
I have a strange problem accessing a network drive through psexec. The procedure is as follows:

  • Windows Server 2016 with a network share open to Authenticated/Domain Users (\\r530tc\pub)
  • Windows 10 workstations (for example \\tc100 and \\tc200)

1)

  • run 'psexec \\tc100 cmd.exe' on the server
  • and then run 'dir \\r530tc\pub' on that workstation
  • can see folder contents without any problem

2)

  • run 'psexec \\tc200 cmd.exe' on the server
  • and then run 'dir \\r530tc\pub' on that other workstation
  • "access denied"
  • running 'dir \\r530tc\pub' directly on \\tc200 lets me see the contents of the folder in question without any problems

I've tested everything from NTFS/share security configuration, through GPO, to UAC and firewall on the problematic workstations. The problem exists on 7 machines out of 35, and I'm out of ideas :) Thanks in advance!

Adrian Brosz
  • It probably depends on what method `psexec` winds up using to authenticate to the remote system, NTLM or Kerberos. I've never understood how that winds up being negotiated. As a possible workaround, consider using the `-s` flag (so as to run `cmd.exe` as local system) and give the relevant computer objects (e.g., `TC100$`) access to the necessary shares and files. Or copy the necessary files between the server and the workstations from your local machine. – Harry Johnston Sep 20 '18 at 21:35
  • The -s flag does not change anything. The NTLM/Kerberos clue could be useful, but this is a Win2012 level Active Directory so NTLM is not allowed at all. Regarding other workarounds - I can do the 'file copy' in many other ways, I'm just asking out of curiosity where the source of the problem lies. :) – Adrian Brosz Sep 25 '18 at 11:54
  • If local system on TC200 can't connect to network shares, there's something definitely wrong there. I think that's your most promising line of attack, e.g., is it only certain shares/servers that are affected? In particular, can local system connect to sysvol on the Domain Controllers? Have you looked at the security logs on the target server for clues as to why the connection is being rejected? (You might need to change the auditing policy on the server temporarily to get any useful information.) – Harry Johnston Sep 25 '18 at 19:46
  • ... also, I've experienced similar-sounding problems in scenarios where there are multiple Active Directory domains involved, is that the case here? (My problems were caused by the existence of computer objects with the same name in two separate domains.) – Harry Johnston Sep 25 '18 at 19:48
  • ... oh, and speaking of names, you should check that the DNS name listed for TC200 in the Active Directory matches up with the DNS name TC200 thinks it has, and that said DNS name correctly resolves (e.g., via nslookup) for both the client and the server. – Harry Johnston Sep 25 '18 at 19:50
  • DNS is properly configured, nslookup shows correct results. I have only one AD forest/domain with two DC servers. But 'dir \\r530tc\sysvol' on \\tc200 actually shows 'network access denied', which is weird because all GPO rules are updating on these 'problematic' computers without problems. – Adrian Brosz Sep 26 '18 at 09:57
  • Network access denied appears, of course, when I run the 'dir' command through psexec; locally on \\tc200 there's no problem with it. – Adrian Brosz Oct 04 '18 at 08:05
