domain account. I have admin privs on the box.
Yet when I run the runas command on the agent, it cannot create the process. Login is working just fine.
I have set the permissions on the folders and directories so that the accounts have full access to them.
How can we debug this and maybe get a little more detail on what we need to do?
Thanks!
Fri Aug 08, 2008 2:50 pm
seanc217
Does the scheduler make use of the registry?
Maybe it's trying to access the registry when you kick off runas?
Fri Aug 08, 2008 3:27 pm