Windows Server 2008 - can not run .exe file

Hello,

I am using remote desktop to connect to windows server. With guest account I can not run .exe files -> but I need just this. Other restrictions on guest account are OK with me, but I need to run one particular exe file. When I click on it (logged as guest), nothing happens. I don't see nothing in logs, too. I've set full control (right click -> security) for this .exe file and particular user name, but still can not run it.

Any idea?

Greetings, Frenky
AntonioRodrigoAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Kruno DžoićSystem EngineerCommented:
shift & mouse right clik, run as ?

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
AntonioRodrigoAuthor Commented:
@M3rc74 I can't do this because I'm logged in as guest - If I choose run as administrator, then I'll have to provide user name / password.
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Kruno DžoićSystem EngineerCommented:
can you add *.exe in remote desktop client, Start the following program on connection ??
Justin OwensITIL Problem ManagerCommented:
AntonioRodrigo,

Your desire is mutually exclusive.  Guest accounts on servers are intentionally highly restricted.  You should not connect to a server with RDP as Guest, ever.  Why are you needing to do this?  A better scenario would be this:

1) In a domain scenario, have the users log in with proper AD credentials

or

2) In a stand alone scenario, create a local account on the server, give it RDP Rights, and lock it down to run only your one APP but nothing else.

Either way, using the Guest account in this way is just bad juju.

DrUltima
AntonioRodrigoAuthor Commented:
DrUltima,

thanks a lot for your answer. It seems very logical to me. I've just done what I know about Windows Server and this ain't much )) Can you please help me a little bit more? How to create a new user and give him a permission to only open one particular .exe file? At least if you can show me how would you start solving a problem like this?
Justin OwensITIL Problem ManagerCommented:
A little more info, please.  Is your server a stand alone or is it a member server in a domain?  I ask because it can (though not necessarily must) affect how you proceed with local accounts (depending on GPO).
AntonioRodrigoAuthor Commented:
It's a stand alone server. Basically it's like that: there is a server and inside that server we bought 100GB space. Inside that I've installed Windows Server through VMWare client. So my server runs inside virtual machine. But now (it's easier) I am accessing server through remote desktop. And inside that virtual machine / my installation of windows server I've created a domain. So every user I create is inside that domain.
DavidPresidentCommented:
A few outside-the-box possibilities, it would help if you said exactly what this executable is, and what the O/S returns.  Clearly the program has logic in there that behaves differently depending on user privileges.  Don't discount the possibility that the developer just screwed up and didn't design it properly so it will never run this way.   Probably no reason to go through all the Win API calls that deal with inherited, runAs, GPO, and even hardware permissions .. suffice to say, I'd step back and research if the program is known to even work the way you want it to.
matrixnzCommented:
Is the file saved to a trusted location? example: C:\Program Files\Product Folder\Filename.exe
Does the file require privileged rights to run?
nb: some executables can have a RunAsAdmin embedded meaning the program requires elevation to be run.  This can also happen if it attempts to open or call Group Policy blocked programs RegEdit, CMD etc..
What happens if you select "Run as Administrator" does it work as intended?
Justin OwensITIL Problem ManagerCommented:
How many concurrent uses of this application might exist?  Do you need it to be able to run multiple times simultaneously, or is it a "one user at a time" type scenario?

DrUltima
AntonioRodrigoAuthor Commented:
@matrixnz:
- program is saved in C:\myfolder location.
- if I run the program with 'run as administrator' it runs. But - I wasn't setting anything on that matter. Where is the setting for privileged rights for running the program?


@DrUltima:
- This program will be run by only one user at a time. Each user will have it's own copy of the program.
AntonioRodrigoAuthor Commented:
Basically it will be like this: every user will have it's own instance of the .exe file and only one (his own) folder on which he will have read/write rights. Otherwise users will not have rights to run programs or to view / write on the file system.
AntonioRodrigoAuthor Commented:
This is really strange: if I check the properties of my .exe file, the user test1 has full control checked and allowed. But, still it can not run that .exe file.

I can only run that .exe in 'run as administrator' mode. But, my users will not have administrator rights, because they are not allowed to see system files and other stuff.
AntonioRodrigoAuthor Commented:
I've created a rule in the AppLocker, but with no result - I still can not run .exe if I am logged in as normal user, other than administrator.

I was using:

http://technet.microsoft.com/en-us/library/ee791814(v=ws.10).aspx

and for rule enforcements (strangelly, AppLocker's logs are empty):

http://technet.microsoft.com/en-us/library/ee791885(v=ws.10).aspx
matrixnzCommented:
1. Try saving it to C:\Program Files\ or into %UserProfile%\MyFolder The C:\MyFolder isn't a trusted folder
2. If each user is having there own executable than you should be placing it inside the profile folder.
3. With regards to the privleged rights, these are usually embedded into the executable code.
DavidPresidentCommented:
I don't see any problem at all.  The program runs under administrative rights, as stated by the author.   Some programs require such rights because they access system resources which can cause security issues.  Seems to me you are complaining that the O/S protects you from programs that can do bad things when run as a guest.
AntonioRodrigoAuthor Commented:
@matrixnz: I've place my executable in Program Files, Program Files (x86) and inside %UserProfile%. And I've created a rule in AppLocker for each of the folder mentioned. Same result, I can not run exe file.

'With regards to the privleged rights, these are usually embedded into the executable code.'

Is there a way to see who has rights to run executable?

@dlethe: I don't run as a guest. I'm logged in as a normal user. Yes, program runs under 'run as administrator'. Is there a way to remove this?
DavidPresidentCommented:
No, there is no way to remove "run as administrator" constraints.  All the techniques revolve around giving administrative privileges.    It is like asking how can you allow a guest user to delete every file on the computer or any other computer regardless of permissions.  Some low-level system functions require extended privileges.  This is for your protection, and the protection of other users and the data.  If you don't like that, then just give everybody admin privs, and while you are at it, make passwords optional.
AntonioRodrigoAuthor Commented:
Yes, but AppLocker gives possiblity to create some rules. I've added a rule through local policy and set path for the executable files - so, files in these folder can be run by the user on which rule is applied -> the only problem is that it doesn't work. In theory everything is cool.
matrixnzCommented:
Usually it's just set to Require Administrator, this is usually set to get elevated privileges or the UAC Prompt, without knowing what the executable is, all I can suggest is that it requires elevated privileges to run, this can be because the executable requires write access to System Registry or File/Folders for example: HKEY_LOCAL_MACHINE, C:\, C:\Windows\ etc....
Justin OwensITIL Problem ManagerCommented:
If the application is requiring administrative rights, then it is touching a secure area of the server, as the other Experts have pointed out.  Also, as has been pointed out, you will have to reduce restrictions to allow this to run, which is a bad idea. One rather tedious alternative is to contact the vendor of the application to see what restricted files/keys are being access and then changing the permissions on just those files/keys.  Remember, to run an application on a Terminal Server, it needs to be designed to do so.  It doesn't sound like your application is.  It would be helpful to know the name of the application you are trying to run.

DrUltima
AntonioRodrigoAuthor Commented:
The company I work in (and me as a developer) are authors of the application. Should we modify application to run on terminal services? It is made to be desktop application.
matrixnzCommented:
So what language are you writing the application in?  Does the application require access to System Resources? i.e. HKLM, HKCR or C:\Program Files\ etc... Is it calling an application that requires elevated privileges?  I'm not sure why you would have separate executables for each user, generally you'd use one executable and the executable would determine where the data is saved.  Can you explain what the application does?
AntonioRodrigoAuthor Commented:
The application connects with sql server database -> it reads and writes data to sql server. Also, app is opening some word documents and fills them with data (word templates with bookmarks). Basically, it is one exe and one dll file - exe for running needs this dll, because in it are custom made controls. The applications simplifies public ordering.
Justin OwensITIL Problem ManagerCommented:
Does the local policy on the server restrict any activity for authorized TS connections?
AntonioRodrigoAuthor Commented:
Not to my knowledge.... this is so strange to me: I can run this exe as administrator, but I can not run it as normal user. Permissions on the folder are for that user (full control) and even for 'everybody'.
Justin OwensITIL Problem ManagerCommented:
Folder permissions are only part of the mix.  As has been mentioned above, your user will also need access to any system level files and folders used and registry keys used.  It could be as simple as the C:\Windows\Temp folder (instead of the app using %TEMP%).  Logged in as that user (non-admin), can you run an RSOP and let us know the outcome?
AntonioRodrigoAuthor Commented:
I've tried: run - cmd - and the type rsop.msc - it wants administrative password to run this program.
matrixnzCommented:
The problem is probably the .dll file try this register the .dll as admin and then try run the .exe by default you need elevated privileges to register a .dll.  I had similar issue recently on Windows 2008 R2 writing an rtf using a third party .dll file, standard users weren't able to load the .dll so the rtf creation failed, everything else in the file worked without issue, it was only when I called the .dll that it failed.  On Windows XP it worked fine.
AntonioRodrigoAuthor Commented:
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.