  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 946

AT command using computername

Trying to schedule AT across different workgroups and domains, using

AT \\servername 19:20 \\fileservername\share\aprogram.exe

And just can't get it working. AT on the same machine works fine, but as soon as \\servername is used, it fails each time. In the event log it says

"The At3.job command failed to start due to the following error:
General access denied error  " - Event ID 7901. All the boxes I'm trying are 2000 and XP.

Thanks
0
Asked by: xassets
 
xassets (Author) Commented:
By the way, I've also discovered that this also happens within the same domain/network
0
 
MSGeek Commented:
AT command is local only.

You could use the PSexec command with your local scheduler to accomplish this: http://www.sysinternals.com/ntw2k/freeware/psexec.shtml
0
 
xassets (Author) Commented:
psexec seems to have the same problems. These computers have full rights to each other. In the workgroup example they all have the same administrator password and can do things like access files, remote registry etc.

psexec also has the problem of transmitting administrator passwords in clear text. I'm not sure our clients would like that.

0

 
MSGeek Commented:
You would need to enable the guest account on both computers and make sure the administrator accounts of all machines were named identically and had the same password.
0
 
nick_s Commented:
Why don't you use Windows Scheduler instead of AT?

Nick
0
 
xassets (Author) Commented:
Nick - Windows Scheduler doesn't seem to allow scheduling on another machine. Do you know different?

MSGeek - Enabling guest is not an option for our clients. The at script may be fired against hundreds or thousands of secure servers but the source computer would have administrator privileges.

Anyone got any ideas how to run an exe (which doesn't need installation) off lots of computers? The computers don't generally get rebooted, so registry-run and logon scripts are not an option. It seems that all such loopholes have been closed to stop viruses. I've tried things like createobject("wscript.shell", computername) in vbs but no luck.

Thanks


0
 
MSGeek Commented:
You're not going to get around this issue of rights without there being a domain group you can place on the local workstations. You know this is a rights issue; wisely, you do not want to pass clear text passwords. Unless you can outline a domain structure there is not much I can do to assist.
0
 
nick_s Commented:
Sorry XAssets, I guess I read through your post too quickly. You cannot schedule remote tasks with Windows Task Scheduler.
0
 
oBdA Commented:
Your problem is the UNC path that you start your program from. The at command runs in the system context which has no network privileges.
There are (at least) two ways around this (since under W2k, the task scheduler refuses to be run under a non-system account [Q223170]):

* The most secure would probably be to first copy the program file to the target computers using the win scheduler with domain credentials and then start the program locally using at.exe \\servername 19:20 C:\Temp\aprogram.exe.

* The second way would be to make your share a null session share; check out http://support.microsoft.com/default.aspx?scid=KB;en-us;q124184 about your problem and how to create null session shares.
0
 
MSGeek Commented:
oBdA.. great advice, was wondering when you'd find this one, knew it was up your alley.  :)
0
 
xassets (Author) Commented:
Thanks. Null session shares seem to require a change on every target machine - not really a good option when there's likely to be thousands of them.

Launching AT from a local server sounds like a good one, but I think the solution may be for the originating process to shell a new process under the administrator credentials. I'm not sure how to do this programmatically, will do some research today.

Another idea I had was...

1. Create an ole server in vb
2. Copy it to the hdd on each machine
3. use remote AT to register it with regsvr32
4. use a remote createobject to open it from the central server, then you have full control over the local box to run a program, shell other stuff, do scheduling, etc

will try this today.

I would also like to hear from anyone who knows how to force processes to run on another machine from a remote machine without any local configuration required.

0
 
xassets (Author) Commented:
I have found a way of using WMI to create a process on another machine, which works great. However I still need a solution that will run on Win98 and NT4 computers which don't have WMI installed.

Any ideas?

0
 
oBdA Commented:
Hi xassets,

Null session shares don't require changes on every target machine; it's the machine that hosts the share that is refusing the connection.
All you need to do is enter the name of the share on the fileserver in its registry: Use regedt32 to go to HKLM\System\CurrentControlSet\Services\lanmanserver\parameters; edit the REG_MULTI_SZ entry and add the name of the share.
0
 
oBdA Commented:
The last part of my last sentence would make a bit more sense if I'd mentioned the name of the REG_MULTI_SZ entry, which is, as you may have already guessed, "NullSessionShares".
0
 
xassets (Author) Commented:
OK, We're going to offer NullSessionShares but need an alternative as some clients will be put off by anything that implies low security.

We really need the ability to shell a process on another box as administrator, without writing to that box's hard disk or changing the registry.
0
 
xassets (Author) Commented:
Got null session shares working only after giving everyone and his dog access to the share, now I must refine permissions to find out the minimum necessary, and will post the result here and give some points out too.
0
 
xassets (Author) Commented:
The minimum permissions were to add "ANONYMOUS LOGON" to the security settings for both the share and the directory that is shared.

Thanks

0
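
A defender's view of the configuration reached in this thread, as an added example that is not part of the original posts: a PowerShell audit, run locally on a file server, that lists every share named in the NullSessionShares value and reports whether "ANONYMOUS LOGON" is allowed on the share and on the shared directory. It assumes Windows 8 / Server 2012 or later (for Get-SmbShare and Get-SmbShareAccess, which the Windows 2000 and XP machines in the thread do not have); the function name Get-NullSessionShareAudit is hypothetical.

```powershell
# Added example (not from the thread). Run elevated on the file server.
# Assumes Windows 8 / Server 2012 or later for the SmbShare cmdlets.
$ParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$AnonName  = 'ANONYMOUS LOGON'

function Get-NullSessionShareAudit {   # hypothetical helper name
    param([string]$KeyPath = $ParamsKey)

    $params = Get-ItemProperty -Path $KeyPath
    # NullSessionShares is REG_MULTI_SZ: an array of share names, possibly empty.
    $listed = @($params.NullSessionShares | Where-Object { $_ })

    foreach ($name in $listed) {
        $share = Get-SmbShare -Name $name -ErrorAction SilentlyContinue
        if (-not $share) {
            # Stale entry: named in the registry but no such share exists.
            [pscustomobject]@{ Share = $name; Path = $null; Exists = $false
                               ShareAnon = $null; NtfsAnon = $null }
            continue
        }

        # Allow entries for ANONYMOUS LOGON in the share permissions.
        $shareAces = @(Get-SmbShareAccess -Name $name | Where-Object {
            $_.AccountName -like "*$AnonName" -and
            "$($_.AccessControlType)" -eq 'Allow' })

        # Allow entries for ANONYMOUS LOGON on the shared directory itself.
        $ntfsAces = @((Get-Acl -LiteralPath $share.Path).Access | Where-Object {
            $_.IdentityReference.Value -like "*$AnonName" -and
            "$($_.AccessControlType)" -eq 'Allow' })

        [pscustomobject]@{
            Share     = $name
            Path      = $share.Path
            Exists    = $true
            ShareAnon = ($shareAces | ForEach-Object { "$($_.AccessRight)" }) -join ','
            NtfsAnon  = ($ntfsAces  | ForEach-Object { "$($_.FileSystemRights)" }) -join ','
        }
    }
}

Get-NullSessionShareAudit | Format-Table -AutoSize
```

A row with rights in both ShareAnon and NtfsAnon matches the configuration described in the final post; an empty column means "ANONYMOUS LOGON" has no Allow entry at that layer.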
