DennisPost

Exec batch with "Run as" from VB to open .vbs on remote server to open an .exe with the right security context

Hi,

I need to run an .exe on a remote server. The server is in another domain. I connect to the server via VPN.

My VB app can call the .exe but uses the wrong/invalid security context.
I have been trying to use "Run as" on a batch, to then start the vbscript.

I am also having trouble with the script itself. When I run it with the right user account by double-clicking it, it returns:
Script : E:\Program Files\Exact\ImportScript.vbs
Line : 6
Char : 5
Error : Path not found
Code : 800A004C
Source : Microsoft VBScript runtime error

Here is the Script:
Dim FileToOpen, Cmd1, DBName, Filename
FileToOpen="E:\ExactSoftware\Interface\App\ImportInfo.txt"
Set FSO = CreateObject("Scripting.FileSystemObject")
    Set myfile = fso.OpenTextFile(FileToOpen, 1)
    DBName = myfile.ReadLine
    Filename = myfile.ReadLine
  myfile.Close
  cmd1 ="C:\Program Files\Exact Software\bin\asimport -r192.168.10.110 -D" & DBName & " -u -~ I -URL" & Filename & " -Tglentries -Oauto"
  Set objShell = CreateObject("WScript.Shell")
  objShell.Run cmd1, 1, True

Here is the batch:
vbscript //nologo \\192.168.10.110\App\Export.vbs
????

Here is the Run as code:
Dim objShell: Set objShell = CreateObject("WScript.Shell")
Dim objFSO: Set objFSO = CreateObject("Scripting.FileSystemObject")
strUser = "Domain\Username"
strPass = "Password"
'sCmd = "\\192.168.10.110\App\RunImportScript.bat"
strRA = objShell.ExpandEnvironmentStrings("%systemroot%") & "\system32\runas.exe"
strRslt = objShell.Run(strRA & " /user:" & strUser & " " & Chr(34) & strCmd & Chr(34))
wscript.sleep 2000
objShell.AppActivate strRA
objShell.SendKeys strPass & "~"
Set objShell = Nothing
Set objFSO = Nothing

Hope someone can help.
Zvonko

The drive letter E: is surely not a local harddisk but some file share directory.
Change that path to UNC path.
Like this:
FileToOpen="\\192.168.10.110\App\ExactSoftware\Interface\App\ImportInfo.txt"

In the example above, 192.168.10.110\App is the file share mount point, as you can see it in File Explorer where that share is mounted as drive E:

I agree.  With the drive letter E, as a mapped drive, that is only mapped as a connection for the current user profile....as soon as you use RunAs to run under another account, the profile is changed, and you no longer have the mapping to drive E, so a UNC path will be required.

Hope that helps,

Regards,

Rob.

ASKER

Hi guys,
Thanks for your comments.

Yep, changed the e: to unc, now the script is working.
The "Run as" business isn't working. It doesn't seem to be sending the password to the window.
If I have break points set in vb, then the password shows up on the break point line.

Also I ran the script directly through an RDP session and got a permission denied error.
"Everyone" has read & exec, no denies in the list.

The question is why you try to change the userid at all?
Your script does run on the local machine and will run on the local machine. Regardless of how many scripts you use to call the next script, and regardless of where the scripts are loaded from, the loading is only a file fetch. The execution environment is your local machine. Why do you then change the userid?
And most problems come from SendKeys.
You cannot ensure which window has the focus at that moment and receives the SendKeys stream.


If you really need to run the batch from that remote server with another userid (it runs on the local machine), then the directory containing the batch also needs to be released as a file share. Read this article: http://support.microsoft.com/kb/303308/en

Check also what profile and environment you need for running the script by testing the /profile and /env switches of runas.exe

And the most important question: is your local Service "Secondary Logon" running?

Hi Zvonko,

Here's a bit of background so you can understand the situation a bit better.

We have in-house production software that communicates with Exact (Financial Software).
Here in my office we use a Windows domain, which is necessary for Exact to function.
2 sister offices want to use our software, but do not use a Windows domain.
They will be using Exact. To use Exact, the user first opens a VPN connection to the server, then starts an RDP session to the Terminal Server, which is in a Windows domain.
I am hoping to run the batch as a user of that domain.

If errors occur during the importing process then Exact generates an XML file in the users "My Documents" folder on the TS Server. Our software then has to read this XML file and reset any invoices so that they can be exported again the next time. Without this step, we would have financial chaos, not knowing which invoice should be paid or collected....

My deadline is September 1st. That's when they want to go live.......
I only found out about this issue last week. (Amongst a number of other surprises.....) :-(
I am unfamiliar with the /profile & /env switches.
How can I check if the local service is using secondary logon?

Now I see better what you are doing.
If you want to prepare the solution for remote users using the Terminal Server for running the application, then it is best that you also use the Terminal Server for your tests. Then you also need no user switching, because the user context is given by the Terminal Server client session.

The Service to allow runas.exe to be used can be seen in SystemSettings->Administration.->Services
Look under the Services listing for a Service with the name "Secondary Logon"
That SecondaryLogon service has to be running to be able to use the runas.exe program.
If the userid switching is required on the remote server, then the machine where runas.exe is executed needs the SecondaryLogon service to be running. But do not confuse the exe file location and the machine where it is executed. You can call runas.exe from the file share on the remote server, but because you are calling it without a Terminal Server session, it is executed in your local session and therefore executed locally.

ASKER CERTIFIED SOLUTION
RobSampson

This solution is only available to members.

:-) I'll give it a go rob and get back to you.
Sorry for the delay guys.

The finance guys have decided to implement this 1st Jan next year. I have had to work on other higher priority things. Will continue this question asap.

Maybe one of you guys knows something about foreign language input?
https://www.experts-exchange.com/questions/22769251/VB6-Multi-language-input-Czech-Hungerian-English-French.html
Okay guys, thanks for waiting and again, sorry for the long delay.

Zvonko,
The Secondary Logon service is running on the server.
All attempts to use "Run as" in a batch failed.
see https://www.experts-exchange.com/questions/22773397/Export-file-via-VB6-to-Terminal-Server.html

Rob,
This line >>PSExecPath = FSO.GetFile(PSExecPath).ShortPath
gives me runtime error 53 "File not found"

and this line >> wscript.Sleep 100 'need to give time for window to open.
gives me runtime error 424 "Object required"

When I quote these 2 troublesome lines away the code runs without errors but also without results.
If I set a break point, then double-click the .vbs or .bat file in the rdp session, both work fine.

Cheers guys
btw when I run this in cmd prompt
"
C:\WINDOWS\system32>PSExec.exe \\192.168.10.110 \\192.168.10.110\ExportShare\Export.vbs
-accepteula -e -u <domain>\<user> -p <pword>
"

I get an access denied error.
The same applies if I change the export.vbs to runimportscript.bat
This time, sorry for my delay in getting back to you, but firstly, the WScript.Sleep line giving you
"Object required" error....
How are you running this code?  It should work fine from a VBS file, run with Windows Scripting Host 5.6.

But anyway, I guess we should get it working straight from the command line first, try this:
C:\WINDOWS\system32>PSExec.exe \\192.168.10.110 cmd /c wscript \\192.168.10.110\ExportShare\Export.vbs -accepteula -e -u <domain>\<user> -p <pword>

and see if that works.

Regards,

Rob.
WScript.Sleep is running in a VB 6 Module Sub. Do I need to reference anything in particular to get this working?
Windows Script Host Object Model (wshom.ocx) ?

When I run

C:\WINDOWS\system32>PSExec.exe \\192.168.10.110 wscript \\192.168.10.110\ExportShare\Export.vbs -accepteula -e -u <domain>\<user> -p <pword>
"
from the command prompt. (Note no cmd /c) I get an Access Denied error.
Could it be that there are some GPO settings that are blocking this?
Remember, I can double-click the files when I am logged onto the RDP session.

Cheers,
Dennis
OK, so from VB6, you would need to add a reference to the Microsoft Scripting Runtime Library.
Also, from the command line, try putting the flags at the start of the command.
PSExec.exe -accepteula -e -u <domain>\<user> -p <pword> \\192.168.10.110 wscript \\192.168.10.110\ExportShare\Export.vbs

And also make sure you are using a user account that has administrative rights over your PC.  PSExec needs that to connect....

Regards,

Rob.
No go.
Still getting an access denied error. What permissions must I have on the remote machine to do this?
I am an Administrator of my machine here.

>And also make sure you are using a user account that has administrative rights over your PC.  PSExec needs that to connect....
This is a problem. None of the users have administrators access on their computers.

Maybe we are going about this the wrong way.
How about 2 scheduled batches.
The user clicks the export button in the vb app.
The files are copied to the right locations on the server.
The server has a scheduled batch to import the data then copies the XML file (List of invoices that couldn't be imported) to a location.
The local server (With the vb app database) runs another scheduled batch to look if any invoices didn't make it. If invoices are found, then they must be reset to be exported again the next time. (This step might have to be done manually in the vb app.)

What do you reckon?
Hmmm, I don't know about that....seems a little long winded....if you have the VBS files set up already, it would be best to call it all from one location....

With PSExec.....I have gathered that your server is at 192.168.10.110
and it has a shared folder called ExportShare

That's fine, but....the username and password that you define with
-u <domain>\<user> -p <pword>

must have Administrative rights on that server (so must be a member of that server's local Administrators group, which could be a domain admin)

Let me know if you are using the username and password of an account that has admin rights to that server....

Regards,

Rob.
The user account I have been using is NOT an administrator.
I will discuss this with the server operator. Maybe he can make a special account for Exporting/Importing purposes.

Will get back to you soonest.

Thanks for all the help so far mate.
Yeah, I haven't explored the security rights of PSExec too far, so you may get away with a Power User privilege, but I've always used an Administrative account.

Let me know what you can do...

Regards,

Rob.
I'll try power user first, with the right Exact account & SQL permissions.
That should make the server and domain admins feel a little easier....

cheers
Sorry it's taking so long guys.
I'm jumping between crisis and security issues and back again.
I'll get back to you guys soonest.
No problem, take your time....we'll always get the emails when you write back....

Regards,

Rob.
hi I'm back ! And happy ! :-)
I got it working ! We nearly had it last time.

The user I now tried has administrators rights and the necessary rights in Exact to be able to import XML files. That was all that was needed. Unfortunately

Thanks Rob! You are my hero!

Here are all the steps involved to get this connection running.
Set file locations for:
     XML file to be exported (Local)
     To be imported XML location (Remote)
     The text file with the to be imported XML file name and location + database nr (Remote)
     The XML folder location for invoices that failed the import process (MyDocuments, SHARED, Remote)
Generate the XML file to be exported
Generate the text file with the to be exported file name/location & database nr.
Initiate the Import module of Exact (See attached snippet)
Copy the XML with the list of failed invoices to local folder
Stream through the XML file with failed invoices looking for the invoice number.
Use the invoice number to reset the invoice in local database so that it can be exported again next time.

And hey presto, it works!

Now I just have to get bogged down in financial laws for both Belgium & Czech Republic and configure Exact accordingly then make my program dynamic enough to handle 4 different offices......
No wait... I have a better idea. Get the accounts to do all that. :-)

LOL! Nice.

Well done!  And just as well, because I'm not available for a few weeks now!

See you in the new year!

Rob.
Hmmm things are getting strange.......
It works so well now that it'll work with any username and password or even no username & password.

C:\Windows\System32\PSExec.exe \\192.168.10.111 wscript \\192.168.10.111\Export$\Export.vbs -accepteula -e -u 666666666666666 -p 9999999999999999999999

This code works even though the user doesn't exist. ?!?!?!?

PSExec seems to have locked the credentials or is using the system account.
The import results in Exact shows that it worked.
Hi,

Hope you guys are still monitoring this question.

PSExec is not working as expected.
Invoices are being imported as expected but the XML with failed invoices isn't being saved in the right place.
For some reason it is saving it in the my documents folder of "Default User". Instead of the my documents folder of the user used with PSExec.
Also it doesn't matter which username I use PSExec with. ?!?!?!?

I have an open question about this:
https://www.experts-exchange.com/questions/22977552/PSExec-runs-with-any-or-no-credentials-after-running-once.html
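
Added illustration, not part of the original thread: PsExec's usage is `psexec [\\computer] [options] cmd [arguments]`, so switches written after the program name are handed to the remote program instead of being parsed by PsExec. The Python sketch below is a simplified model of that rule, applied to the two command shapes quoted in the thread; the function names and switch lists are assumptions of this example, and the sample command lines are constructed with the thread's own placeholders.

```python
import shlex

# Simplified model of "psexec [\\computer] [options] cmd [arguments]".
# Assumption: only these switches are modelled; VALUE_OPTS consume one value.
VALUE_OPTS = {"-u", "-p", "-w", "-n", "-r", "-a"}
FLAG_OPTS = {"-accepteula", "-e", "-s", "-h", "-l", "-d", "-i", "-x"}

# Constructed samples: switches after the program vs. switches before it.
TRAILING = (r"PSExec.exe \\192.168.10.111 wscript \\192.168.10.111\Export$\Export.vbs"
            r" -accepteula -e -u <domain>\<user> -p <pword>")
LEADING = (r"PSExec.exe -accepteula -e -u <domain>\<user> -p <pword>"
           r" \\192.168.10.110 wscript \\192.168.10.110\ExportShare\Export.vbs")


def split_psexec(cmdline):
    """Return (psexec_options, targets, remote_command) for a command line."""
    tokens = shlex.split(cmdline, posix=False)[1:]  # drop the PsExec.exe token
    options, targets = {}, []
    i = 0
    while i < len(tokens):
        tok, low = tokens[i], tokens[i].lower()
        if low in VALUE_OPTS and i + 1 < len(tokens):
            options[low] = tokens[i + 1]
            i += 2
        elif low in FLAG_OPTS:
            options[low] = True
            i += 1
        elif tok.startswith("\\\\") and not targets:
            targets.append(tok)
            i += 1
        else:
            break  # first other token is the program; the rest is its arguments
    return options, targets, tokens[i:]


def misplaced_switches(cmdline):
    """PsExec-looking switches that end up in the remote program's arguments."""
    _, _, remote = split_psexec(cmdline)
    known = VALUE_OPTS | FLAG_OPTS
    return [t for t in remote[1:] if t.lower() in known]


if __name__ == "__main__":
    for label, line in (("trailing", TRAILING), ("leading", LEADING)):
        opts, _, remote = split_psexec(line)
        print(label, "-> account:", opts.get("-u", "(caller's own logon)"),
              "| remote program:", remote[0],
              "| misplaced:", misplaced_switches(line))
```

In the trailing form no `-u`/`-p` reaches PsExec at all, so the value typed after `-u` is never used as a credential; running such a check over scheduled or scripted PsExec command lines catches jobs that are silently running under the caller's own logon.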