Solved

Using PSExec with System Account on a logged off domain machine

Posted on 2015-01-27
8
344 Views
Last Modified: 2015-02-27
Hi Experts,
I’m looking for some assistance using PSExec (or a similar method) to trigger a remote command from a domain machine whilst it is in a logged off state (I.e. at the login screen).
Essentially, I am using OS deployment software (smartdeploy) to install a Win7 image on my domain PC, the software adds the PC to the domain, and leaves it at the login prompt – which is all fine.
The software gives me the option to run a command at first boot (using only the system account), when the machine is sitting at the login prompt.
I want to be able to use PSExec to trigger my application deployment software (PDQ Deploy) – something to this effect:

PSexec.exe \\PDQSERVER –accepteula –u username –p password Pdqdeploy.exe Deploy “PackageNameWhatever” %computername%

I’ve tested this and similar commands whilst logged into a machine and it works flawlessly – the command uses the computername variable to install the package directly to the PC, however have tried different combinations, tried to specify different credentials, parameters etc whilst the machine is logged off but no luck. Understand it is likely a permissions issue but not sure how I can get around it.

Hoping someone can provide some guidance or maybe an alternative approach. The two software packages work well together for OS and application deployment, however I would like to be able to automate the whole process and have our default application package install, as soon as the OS is deployed and the machine has joined the domain, got an IP address etc.

Cheers!
0
Comment
Question by:bl460c
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 24

Expert Comment

by:Nagendra Pratap Singh
ID: 40572449
Do you have a local admin account?
0
 
LVL 54

Accepted Solution

by:
McKnife earned 500 total points
ID: 40572653
Hi.

I think the problem is that the system account cannot impersonate anyone. Proof: If you start
psexec -s -i cmd
a shell running as system appears. Within that shell, try to use runas.exe to impersonate youruser and start notepad:
runas /user:domain\youruser notepad
You get
"RUNAS ERROR: Unable to run - notepad
5: Access is denied."
0
 

Author Comment

by:bl460c
ID: 40583275
Nagendra Pratap Singh - yes I have a local admin account (or I could create a specific local admin account for this purpose - how are you suggesting it could be used?) cheers
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 24

Expert Comment

by:Nagendra Pratap Singh
ID: 40583316
I would use a local admin account in the meantime.

Also check if your process is not blocked by UAC etc.

http://www.brandonmartinez.com/2013/04/24/resolve-access-is-denied-using-psexec-with-a-local-admin-account/
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40583356
Did you understand my comment? It's the reason for why it's not possible.
0
 
LVL 59

Expert Comment

by:LeeTutor
ID: 40634972
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40634973
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/Windows_7/Q_28604512.html#a40572653 is the solution. It is a known fact that the system account does not offer to use impersonation, that's why it won't work for the asker.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
While working, an annoying popup showing below will come and we cannot cancel or close it form the screen. The error message will come again and again.
This Micro Tutorial will teach you how to change your appearance and customize your Windows 7 interface to your unique preference. This will be demonstrated using Windows 7 operating system.
This Micro Tutorial will give you a introduction in two parts how to utilize Windows Live Movie Maker to its maximum editing capability. This will be demonstrated using Windows Live Movie Maker on Windows 7 operating system.

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question