Pstools: Access Denied in a Domain Environment

After upgrading to a 7 VM at work, I was having trouble getting commands to authenticate on remote machines. After much trial and error, I realized some curious behaviour with . Obviously, when connecting to a remote machine, I would try to use the ‘-u’ switch to specify my administrative account, but would always get ‘access is denied’. Of course, all of the normal things should be checked: simple sharing turned off, $ADMIN share working… you know…

The issue was apparently that if I log into my workstation as a non-administrative user, but try to issue pstools commands as an administrator,  it fails because Microsoft wants me to log into my workstation and work logged with my domain admin account.

Take a look at this example using psexec:
On windows 7, running ‘cmd’ as your non-admin user, if you type in the command:

c:\Program Files (x86)\PsTools>psexec -u domain\domainadmin \\targetmachine cmd

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

Password:
Could not start PsExec service on targetmachine:
Access is denied.

If you:

  1. Hit start
  2. Type “cmd”
  3. Hold down ‘shift’ and right-click on the ‘cmd’ in the start menu
  4. Select ‘run as different user’.
  5. Type in your administrative credentials. Use the same ones you will use in the psexec command.

Now you should have your command line window open. If you run the same command as earlier:

c:\Program Files (x86)\PsTools>psexec -u domain\domainadmin \\targetmachine cmd

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

Password:

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\Windows\system32>

Now you’re in!

2010
09/15
CATEGORY
windows
TAGS


9 comments
    • twdcmd
    • November 24th, 2010

    We experienced the same problem and discovered that if you add the user account running the pstools command to the administrators group of the remote machine, it will work.

    • rezaur
    • February 28th, 2011

    Sorry man not working for me :(

    • worked!
    • June 1st, 2011

    This works! thank you :)

    • Rahulsworld
    • July 23rd, 2011

    not workin :(

    • Sorry to hear that… Could you provide more detail?

    • mike
    • August 22nd, 2011

    That works!

    Thanks a lot :)

    • vishnu
    • October 10th, 2011

    That worked. Thanks a lot, I was banging my head trying to figure out the root cause for past 2 days.

    • Brad
    • November 29th, 2011

    I’ll see your credentials and raise you one :-) If you do the Shift+RightClick on the ‘CMD’ in the start box and enter the Local Administrator credentials for the target machine, you can leave off the PsExec -u and -p params altogether! Since I started using Ver. 1.98 I’m now including the -h param, and that lets me connect fine to a Win2K8,R2 or Win7 machine from XP, but it seems to have no effect whatsoever connecting FROM a Win2K8 or Win7 machine.

    BTW, I had my Network Engineers check and UAC is disabled on the target as well as on my Win7 PC where I’m executing from, so that’s no solution to this issue.

    Is there a way to automate that Shift+RightClick from the command-line? If so, I could modify my scripts to perform those additional steps when the target is either Win7, Win2K8, or (I assume) Win8.

    • Tailp
    • February 14th, 2012

    works perfectly!

    If you shift+right click CMD and then logon as a domain admin:

    psexec \\targetmachine /h cmd.exe

    would be sufficient. the /u value becomes completely irrelevant, since you’re already running the commandbox as an admin.

  1. No trackbacks yet.