I have a Windows Server 2012 and a Windows 7 client.
I'd like to run psexec on my Windows client to execute a .bat file on my server:
psexec /accepteula \\MyServer -u MyUser -p Mypass -d -i "C:/test.bat"
The command returns:
Acces denied.
When I log into my client with domain user, the command runs and not fail.
But I like to run it with a local (non-domain) user.
I know that this is a very old question, but the answers to it are just so incredibly incomplete and it is a top search result.
So, there are a few prerequisites for PSEXEC to work against a machine. Mainly, these are..
On a non-domain join computer, you must have a local admin user. You will use that username when connecting to the machine via psexec.
If the computer is domain joined, then you will want to use either a local administrator on the target machine or a domain administrator account.
The machine must have the administrative share open on the computer and the user you are connecting as must have permissions to the share. (Administrators)
You must have certain firewall rules in place. (Again, something that is normally turned on on a domain join.)
It's pretty common that, even on domain joined machines, there are issues with the domain machine's admin shares or issues where sharing isn't working. In windows Vista and above, a common cause is that there were some additional security/filtering measures introduced and certain registry keys didn't get switched on/added when the computer was domain-joined. You can see how to fix that issue here: https://support.microsoft.com/en-us/help/947232/error-message-when-you-try-to-access-an-administrative-share-on-a-wind
The other issue that tends to crop up a lot is the one where firewall rules need to be added. The particular rule you would set to "Allow" in the windows firewall is "Remote Service Management".
To both add that registry key and add the firewall rules, you can run the following commands.
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
netsh advfirewall firewall add rule name="PSExec TCP" dir=in action=allow protocol=TCP localport=445
netsh advfirewall firewall add rule name="PSExec UDP" dir=in action=allow protocol=UDP localport=137
If you are going to login to your computer with a local account even though the computer is joined to the domain (I don't know why you want to do that), and you are trying to run a command on the server that is joined to the domain, you should make sure you are using the correct username and password for the domain user on the server.
Try this -
psexec /accepteula \\server -u domain\username -p passwd -e "C:\test.bat"
Make sure that the domain user account you are using to run test.bat on the server has the correct security rights to run the file on the server.
In the event you are running C:\test.bat as a local user the domain would be the name of the computer that has the local user you are using on it.
The account that PSexec is running as needs to exist on the server. If you want to run the command as a local account on a domain-joined server, you need to create a local account on the domain-joined server with the same username and password as the one on your workstation.
If you just want to run the command from your (non-domain-joined?) workstation, you should do what user5870571 suggested.
