Scheduling a Task On A Remote Machine - winapi

I am trying to use Microsoft's Task Scheduler to schedule a task on a remote machine. I am getting the "Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))" error. I am running the code as an admin in an elevated state. I remember reading before that a user trying to work with the task scheduler on a remote machine must be a member of a specific group. I do not remember the group name. It's not the administrators group. Can someone help? I am doing this on a domain.
Thanks

In the Control Panel, open "Administrative Tools", then "Local Security Policy".
Locate "Security Settings", open "Local Policies" and select "User Rights Assignment".
Find "Log on as a batch job". Open the properties and add any users that need this right.
I hope I used the correct English translation.
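
An added example (not part of the original answer): a PowerShell check of which accounts currently hold "Log on as a batch job" on a machine, read from a `secedit /export` of the user rights. It also lists the deny counterpart, which overrides a grant; the export file name is an arbitrary choice.

```powershell
# Added example: audit who holds "Log on as a batch job" on this machine.
# Run from an elevated prompt; the export file name is an arbitrary choice.
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Privilege constants: allow and deny variants of the batch logon right.
$rights = 'SeBatchLogonRight', 'SeDenyBatchLogonRight'

foreach ($right in $rights) {
    $match = Select-String -Path $cfg -Pattern "^$right\s*=" | Select-Object -First 1
    if (-not $match) {
        Write-Output "${right}: (not assigned)"
        continue
    }
    # The value is a comma-separated list; SIDs are prefixed with '*'.
    $entries = ($match.Line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() }
    foreach ($entry in $entries) {
        $name = $entry
        if ($entry.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.Substring(1))
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $sid.Value }   # orphaned or unresolvable SID
        }
        Write-Output "${right}: $name"
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

On a domain member the effective assignment may come from a GPO, in which case a local edit is overwritten at the next policy refresh.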

Related

Windows Server 2012 GPOs AD SYSVOL version mismatch

I'm trying to block internet for a group of users by using a Firewall with Windows Server 2012 GPO. However, I keep running into the same problem over and over again:
When I make a GPO and use the Security Filtering to choose the user group and at the Delegation tab I put Authenticated Users to read only, after that I run the command 'gpupdate /force', and using 'gpresult /r' shows that the GPO has been Denied (Security) and I've got an AD SYSVOL Mismatch.
I've tried fixing the problem with help of Google: updating Windows Server, using 'Domain Computer', etc. But nothing helped. I've uploaded some pictures if that can help:
http://imgur.com/a/cGYN4
Thanks!
It was right to reduce "Authenticated users" to read and to not apply this GPO. But you have to give this "apply" right to your users group. As I can see on the screenshot, they only have read rights. They also need "apply policy" rights, which can be set under advanced permissions where you took the second screenshot.
About the AD SYSVOL mismatch: try to evaluate whether this solves your issue: https://support.microsoft.com/en-us/help/2866345/ad-sysvol-version-mismatch-message-is-displayed-unexpectedly-in-the-gr
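
An added example (not from the original thread): the same delegation check done with the GroupPolicy PowerShell module, listing every trustee on the GPO and granting the filtered group "apply" if it only has read. The GPO name and group name are hypothetical placeholders.

```powershell
# Added example: verify and fix security filtering on a GPO.
# Requires the GroupPolicy module (RSAT / domain controller).
Import-Module GroupPolicy

$gpoName = 'Block Internet'      # hypothetical GPO name
$group   = 'NoInternetUsers'     # hypothetical security group

# 1. Show every trustee and its permission level on the GPO.
#    Expect Authenticated Users = GpoRead and the target group = GpoApply.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# 2. Grant "Read + Apply group policy" to the target group if it is missing.
$perm = Get-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
            -ErrorAction SilentlyContinue
if ($null -eq $perm -or $perm.Permission -eq 'GpoRead') {
    Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
        -PermissionLevel GpoApply
}

# 3. Confirm the result before running gpupdate /force on a client.
Get-GPPermission -Name $gpoName -TargetName $group -TargetType Group
```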

Error Code 80070569 configuring Windows DCOM Identity with domain user

I have a COM application instantiated by a local Windows service with which I would like to gain access to a network share. To achieve this, I simply attempted to configure my COM server to run as a domain user with access to that share: I go to the 'dcomcnfg' console, locate my server under Console Root\Component Services\DCOM Config, right-click to 'Properties', go to the 'Identity' tab and specify the domain user for the "This user" option. When I do this on my own company network, it works beautifully. However, when a user tries it on their network, they get:
"Catalog Error
An error occurred while processing the last operation on the remote computer 'DOMAIN'.
Error code 80070569 - Logon failure: the user has not been granted the requested logon type at this computer."
where 'DOMAIN' is the name of the customer's domain. I'm presuming then that this is a problem with their domain policies, but network administration is not my area of expertise. Anybody have some idea what the problem might be so I can have a clue when I talk to their IT? Also, if anybody has an alternative approach, I'm open to suggestions. Thanks.

Visual SVN Server - service start logon failure due to disabled account

I'm working with Visual SVN Server. For some reason the service was stopped. When I tried to restart it, it failed due to logon error.
I found that the guy who set it up earlier has left the organization and his account on the server is disabled. SVN Server is using his account credentials to start the service and failing.
I need to change the authentication credentials, but I am not able to figure it out. Any ideas?
See the TechNet article "Configure How a Service Is Started" for detailed instructions:
Click Start, click in the Start Search box, type services.msc, and then press ENTER,
In the details pane, right-click the VisualSVN Server service, and then click Properties,
To specify the user account that the service can use to log on, click the Log On tab, and there you can specify the account.
VisualSVN Server works under the NETWORK SERVICE account by default; however, you can also run it under a dedicated account.
You may also want to check these articles if you will create a new service account:
"Permissions required to run VisualSVN Server",
"Configuring VisualSVN Server service to run under a dedicated user account".
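
An added example (not from the original answer): the Log On tab change scripted in PowerShell, preceded by a sweep for any other service still configured to start as the departed user's account. The account name and the display-name pattern are assumptions.

```powershell
# Added example: find services tied to a disabled account and re-point one.
# Run elevated. Names below are placeholders, not values from the thread.
$oldAccount = 'EXAMPLE\former.admin'   # hypothetical disabled account
$svcPattern = 'VisualSVN*'             # assumed service display-name pattern

# 1. Every service still configured to start as the old account.
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -eq $oldAccount } |
    Select-Object Name, DisplayName, StartName, State

# 2. Change the logon account of the matching service
#    (same setting as the Log On tab in services.msc).
$svc = Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -like $svcPattern } |
    Select-Object -First 1

if ($svc) {
    $cred   = Get-Credential -Message 'New service account'
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
        StartName     = $cred.UserName
        StartPassword = $cred.GetNetworkCredential().Password
    }
    if ($result.ReturnValue -eq 0) {
        Start-Service -Name $svc.Name
    } else {
        Write-Warning "Change failed with return code $($result.ReturnValue)"
    }
}
```

Unlike the Services snap-in, this call does not grant the new account the "Log on as a service" right, so assign that separately if the account does not already hold it.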

Issues remoting to perfmon

Hey all,
I'm having trouble with PerfMon on one system out of fifteen in a development environment. Accessing it from the local machine is fine but connecting to it remotely throws a "Cannot connect" error.
Each machine is running Win 2003, is connected to the same domain and I have admin rights to all.
There were some services set to disabled which are normally enabled by default so I've set these to match the other machines on the network - still have the same problem.
Any ideas?
Cheers
**Update**
Ok - I found it was the remote registry service not running correctly causing the above error; once that was enabled, Perfmon is now telling me "No such interface supported".
If I connect through Computer Management, it fails the first time, but the second attempt is successful. Connecting through perfmon fails every time.
Fixed - for anyone that runs into this issue, hopefully this can help you.
Enabling Remote Registry fixed my first problem.
The second issue, "No such interface supported" turned out to be permissions issues within the registry. Apparently the machine had some pretty obscure permissions set to specific registry keys a long time ago, which are now irrelevant.
Resetting permissions with secedit fixed it up -
secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose
Perfmon counters are now accessible remotely.
We encountered the second issue - "No such interface supported" when attempting to "Connect to another computer" in Performance monitor.
All the rules and services are running.
We found the following:
If the user was added to the local admin group, they were able to connect to another computer (irrespective of belonging to the Performance Monitor group).
If the user was not a local admin and in the performance monitor group - we were unable to connect to another computer via the "Connect to another computer" context menu.
But we were able to add the performance counters. In Performance monitor when you add a counter there is an option to "Select counters from computer". We were able to connect to the counters on the remote machine this way. Also note that if you are planning on data collecting, you would need to set the correct credentials (by default it appears to run under a local system user).
I fixed my case as follows:
Add Firewall rule Performance Logs and Alerts from the predefined rule list.
From client, run the Performance Monitor as the remote user
Eg: runas /user:remote_machine\username "mmc perfmon.msc"
Of course, the user must be at least in the user groups "Performance Log users" or "Performance Monitor Users".
The reason why perfmon.exe does not want to connect to the remote server is that it wants to connect to the Perf Monitor and the Perf Logs (Data collections).
So you have to add the user account also to the Log User group and of course to the Monitor Users.
You don't need to be local admin on the remote server!

How to run a command on a remote Windows system as a non-admin user with WMI?

I have a script written in Visual Basic that starts a process (given to the script as an argument) on a remote system (again, given as an argument) using WMI. This script works fine when using an Administrator account on the remote system, but when using a non-administrator account, I get the following error:
ConnectServer Failed w/ (-2147024891) Access is denied.
I'd like to be able to run processes on remote systems as a non-administrator user with this script, and I'm pretty sure the problem is due to security settings on the remote system, but I've not been able to reset the right ones.
It sounds like you need to configure launch and activation permissions for this user, on the target machine, via DCOMCNFG. By default, non-admin users do not have remote launch and activation permissions.
Alternatively, depending on the operating system you are connecting to, there may be a "Distributed COM Users" group to which you can add your user. This group already has the appropriate permissions. The Distributed COM Users group was first included in Windows Server 2003 Service Pack 1 (DCOM Security Enhancements).
You can read more about WMI and DCOM permissions here. More detailed steps on how to configure WMI and DCOM are included in the serverfault thread Which permissions/rights does a user need to have WMI access on remote machines?.
