Whatanut
Joined: 26 May 2009 Posts: 50
Errors running jobs with non-administrative account
On to my next problem...
Scenario:
- 24x7 Scheduler Multi-Platform being run interactively with full GUI interface
- Interactive account used to launch 24x7 is an administrator on the server (have tried both local administrator and domain administrator)
- Interactive account has been granted "Act as part of the operating system", "Create a token object" and "Replace a process level token" privileges
- Job is configured to run under a different script runner account
- Script runner account has been granted "Log on as a batch job" privilege
All sounds pretty normal so far...
Problem:
- When the job is run from 24x7 Scheduler an error is generated. "Create process error. Extended error:"
- Sometimes a dialog box is produced with an error message stating there was an error initializing the process referencing error code 0xc0000142. After some research this turns up as a failure to initialize a dll
Troubleshooting:
- Changed executable to be "c:\windows\system32\notepad.exe" to eliminate problems with the custom app. No change. Same error.
- Made script runner a member of the administrators group. Problem goes away. Appears to be a permissions issue of some sort. Not a desirable solution. Removed from administrators group.
- Added most other privileges just shooting in the dark to see if one would correct the error. "Act as part of the operating system", "Adjust memory quotas for a process", "Allow log on locally", "Allow log on through Terminal Services", "Bypass traverse checking", "Create a pagefile", "Create a token object", "Create global objects", "Create symbolic links", "Debug programs", "Impersonate a client after authentication", "Increase scheduling priority", "Load and unload device drivers", "Manage auditing and security log", "Modify firmware environment values", "Perform volume maintenance", "Profile single process", "Profile system performance", "Remove computer from docking station", "Replace a process level token", "Restore files and directories" and "Take ownership of files or other objects". Most of those privileges I had no expectation of doing any good. Shot in the dark. No change. Same error.
- Logged in as script runner user and ran executable interactively. App runs as expected. No problem
- Logged in as interactive administrative user and ran executable as the script runner user using windows built-in runas command. App runs as expected. No problems.
- Logged in as interactive administrative user and ran executable as the script runner user using the 24x7 provided runas command. Error is produced:
C:\>"c:\Program Files\24x7_Scheduler\runas.exe" domain\ScriptRunner password d:\24x7Scripts\MyScript\MyScript.exe
RunAs version 2.3.2
Copyright (c) 2003-2008 SoftTree Technologies, Inc.
Logging in as domain\ScriptRunner...
Setting user environment...
Logged in. Impersonating...
Starting process d:\24x7Scripts\MyScript\MyScript.exe...
Waiting for process to complete...
Process completed with exit code -1073741502
- Logged in as interactive administrative user and ran notepad.exe as the script runner user using the 24x7 provided runas command. Error is produced:
C:\>"c:\Program Files\24x7_Scheduler\runas.exe" domain\ScriptRunner password c:\windows\system32\notepad.exe
RunAs version 2.3.2
Copyright (c) 2003-2008 SoftTree Technologies, Inc.
Logging in as domain\ScriptRunner...
Setting user environment...
Logged in. Impersonating...
Starting process c:\windows\system32\notepad.exe...
Waiting for process to complete...
Process completed with exit code -1073741502
- I've used various combinations of the available command-line parameters available to the 24x7 runas command. No Change. Same error
- I've checked file system permissions and they appear to be good. The script runner has modify rights on all the script directories.
- I've run SysInternals Process Monitor to see if anything is being denied. I get no error messages with regard to File System, Registry or Process/Thread activity. The executable just gets to a certain point and ends. When running with the script user as an administrator the next thing that "should" have happened is the loading of lpk.dll. Which is a windows dll for language packs. I have no idea why that might fail or if that is really causing the failure or if it doesn't happen because it just didn't get that far.
I'm not sure what I'm missing here and am running out of ideas. Anything to suggest?
Thu May 28, 2009 3:48 pm
SysOp
Site Admin
Joined: 26 Nov 2006 Posts: 7952
Quick question... after making all these security changes, did you restart the computer?
Thu May 28, 2009 5:05 pm
Whatanut
Joined: 26 May 2009 Posts: 50
Yes. After all permission changes I restarted the system to ensure they were applied. For privilege changes I made no more than three changes at a time and rebooted in an attempt to isolate what might cause things to start working. Of course nothing did.
Thu May 28, 2009 9:24 pm
SysOp
Site Admin
Joined: 26 Nov 2006 Posts: 7952
A few more questions to better understand the situation.
1. The script runner user appears to be a domain user. Did you make all security changes for the local script runner user or domain user?
2. Did you use Active Directory GPO to make changes or Local Security Policy?
3. What is a complete message for "Create process error. Extended error: ?? what appears here ???"
I wonder why when you run it from interactively running scheduler you get "Create process error" message but when you run it using RunAs, you get the same process created but then terminated with message "Process completed with exit code -1073741502".
By the way, error code -1073741502 means a DLL failed to load probably because a needed DLL could not be found in the system search path or was found but not enough permissions to load it. Please note that "run as" logs the user in batch job mode and in this mode the environment settings are different from interactive mode, including access to the interactive Windows desktop. I'd suggest trying to run a non-interactive console mode application that doesn't need to load any DLLs, for example "cmd echo HelloWorld". If that succeeds then try running graphical applications and forcibly binding them to the desktop.
Thu May 28, 2009 10:03 pm |
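The exit code -1073741502 printed by RunAs and the 0xc0000142 shown in the dialog box are the same 32-bit value: the signed decimal view of an NTSTATUS. As an added example (not part of the original thread and not SoftTree's code), the Python sketch below pulls exit codes out of launcher output and decodes them; the function names and the small status table are this example's own.

```python
import re

# Small subset of NTSTATUS values (names as defined in Microsoft's ntstatus.h).
KNOWN = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000135: "STATUS_DLL_NOT_FOUND",
    0xC0000142: "STATUS_DLL_INIT_FAILED",
}
SEVERITY = ("SUCCESS", "INFORMATIONAL", "WARNING", "ERROR")
EXIT_RE = re.compile(r"Process completed with exit code (-?\d+)")

def decode_exit_code(code):
    """Reinterpret a signed 32-bit exit code as an NTSTATUS and split its fields."""
    value = code & 0xFFFFFFFF  # two's complement -> unsigned DWORD
    return {
        "hex": f"0x{value:08X}",
        "severity": SEVERITY[value >> 30],     # bits 31-30
        "customer": bool(value & 0x20000000),  # bit 29: customer-defined code
        "facility": (value >> 16) & 0x0FFF,    # bits 27-16
        "code": value & 0xFFFF,                # bits 15-0
        "name": KNOWN.get(value, "unknown (not in this subset)"),
    }

def triage(output):
    """Find exit-code lines in launcher output and decode each one."""
    results = []
    for m in EXIT_RE.finditer(output):
        info = decode_exit_code(int(m.group(1)))
        # Only ERROR-severity values are plausibly NTSTATUS failures; small
        # positive numbers are ordinary application exit codes.
        info["looks_like_ntstatus"] = info["severity"] == "ERROR"
        results.append(info)
    return results

# Sample input: the last lines of the RunAs output as posted in this thread.
SAMPLE = """Starting process c:\\windows\\system32\\notepad.exe...
Waiting for process to complete...
Process completed with exit code -1073741502
"""

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r)
```

The decoded name is STATUS_DLL_INIT_FAILED, which is a distinct status from STATUS_DLL_NOT_FOUND (0xC0000135): the DLL was located and mapped, and its initialization routine failed.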
Whatanut
Joined: 26 May 2009 Posts: 50
1. The script runner was a domain user. But let's just take that out of the equation because I don't believe it is the issue. I have created a local account and will use that instead. All of the same security permissions have been granted to the local user. The server has been rebooted.
2. The policies are configured using local security policy. Again, I don't think this is an issue and we'll just avoid that discussion by using a local user and take the domain out of the equation.
3. There is nothing more to the message. "Create process error. Extended error:" is the entire message that is shown in the 24x7 Scheduler.
With the local user I have reproduced all of the same results.
This works:
C:\>runas /user:ScriptRunner "cmd.exe /k echo hello"
Enter the password for ScriptRunner:
Attempting to start cmd.exe /k echo hello as user "AUSLYNCAS53\ScriptRunner" ...
This does not work:
C:\>"c:\program files\24x7_Scheduler\runas.exe" .\ScriptRunner P@ssw0rd cmd /k echo hello
RunAs version 2.3.2
Copyright (c) 2003-2008 SoftTree Technologies, Inc.
Logging in as .\ScriptRunner...
Setting user environment...
Logged in. Impersonating...
Starting process cmd...
Waiting for process to complete...
Process completed with exit code -1073741502
Fri May 29, 2009 8:45 am
SysOp
Site Admin
Joined: 26 Nov 2006 Posts: 7952
Please take a look at your Windows Security Event Log. There should be a message for every failed run. Hopefully this message provides enough details to figure out which permission(s) is needed.
By the way, the difference between Windows runas and SoftTree runas is that the first uses Windows native services running under LocalSystem account to start the processes, while the second uses your interactive admin login to start the processes.
Fri May 29, 2009 9:43 am
Whatanut
Joined: 26 May 2009 Posts: 50
Unfortunately there are no entries being logged in any of the event logs. I've reviewed the Security, application and system event logs. I take that back. There is one entry in the application event log but it is merely a log of the pop message which states the application failed to initialize. Other than that there are no other failures noted. Maybe I'll see if I can increase the log levels to capture something that isn't currently being captured...
Fri May 29, 2009 9:54 am
Whatanut
Joined: 26 May 2009 Posts: 50
No luck with all auditing turned on. Only thing I see is a successful logon for the ScriptRunner account and a successful logoff...
Fri May 29, 2009 10:02 am
SysOp
Site Admin
Joined: 26 Nov 2006 Posts: 7952
It would help a lot if you can make Windows report each requested and denied privilege. Do you know where to set this option?
Fri May 29, 2009 10:06 am
Whatanut
Joined: 26 May 2009 Posts: 50
I've turned on all failure auditing in the local policy using gpedit under Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy
Fri May 29, 2009 10:27 am
Whatanut
Joined: 26 May 2009 Posts: 50
Are we out of ideas? I'd really like someone at SoftTree to do some testing on the Windows 2008 platform and either confirm that this is a problem that needs to be addressed or figure out what needs to be set to make this work. In the short term I am likely going to be forced to make my script runner accounts local administrators. Not a good solution...
Has nobody else out there run into this?
Mon Jun 01, 2009 8:45 am
SysOp
Site Admin
Joined: 26 Nov 2006 Posts: 7952
Is FullPrivilegeAuditing currently enabled? Just in case, http://technet.microsoft.com/en-us/library/cc784501(WS.10).aspx
If yes, we should be able to see which privileges are requested and denied. Do you agree that this is a security related issue? If we can isolate the required privilege, we can fix the access without a need to use admin account.
Mon Jun 01, 2009 9:12 am
Whatanut
Joined: 26 May 2009 Posts: 50
As stated previously, I have enabled all failure auditing. However, no failures regarding the scheduler or 24x7 runas command are being recorded in the event log. See attached screenshot for configuration.
It appears to be a security related issue since making the script runner an administrator does work. However, I'm at a loss as to what security setting needs to be tweaked.
Mon Jun 01, 2009 9:47 am
SysOp
Site Admin
Joined: 26 Nov 2006 Posts: 7952
Perhaps the issue with permissions is not that they fail explicitly, but that the user is not allowed to access certain folders and files (for example files in the C:\Windows folder) and that's why the user is unable to run cmd and notepad which reside in that folder.
I'm not sure how to make Windows log this activity. Maybe it will log it if you change log-failed-only to log-all. I'll continue looking into this.
In the meantime, please try starting some simple program that doesn't have dependencies in the system folders.
Mon Jun 01, 2009 11:36 am
Whatanut
Joined: 26 May 2009 Posts: 50
It's not being denied access to the executable itself. The process is created and the executable image is loaded into memory. It just doesn't get very far before it exits. I'm not sure how well this will show up on here but I'll paste in a capture of the process activity. No file access errors are reported.
| Sequence | Time of Day | Process Name | PID | Operation | Path | Result |
|---|---|---|---|---|---|---|
| 47492 | 33:04.8 | cmd.exe | 3848 | Process Start | | SUCCESS |
| 47493 | 33:04.8 | cmd.exe | 3848 | Thread Create | | SUCCESS |
| 47768 | 33:04.8 | cmd.exe | 3848 | Load Image | C:\Windows\System32\cmd.exe | SUCCESS |
| 47770 | 33:04.8 | cmd.exe | 3848 | Load Image | C:\Windows\System32\ntdll.dll | SUCCESS |
| 47780 | 33:04.8 | cmd.exe | 3848 | CreateFile | C:\ | SUCCESS |
| 47798 | 33:04.8 | cmd.exe | 3848 | Load Image | C:\Windows\System32\kernel32.dll | SUCCESS |
| 49582 | 33:06.4 | cmd.exe | 3848 | Thread Exit | | SUCCESS |
| 49583 | 33:06.4 | cmd.exe | 3848 | Process Exit | | SUCCESS |
| 49589 | 33:06.4 | cmd.exe | 3848 | CloseFile | C:\ | SUCCESS |
| 49590 | 33:06.4 | cmd.exe | 3848 | IRP_MJ_CLOSE | C:\ | SUCCESS |
I'm not sure what's any simpler that I can attempt running. I can write a small "hello world" executable in C and see what happens. I don't have high hopes for that doing any better, though.
Mon Jun 01, 2009 1:37 pm