Scheduled task not able to write files on an external server - Windows

I'm having problems with a scheduled task running on a Windows 2003 server.
The task is running under the NT AUTHORITY\SYSTEM account, sending files to another Windows 2003 server in the same domain.
The machine where the task is executed runs under a domain account with limited permissions in the domain and on the machine.
The folder where files are sent on the remote server has been configured granting total rights to SYSTEM and the user which
The problem happens when the scheduled task is trying to write the file on the remote server; the task returns an exception like "Access denied to path ...."
Which user does the remote server see running the external scheduled task?
Which permissions should I grant on the remote folder?
Thanks in advance
Fernando

A Scheduled Task running as the System user will not have access to another machine on the network. When it runs it is the same as if you were to logon to the local machine instead of the network. You will need to run the task as a special network user or store the file on the machine running the task for another process to pick up later.

A process run under Local System account doesn't have permissions to access other computers' resources. A typical solution is to create a separate domain user exactly for running the tasks and run the task under this user.

Besides the mentioned solution of creating a domain user to run under, if you just need anonymous network access or "domain member" network access, you can also run as Network Service which as a positive side has almost no rights on the local computer (unlike Local System which is even more powerful than Administrator).
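As an added example (not code from the thread), this is how the dedicated-account approach from the answers above is set up with PowerShell: the receiving folder grants rights to the task account only, and the task is registered to run as that account instead of SYSTEM. It assumes both hosts have the ScheduledTasks module and icacls (Windows Server 2012 or later); CORP\svc-filecopy, FILESRV, SENDSRV and C:\Scripts\Send-Files.ps1 are placeholders.

```powershell
# Added example, not from the original thread. Placeholders: CORP\svc-filecopy
# (task account), FILESRV (receiving server), SENDSRV (task host), C:\Scripts\Send-Files.ps1.
$svc = 'CORP\svc-filecopy'

# --- On the receiving server (FILESRV): share + NTFS rights for the task account only.
# Share-level permission: the task account needs Change; nothing else needs to change.
net share Drop=D:\Drop "/GRANT:$svc,CHANGE"
# NTFS: Modify on the folder and everything created inside it, (OI)(CI) = inherited.
# Granting SYSTEM on the remote folder does not help, because the identity that writes
# is whatever the task runs as on the sending server, not the remote machine's SYSTEM.
icacls D:\Drop /grant "${svc}:(OI)(CI)M"

# --- On the sending server (SENDSRV): register the task under the dedicated account.
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -NonInteractive -File C:\Scripts\Send-Files.ps1'
$trigger = New-ScheduledTaskTrigger -Daily -At 02:00
# Prompt for the password at registration time so it is never written into a script file.
$cred = Get-Credential -UserName $svc -Message 'Password for the task account'
Register-ScheduledTask -TaskName 'Send files to FILESRV' -Action $action -Trigger $trigger `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password -RunLevel Limited

# Alternative from the last answer: NETWORK SERVICE. On a domain-joined host it reaches
# FILESRV as the computer account, so the grants above would then name CORP\SENDSRV$
# instead of $svc, and no password is stored anywhere.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\NETWORK SERVICE' `
    -LogonType ServiceAccount
# Register-ScheduledTask -TaskName 'Send files to FILESRV' -Action $action `
#     -Trigger $trigger -Principal $principal
```

To confirm which account the remote server actually sees, have the task write `whoami` output into the share once; the name in that file is the one the folder ACL must list.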

Related

Ansible: I'm unable to connect to a windows server using a non-local Administrator account

I have a requirement to collect windows facts via ansible. By passing the local Administrator account credentials with Ansible, this works with no issues. If I add my own windows account to the local Admin group, this also works.
The problem starts when I need to connect to a Windows server with a non-local admin account (an AD account with Administrator privileges). win_ping fails no matter what I try to make it work.
The Ansible documentation seems to suggest you have to be a local admin or a member of the local admin group.
https://docs.ansible.com/ansible/latest/user_guide/windows_setup.html#http-401-credentials-rejected
This section:
Ensure that the user is a member of the local Administrators group or has been explicitly granted access (a connection test with the winrs command can be used to rule this out).
And they give us this workaround:
https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html#non-administrator-accounts
Non-Administrator Accounts
WinRM is configured by default to only allow connections from accounts in the local Administrators group. This can be changed by running:
winrm configSDDL default
This will display an ACL editor, where new users or groups may be added. To run commands over WinRM, users and groups must have at least the Read and Execute permissions enabled.
While non-administrative accounts can be used with WinRM, most typical server administration tasks require some level of administrative access, so the utility is usually limited.
But even after adding the remote AD account in the ACL editor and giving access to everything, I still get the same error.
"msg": "ssl: the specified credentials were rejected by the server",
Has anyone got this working with an AD account? Any pointers would be very welcome.
Currently, it looks like I need to have a local account with administrator privileges on every Windows server I want to run Ansible on. I'm hoping this is not the case.
Thanks

Start Process within Windows Container as a domain user

I have a Windows 2019 container started with a valid CredentialSpec from a valid working gMSA account. It currently hosts a .NET 4.x application on IIS with Windows Authentication working just great. I can also execute nltest commands successfully and communicate to the domain controller.
I want to run a Job or Process as a domain user (MyDomain\UserABC). All of my attempts have failed:
Execute start-process with a credential object errors out with:
The security database on the server does not have a computer account for this workstation trust relationship.
Using a scheduled job as NT AUTHORITY\NetworkService fails to access the web because it is not using the gMSA credentials but the Network Service credentials.
Create a scheduled job with a Domain User results in the same error as above:
The security database on the server does not have a computer account for this workstation trust relationship.
Any other ideas?
Sounds like cached credentials. Maybe you can take a look at this link:
Site single Domain

How do I run a batch script as administrator from Bamboo?

There is an option to configure a script to run as part of a plan for Bamboo. However, when I try to run a particular batch script, it fails. When I run it as the Administrator user from the remote desktop instance, it does not fail. I am assuming that the issue is that the script is not being run as an administrator, but as the Bamboo user. Is there a way to run a particular batch script as an administrator? I am using an elastic EC2 instance from AWS with Windows Server 2008 R2.
Here is my current setup:
By the way, this is part of an alternative attempt at this question: Boot EBS volume from Bamboo instance
I have not used Bamboo, but to allow a Windows service to run commands as an administrator, first the service itself must have administrator privileges. Otherwise, it will be denied. Change the service user in the Windows services control panel. These are the generic instructions on how to change the service user:
Run services.msc
Find the target service
Open the properties for the service
Select the Log On tab
Select Use this account and enter an account on the server that has administrator privileges
Restart the service

Scheduled Task for script vs Direct Execute: issues

I have a VBscript file which connects to remote computers over our network and initiates a WBEM-Scripting method. I can open a CMD console using the credentials for a domain user account which has local admin rights on all of our desktop computers, and the script performs as desired.
I created a scheduled task on a Windows Server 2003 member server which runs the same script file using the same credentials, but it fails to connect to the WMI provider on remote computers.
The desktops are all Windows 7 SP1 and the domain is Windows Server 2008 level (forest and domain).
The domain user account was added to the local administrators group on the server, and was granted "Logon as a service" rights via Group Policy.
Question: Is there something else I'm missing that could be causing the scheduled task to fail while the interactive execution works fine?
I've had this same problem happening (scripts do not run as scheduled tasks, but executable files do). You can get around this by doing the following:
There is a Start in (Optional) text box below the Program/Script text box on the property page for the Actions tab. Fill it in with the path of your script. So if your script is at c:\users\user\desktop\script.vbs, the text boxes will look like this:
Program/Script: c:\users\user\desktop\script.vbs
Add Arguments (Optional):
Start in (Optional): c:\users\user\desktop
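The same "Start in" fix, scripted with PowerShell as an added example (not from the thread): the task calls the script host explicitly, sets the working directory, runs under the domain account as a batch logon, and then reads back the last result so a failure can be told apart from an access-denied. It assumes a task host with the ScheduledTasks module (Windows Server 2012 or later); C:\Scripts\Invoke-Wbem.vbs and CORP\svc-wmi are placeholders.

```powershell
# Added example, not from the original thread. Placeholders: C:\Scripts\Invoke-Wbem.vbs
# (the VBScript) and CORP\svc-wmi (the domain account with local admin on the desktops).
$scriptPath = 'C:\Scripts\Invoke-Wbem.vbs'

# Run cscript.exe explicitly rather than relying on the .vbs file association, and set
# -WorkingDirectory: that is the "Start in (Optional)" box from the answer above. Without
# it, relative paths inside the script resolve against %SystemRoot%\System32.
$action = New-ScheduledTaskAction -Execute 'cscript.exe' `
    -Argument "//NoLogo //B `"$scriptPath`"" `
    -WorkingDirectory (Split-Path $scriptPath -Parent)
$trigger = New-ScheduledTaskTrigger -Daily -At 03:00

# Supplying a password registers the task to run whether the user is logged on or not,
# i.e. a batch logon, which is the real difference from the working CMD console
# (that one is an interactive logon).
$cred = Get-Credential -UserName 'CORP\svc-wmi' -Message 'Task account password'
Register-ScheduledTask -TaskName 'Remote WBEM run' -Action $action -Trigger $trigger `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password

# Kick it off once and read the result: 0 is success; 2147942405 (0x80070005) is
# E_ACCESSDENIED, which points at rights rather than at the script's own logic.
Start-ScheduledTask -TaskName 'Remote WBEM run'
Start-Sleep -Seconds 15
Get-ScheduledTaskInfo -TaskName 'Remote WBEM run' |
    Select-Object TaskName, LastRunTime, LastTaskResult
```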

How to run a command on a remote Windows system as a non-admin user with WMI?

I have a script written in Visual Basic that starts a process (given to the script as an argument) on a remote system (again, given as an argument) using WMI. This script works fine when using an Administrator account on the remote system, but when using a non-administrator account, I get the following error:
ConnectServer Failed w/ (-2147024891) Access is denied.
I'd like to be able to run processes on remote systems as a non-administrator user with this script, and I'm pretty sure the problem is due to security settings on the remote system, but I've not been able to reset the right ones.
It sounds like you need to configure launch and activation permissions for this user, on the target machine, via DCOMCNFG. By default non-admin users do not have remote launch and activation permissions.
Alternatively, depending on the operating system you are connecting to, there may be a "Distributed COM Users" group to which you can add your user. This group already has the appropriate permissions. The Distributed COM Users group was first included in Windows Server 2003 Service Pack 1 (DCOM Security Enhancements).
You can read more about WMI and DCOM permissions here. More detailed steps on how to configure WMI and DCOM are included in the serverfault thread Which permissions/rights does a user need to have WMI access on remote machines?.
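As an added example (not code from the thread), the grant the answer describes, done from PowerShell on the target machine and then tested from another host: membership in Distributed COM Users supplies the remote launch/activation permissions, the namespace ACL is dumped as SDDL for review, and the final call is the same ConnectServer path the VB script takes. It assumes PowerShell 5.1 (for Add-LocalGroupMember); CORP\svc-wmi and WS01 are placeholders.

```powershell
# Added example, not from the original thread. Run steps 1 and 2 on the target machine
# as an administrator. Placeholders: CORP\svc-wmi (non-admin account), WS01 (target).
$account = 'CORP\svc-wmi'

# 1. DCOM: the built-in group already carries Remote Launch and Remote Activation,
#    so adding the account here replaces the manual DCOMCNFG edit.
Add-LocalGroupMember -Group 'Distributed COM Users' -Member $account

# 2. WMI namespace: DCOM rights alone are not enough; the account also needs
#    "Remote Enable" on the namespace the script uses (set in wmimgmt.msc). Dump the
#    current descriptor of root\cimv2 as SDDL so the grant can be reviewed and audited.
$sd = (Invoke-WmiMethod -Namespace 'root\cimv2' -Path '__SystemSecurity=@' `
        -Name GetSecurityDescriptor).Descriptor
(Invoke-WmiMethod -Class Win32_SecurityDescriptorHelper -Name Win32SDToSDDL `
        -ArgumentList $sd).SDDL

# 3. From another host, test with the non-admin credentials. This performs the same
#    ConnectServer step as the VB script, so a missing permission shows up as
#    "Access is denied" (-2147024891, i.e. 0x80070005) here too.
$cred = Get-Credential -UserName $account -Message 'Non-admin test account'
Get-WmiObject -Namespace 'root\cimv2' -Class Win32_OperatingSystem `
    -ComputerName 'WS01' -Credential $cred |
    Select-Object CSName, LastBootUpTime
```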
