PsExec and Windows 2008 R2: 'Access is Denied'

Question

Here's my scenario:

I'm attempting to remotely start & stop IIS 7.0 sites on my server from my local machine, using PsExec.

Some important points:

• Local machine runs Windows Vista.
• Server runs Windows 2008 R2.
• Each machine runs on different domains.
• There is a one-way trust from my local machine's domain to my server's domain.
• PsExec is using a domain administrator account, who is authenticated as a local admin on the server machine.
• The local machine references the server via an alias; it does not use the server's real name.

I am using the command:

"C:\Program Files\PSTools\psexec.exe" \\(server-alias) -u (server-domain)\(domain-admin) -p (password) C:\Windows\System32\inetsrv\appcmd.exe stop site "Default Web Site"

This returns the error:

PsExec v1.94 - Execute processes remotely
Copyright (C) 2001-2008 Mark Russinovich
Sysinternals - www.sysinternals.com
Could not start PsExec service on (server-alias):
Access is denied.

And some important troubleshooting notes:

• This command works when executed from another machine (Windows 2003 R2) in the server's domain. (Intra-domain)
• This command also works when executed against another machine running Windows 2003 R2 from my local machine; the two of which are in different domains. (Inter-domain)
• Using the same PsExec command except with ping instead of appcmd.exe fails.
• The command has been run from the command prompt using "Run as Administrator".
• Registry key DisableStrictNameChecking has been set on the server to allow aliases to be used.
• Registry key LocalAccountTokenFilterPolicy = 1 has been set on the server and local machine.
• Windows firewall is not running on the server.
• UAC is disabled on the local machine.
• UAC is active on the server.
• UAC has "Admin Approval mode" disabled on the server; this allowed the command to work intra-domain (as opposed to inter-domain).

It seems to signal that this is an issue specific to Windows 2008 R2 which is security setting related, probably along the lines of domain or administrative permissions. However, I'm out of ideas. Any suggestions you might have would be much appreciated!

Answer 1

It took me hours to find a working way to PsExec between 2 Windows 7 Computers with non-Admin user starting PsExec ... Disabling UAC (EnableLUA=0, ConsentPromptBehaviorAdmin=0, LocalAccountTokenFilterPolicy=1) did not work, turning off the Firewalls did not work...

Here i found the working way - thanks JelmerS: (Info from PSexec is not connecting to machine using supplied username and password)

This is because psexec still tries to access the ADMIN$ share with your local credentials, before executing your command as another user. According to this thread, you can cache credentials before executing psexec: cmdkey.exe /add:MACHINE_NAME_HERE /user:MACHINE_NAME_HERE\Administrator /pass:PASSWORD_HERE psexec.exe \MACHINE_NAME_HERE -i notepad cmdkey.exe /delete:MACHINE_NAME_HERE

Best regards, Peter

Answer 2

Are you running PSEXEC from an elevated command prompt on your vista workstation? Have you set LocalAccountTokenFilterPolicy=1? See FAQ: Common PSTools Issues

Answer 3

I don't have a similar environment to test from, but what I can recommend is this: On the client domain, set up batch scripts (.bat), one for each website you want restarted. (I will be calling them "restart_site-sitename.bat".) Create one for each domain and save them all to a directory on a management server in that domain (where I put my sysad tools, where I can manage everything in case something happens to my laptop), including PSExec in that directory.

psexec.exe \\(server-alias) C:\Windows\System32\inetsrv\appcmd.exe stop site "WebsiteName"

Now try to run psexec to that management server, calling one of those batch files instead.

"C:\Program Files\PSTools\psexec.exe" \\(server-alias) -u (server-domain)\(domain-admin) -p (password) C:path\to\psexec_and_scripts\restart_site-sitename.bat"