Windows Server 2008 - can not run .exe file

shift & mouse right clik, run as ?

@M3rc74 I can't do this because I'm logged in as guest - If I choose run as administrator, then I'll have to provide user name / password.

can you add *.exe in remote desktop client, Start the following program on connection ??

AntonioRodrigo,

Your desire is mutually exclusive.  Guest accounts on servers are intentionally highly restricted.  You should not connect to a server with RDP as Guest, ever.  Why are you needing to do this?  A better scenario would be this:

1) In a domain scenario, have the users log in with proper AD credentials

or

2) In a stand alone scenario, create a local account on the server, give it RDP Rights, and lock it down to run only your one APP but nothing else.

Either way, using the Guest account in this way is just bad juju.

DrUltima

DrUltima,

thanks a lot for your answer. It seems very logical to me. I've just done what I know about Windows Server and this ain't much )) Can you please help me a little bit more? How to create a new user and give him a permission to only open one particular .exe file? At least if you can show me how would you start solving a problem like this?

A little more info, please.  Is your server a stand alone or is it a member server in a domain?  I ask because it can (though not necessarily must) affect how you proceed with local accounts (depending on GPO).

It's a stand alone server. Basically it's like that: there is a server and inside that server we bought 100GB space. Inside that I've installed Windows Server through VMWare client. So my server runs inside virtual machine. But now (it's easier) I am accessing server through remote desktop. And inside that virtual machine / my installation of windows server I've created a domain. So every user I create is inside that domain.

A few outside-the-box possibilities, it would help if you said exactly what this executable is, and what the O/S returns.  Clearly the program has logic in there that behaves differently depending on user privileges.  Don't discount the possibility that the developer just screwed up and didn't design it properly so it will never run this way.   Probably no reason to go through all the Win API calls that deal with inherited, runAs, GPO, and even hardware permissions .. suffice to say, I'd step back and research if the program is known to even work the way you want it to.

How many concurrent uses of this application might exist?  Do you need it to be able to run multiple times simultaneously, or is it a "one user at a time" type scenario?

DrUltima

@matrixnz:
- program is saved in C:\myfolder location.
- if I run the program with 'run as administrator' it runs. But - I wasn't setting anything on that matter. Where is the setting for privileged rights for running the program?


@DrUltima:
- This program will be run by only one user at a time. Each user will have it's own copy of the program.

Basically it will be like this: every user will have it's own instance of the .exe file and only one (his own) folder on which he will have read/write rights. Otherwise users will not have rights to run programs or to view / write on the file system.

This is really strange: if I check the properties of my .exe file, the user test1 has full control checked and allowed. But, still it can not run that .exe file.

I can only run that .exe in 'run as administrator' mode. But, my users will not have administrator rights, because they are not allowed to see system files and other stuff.

I've created a rule in the AppLocker, but with no result - I still can not run .exe if I am logged in as normal user, other than administrator.

I was using:

http://technet.microsoft.com/en-us/library/ee791814(v=ws.10).aspx

and for rule enforcements (strangelly, AppLocker's logs are empty):

http://technet.microsoft.com/en-us/library/ee791885(v=ws.10).aspx

1. Try saving it to C:\Program Files\ or into %UserProfile%\MyFolder The C:\MyFolder isn't a trusted folder
2. If each user is having there own executable than you should be placing it inside the profile folder.
3. With regards to the privleged rights, these are usually embedded into the executable code.

I don't see any problem at all.  The program runs under administrative rights, as stated by the author.   Some programs require such rights because they access system resources which can cause security issues.  Seems to me you are complaining that the O/S protects you from programs that can do bad things when run as a guest.

@matrixnz: I've place my executable in Program Files, Program Files (x86) and inside %UserProfile%. And I've created a rule in AppLocker for each of the folder mentioned. Same result, I can not run exe file.

'With regards to the privleged rights, these are usually embedded into the executable code.'

Is there a way to see who has rights to run executable?

@dlethe: I don't run as a guest. I'm logged in as a normal user. Yes, program runs under 'run as administrator'. Is there a way to remove this?

No, there is no way to remove "run as administrator" constraints.  All the techniques revolve around giving administrative privileges.    It is like asking how can you allow a guest user to delete every file on the computer or any other computer regardless of permissions.  Some low-level system functions require extended privileges.  This is for your protection, and the protection of other users and the data.  If you don't like that, then just give everybody admin privs, and while you are at it, make passwords optional.

Yes, but AppLocker gives possiblity to create some rules. I've added a rule through local policy and set path for the executable files - so, files in these folder can be run by the user on which rule is applied -> the only problem is that it doesn't work. In theory everything is cool.

Usually it's just set to Require Administrator, this is usually set to get elevated privileges or the UAC Prompt, without knowing what the executable is, all I can suggest is that it requires elevated privileges to run, this can be because the executable requires write access to System Registry or File/Folders for example: HKEY_LOCAL_MACHINE, C:\, C:\Windows\ etc....

If the application is requiring administrative rights, then it is touching a secure area of the server, as the other Experts have pointed out.  Also, as has been pointed out, you will have to reduce restrictions to allow this to run, which is a bad idea. One rather tedious alternative is to contact the vendor of the application to see what restricted files/keys are being access and then changing the permissions on just those files/keys.  Remember, to run an application on a Terminal Server, it needs to be designed to do so.  It doesn't sound like your application is.  It would be helpful to know the name of the application you are trying to run.

DrUltima

The company I work in (and me as a developer) are authors of the application. Should we modify application to run on terminal services? It is made to be desktop application.

So what language are you writing the application in?  Does the application require access to System Resources? i.e. HKLM, HKCR or C:\Program Files\ etc... Is it calling an application that requires elevated privileges?  I'm not sure why you would have separate executables for each user, generally you'd use one executable and the executable would determine where the data is saved.  Can you explain what the application does?

The application connects with sql server database -> it reads and writes data to sql server. Also, app is opening some word documents and fills them with data (word templates with bookmarks). Basically, it is one exe and one dll file - exe for running needs this dll, because in it are custom made controls. The applications simplifies public ordering.

Does the local policy on the server restrict any activity for authorized TS connections?

Not to my knowledge.... this is so strange to me: I can run this exe as administrator, but I can not run it as normal user. Permissions on the folder are for that user (full control) and even for 'everybody'.

Folder permissions are only part of the mix.  As has been mentioned above, your user will also need access to any system level files and folders used and registry keys used.  It could be as simple as the C:\Windows\Temp folder (instead of the app using %TEMP%).  Logged in as that user (non-admin), can you run an RSOP and let us know the outcome?

I've tried: run - cmd - and the type rsop.msc - it wants administrative password to run this program.

The problem is probably the .dll file try this register the .dll as admin and then try run the .exe by default you need elevated privileges to register a .dll.  I had similar issue recently on Windows 2008 R2 writing an rtf using a third party .dll file, standard users weren't able to load the .dll so the rtf creation failed, everything else in the file worked without issue, it was only when I called the .dll that it failed.  On Windows XP it worked fine.

I've used Process Monitor, from my other post:

https://www.experts-exchange.com/questions/27738516/Windows-Server-logging-blocked-execution-of-the-exe-file.html