SoftTree Technologies Technical Support Forums
connecting to windows issue on multi-platform edition.
seanc217



Joined: 23 May 2007
Posts: 272

Hi I am running multi-platform edition 255.

I tried issuing the following from the command prompt on the agent I am having trouble connecting to:

D:\Program Files\24x7_Scheduler>runas.exe yesbank\srv_etl <password> c:\windows\notepad.exe

RunAs version 2.2.3
Copyright (c) 2003-2008 SoftTree Technologies, Inc.

Logging in as yesbank\srv_etl...
Setting user environment...
Logged in. Impersonating...
Starting process c:\windows\notepad.exe...
Error #1314: A required privilege is not held by the client.

Note: User account running RunAs must be assigned "Act as part of the operation
system" rights and also have "Create token" rights. User account used to run the
process must be assigned "Logon as a batch job" rights.


The account has the following local security policy privs in place:

Act as part of the operating system
Create a token object
Log on as a batch job
Log on as a service
Replace a process level token

Please advise on how to correct this; it is running on a Windows 2003 server.

Thanks.
Wed Aug 06, 2008 7:46 pm
SysOp
Site Admin


Joined: 26 Nov 2006
Posts: 7847

It looks like you are using a domain user account for login and remote job run, not a local account. As such the privileges should be granted to the domain user. I am not sure which user account you use to run the agent.

In case you also have a local account named srv_etl, try

runas.exe .\srv_etl <password> c:\windows\notepad.exe


Note that if you manage to start Notepad this way, you are not going to see it on the screen, yet it should still appear in the Task Manager. You can kill it from there.
Wed Aug 06, 2008 8:00 pm
seanc217



Joined: 23 May 2007
Posts: 272

Yes I am using a domain account and it has the privs listed above assigned to it.
What else am I missing?

I do not have a local account to run this against.

Thanks.
Wed Aug 06, 2008 9:22 pm
SysOp
Site Admin


Joined: 26 Nov 2006
Posts: 7847

Quote:
local security policy privs

You said that this account has been granted local policies. Local policies are superseded by domain policies for domain user accounts, so the local settings aren't effective for the domain user. You should grant these privileges to the domain user using Active Directory tools, after which have the user re-login to the system.
Wed Aug 06, 2008 10:18 pm
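
Added example, not part of the original thread and not SoftTree code: one way to see which accounts actually hold the rights named above in the machine's effective security database, after domain policy has been merged with local policy. It assumes PowerShell 3.0 or later and an elevated prompt on the agent machine; the temporary file name is arbitrary.

```powershell
# Map the policy constants written by secedit to the display names used in the thread.
$rights = [ordered]@{
    SeTcbPrivilege                = 'Act as part of the operating system'
    SeCreateTokenPrivilege        = 'Create a token object'
    SeAssignPrimaryTokenPrivilege = 'Replace a process level token'
    SeBatchLogonRight             = 'Log on as a batch job'
    SeServiceLogonRight           = 'Log on as a service'
    SeNetworkLogonRight           = 'Access this computer from the network'
}

# Export only the user-rights area of the effective local security database.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit.exe /export /areas USER_RIGHTS /cfg $cfg | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

function Resolve-Principal([string]$entry) {
    # secedit writes SIDs as "*S-1-5-..." and names it could not map as plain text.
    if (-not $entry.StartsWith('*S-')) { return $entry }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }   # orphaned SID: account deleted or domain unreachable
}

$lines = Get-Content $cfg
Remove-Item $cfg

foreach ($key in $rights.Keys) {
    $line = $lines | Where-Object { $_ -match "^$key\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        $holders = ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { Resolve-Principal $_.Trim() }
    }
    [pscustomobject]@{
        Right    = $rights[$key]
        Constant = $key
        Holders  = if ($holders) { $holders -join '; ' } else { '(nobody)' }
    }
}
```

A right that shows the expected account here but is still missing at run time usually means the token predates the change: rights are evaluated at logon, so compare against `whoami /priv` in a fresh session. Logon rights such as SeBatchLogonRight are not privileges and do not appear in `whoami /priv` output.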
seanc217



Joined: 23 May 2007
Posts: 272

I got past the problem by adding the policy "Access this computer from the network" priv, but when I try to run a bat job now I get the following error:

"Create process error. Extended error: Error #5: Access is denied."

Please advise

Sean
Thu Aug 07, 2008 9:45 am
SysOp
Site Admin


Joined: 26 Nov 2006
Posts: 7847

The process runs in the context of the specified user as a batch job. In that context the process either cannot be started or it attempts to perform some operation on the startup that leads to Access denied error. The error comes from the operating system.

I suggest to check first if the process accesses any network resources, for example network shares. You can also check the Windows Security Event log for additional error messages; it can help to identify access to which resource(s) has been denied.
Thu Aug 07, 2008 10:13 am
seanc217



Joined: 23 May 2007
Posts: 272

OK this was just a simple bat file I was trying to run.
In the bat file was just an echo statement.
Thu Aug 07, 2008 10:15 am
SysOp
Site Admin


Joined: 26 Nov 2006
Posts: 7847

I guess the selected domain account doesn't currently have sufficient permissions to run batch jobs on that system. Please review the account security settings and adjust as required.
Thu Aug 07, 2008 10:29 am
seanc217



Joined: 23 May 2007
Posts: 272

I am reviewing now with our sysadmin.
I will update with what we find out when we get it to work.

Thanks!
Thu Aug 07, 2008 10:42 am
seanc217



Joined: 23 May 2007
Posts: 272

Hi there,

Just an update.
We are not able to make this work unless we set the account to be administrator on the box.
For obvious reasons we do not want to do this.

Is there anyone there that could help us out in trying to troubleshoot this issue so we can set the permissions it needs?

Thanks,

Sean
Fri Aug 08, 2008 10:41 am
SysOp
Site Admin


Joined: 26 Nov 2006
Posts: 7847

The solution is quite simple. Don't use the same account to run the agent and jobs. Use an admin account with sufficient privileges for the agent. Use a low privileged account to run jobs. The low privileged account only needs to have the "logon as a batch job" privilege.

What is described above is a kind of standard implementation.


There exist many other ways of starting a remote process, but they are less secure and more complicated. For example using 24x7 RAS agent, FTP server and JavaScript job, Telnet, SSH, etc…
Fri Aug 08, 2008 10:53 am
seanc217



Joined: 23 May 2007
Posts: 272

Hi there, as always thanks for your prompt responses.

We are running the agent as a service which uses the local system account when running. I believe this has administrative access by default.

We are trying to use a domain account to run the jobs. Under this configuration we are getting the access denied error.
We even tried a local account to run the jobs and still get the error. The only time we can get it to run is when we make the user part of the administrators group, which we do not want to do.
Fri Aug 08, 2008 12:01 pm
SysOp
Site Admin


Joined: 26 Nov 2006
Posts: 7847

LocalSystem by default doesn't have all needed privileges. Unfortunately it is a common misconception to assume that admin accounts have all types of possible privileges; they do not. Moreover LocalSystem has very significant security limitations that affect all processes started from a service. You likely don't want to use LocalSystem because all the jobs will be contained to the local system and will not be able to access any network resources (files, shares, emails, databases, etc.). Perhaps this explains why you are getting "Access denied" errors.

Pick either a domain account to run the agent service, or something like NetworkService, domain admin account, or some other special accounts that can start services before interactive logon and still be able to access network resources.


For more info, please take a look at http://msdn.microsoft.com/en-us/library/ms677948.aspx and http://msdn.microsoft.com/en-us/library/ms684190.aspx and related documents referenced there.
Fri Aug 08, 2008 2:21 pm
seanc217



Joined: 23 May 2007
Posts: 272

OK so what privs will the account need?

That's what we are trying to figure out.
I have tried running the service under my domain account. I have admin privs on the box.

Yet when I run the runas command on the agent, it cannot create the process. Login is working just fine.
I have set the permissions on the folders and directories so that the accounts have full access to them.

How can we debug this and maybe get a little more detail on what we need to do?

Thanks!
Fri Aug 08, 2008 2:50 pm
seanc217



Joined: 23 May 2007
Posts: 272

Does the scheduler make use of the registry?
Maybe it's trying to access the registry when you kick off runas?
Fri Aug 08, 2008 3:27 pm

All times are GMT - 4 Hours
Page 1 of 2