SC.exe gives "Access Denied" when using pass-through account to non-domain Windows 2008 R2 Server
Hi,
Hopefully a simple one!
I have a .BAT file I use to query the services running on my servers, a mixture of W2K3, W2K8 and W2K8R2, mostly domain connected. The script simply parses a list of machine names and their service names then runs:
sc \\%1 query %2 | find "RUNNING"
and looks for an errorlevel. This works fine for all my domain servers (including W2K8R2).
The script is usually run in the context of a service account with Domain Admin rights.
I have a DNS server in the DMZ which is NOT domain connected. This server is W2K3 and has a second local administrator service account with the same credentials as the domain account - taking advantage of 'pass-through' to allow rights. This has worked perfectly so far.
I am migrating the services from this machine to a new one, in the same location, but using W2K8R2. Again this is NON-domain connected and I have added the same local administrator account and credentials as before.
The command sc \\mymachine query DNS fails with:
[SC] EnumQueryServicesStatus:Op
Access is denied.
I have successfully used
net use \\mymachine\ipc$ /user:mymachine\account password
to connect to the server, but it still refuses to pass the status of the DNS (or any other) service.
Note that the original W2K3 server is still working fully so this should negate any Firewall issues (esp. as both machines are in the same F/W groups).
Also note that when I use the mymachine\administrator account in the net use, the sc query does then work - so permissions on my second administrative account appear to be the issue.
I have seen some articles about Access Rights, some about changing details in Local Security Policy: Network Security: NTLM and the User Rights Assignment part and so on. I am cautious though as this server is Internet facing I only want to allow the minimum to query the services.
To be frank, I am a bit confused as to why this simple pass-through is failing, and I just want to query the server to find out if the services on it are still working OK.
Any ideas?
Thanks Andy.
Hopefully a simple one!
I have a .BAT file I use to query the services running on my servers, a mixture of W2K3, W2K8 and W2K8R2, mostly domain connected. The script simply parses a list of machine names and their service names then runs:
sc \\%1 query %2 | find "RUNNING"
and looks for an errorlevel. This works fine for all my domain servers (including W2K8R2).
The script is usually run in the context of a service account with Domain Admin rights.
I have a DNS server in the DMZ which is NOT domain connected. This server is W2K3 and has a second local administrator service account with the same credentials as the domain account - taking advantage of 'pass-through' to allow rights. This has worked perfectly so far.
I am migrating the services from this machine to a new one, in the same location, but using W2K8R2. Again this is NON-domain connected and I have added the same local administrator account and credentials as before.
The command sc \\mymachine query DNS fails with:
[SC] EnumQueryServicesStatus:Op
Access is denied.
I have successfully used
net use \\mymachine\ipc$ /user:mymachine\account password
to connect to the server, but it still refuses to pass the status of the DNS (or any other) service.
Note that the original W2K3 server is still working fully so this should negate any Firewall issues (esp. as both machines are in the same F/W groups).
Also note that when I use the mymachine\administrator account in the net use, the sc query does then work - so permissions on my second administrative account appear to be the issue.
I have seen some articles about Access Rights, some about changing details in Local Security Policy: Network Security: NTLM and the User Rights Assignment part and so on. I am cautious though as this server is Internet facing I only want to allow the minimum to query the services.
To be frank, I am a bit confused as to why this simple pass-through is failing, and I just want to query the server to find out if the services on it are still working OK.
Any ideas?
Thanks Andy.
ASKER
Sorry serchlop this didn't work. Got:
PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com
Couldn't access 192.168.0.1:
Access is denied.
I assume it's the same issue - i.e. some sort of remote access permissions.
I am unhappy with using a username and password in a batch script too, partly for security reasons and partly because the command I mentioned is part of a loop, which uses the implicit permissions inherited from the scheduled task permissions, therefore requiring a separate piece of code just for this machine.
What i think i'm looking for is a Windows 2008 specific 'hack' which will reduce the security on the stand-alone machine in just the area of the Service Control Manager.
Andy
PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com
Couldn't access 192.168.0.1:
Access is denied.
I assume it's the same issue - i.e. some sort of remote access permissions.
I am unhappy with using a username and password in a batch script too, partly for security reasons and partly because the command I mentioned is part of a loop, which uses the implicit permissions inherited from the scheduled task permissions, therefore requiring a separate piece of code just for this machine.
What i think i'm looking for is a Windows 2008 specific 'hack' which will reduce the security on the stand-alone machine in just the area of the Service Control Manager.
Andy
Another way to verify that DNS is working and you don't need to provide a user is
nslookup www.hotmail.com ipofyourdnsserver | find "No response from server"
this will verify that your dns server is responding queries for name resolution.
You can modify find with a text that you want, maybe do the reverse check.
nslookup www.mydomain.com ipofyourdnsserver | find "ipofyourwww.mydomain.com"
nslookup www.hotmail.com ipofyourdnsserver | find "No response from server"
this will verify that your dns server is responding queries for name resolution.
You can modify find with a text that you want, maybe do the reverse check.
nslookup www.mydomain.com ipofyourdnsserver | find "ipofyourwww.mydomain.com"
ASKER
OK, that works. If I enable DNS through the firewall and only look for my domain on that server (recursion is disabled so won't answer any other domain) it gives me enough back to check if it's working or not.
It means I can only check for the DNS service though - what do I do about checking AntiVirus, Windows Time, Backups and Server services?
It means I can only check for the DNS service though - what do I do about checking AntiVirus, Windows Time, Backups and Server services?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Solution found outside of this forum, updating for others to benefit.
for example
psexec \\192.168.0.1 -u localserver\administrator -p localserverpassword sc query service | find "RUNNING"
This should work