1

2 Windows 2012 Server, no firewall, nothing triggered in MS Security Center Endpoint Protection.

Server A (GIS Server) utilizes a local account to perform various task; this account must exist on all other servers for it to be able to access those resources (Targer: Server B). To reiterate, this account exists on both servers and has an identical password.

PSEXEC works fine when using the powershell etc since I'm logged in as a domain admin. For testing purposes, I'm launching powershell via 'Run As' the local account. Try as I might, I keep getting 'access denied'.

  • I have tried providing (within the PSEXEC statement) a domain Admin (specifying both 'home' and the FQDN as sep. tests) account as well as the credentials for the local account.
  • I have tried given the local account on the target server admin privileges
  • MS Endpoint Security logs nothing in its history
  • Event Viewer on the target server does show a security logon & log off event for the 'source' account but I don't seen anything of note in the event.
  • I have tried specifying a working directory where the local account has read/write/execute privileges
  • I believe I have tried every switch configuration
  • I have researched the PSEXEC forums on windows and searched exhaustively all this morning
  • This is not an empty password situation

I can provide more information about the entire workflow, but wanted to keep this very focused on what looks like the exact point of failure. I humbly turn to your expertise! When this is working it will bridge a major workflow for our work. many thanks!

Clickinaway
  • 121
  • 6
  • have you tried using serverb\username as the username? – longneck May 02 '13 at 18:01
  • when you launch powershell via Run As, does that account have local admin privileges (not target)? Also (as always) check UAC. – TheCleaner May 02 '13 at 18:07
  • @longneck yes, I have tried that as well – Clickinaway May 02 '13 at 18:10
  • @TheCleaner I must be reading everything wrong...i thought the account needed local admin on the target system? – Clickinaway May 02 '13 at 18:11
  • I asked because you said it works fine executing PS with your domain admin account and then using PSEXEC with those credentials, but when you run PS as the other account it fails. Seems to be more of a local issue then a remote one at that point. – TheCleaner May 02 '13 at 18:14
  • Ok i'm following your logic: so elevate the local account to admin. I will try this BRB [EDIT: already elevated to admin]. In the mean time: is it going to be necessary to disable UAC on both source and target? [Requires a reboot for both; people get grumpy about reboots]. – Clickinaway May 02 '13 at 18:22
  • Will comment and suggest comments as answers tomorrow morning! – Clickinaway May 02 '13 at 20:41

1 Answers1

1

I checked with some folks in the chat rooms and they said it would be best to answer this if there was a conclusion. A special thanks to Travis & TheCleaner. I elevated both local user accounts to admin and disabled UAC. Somebody can flame me on poor security practices, but after their suggestions, all supporting documentation affirmed this. Besides, I needed the thing to work and the servers in question are on an isolated network.

Thanks so much serverfault!

Clickinaway
  • 121
  • 6