PsExec& Windows Server 2008:权限和权限身份验证问题
我正在编写一个应用程序,可以帮助我将应用程序自动部署到我的 Windows Server 2008 计算机上。作为此过程的一部分,我需要从我的测试机远程启动和停止 2008 服务器上的 IIS 网站。
从我的 2008 机器的范围来看,我正在使用:
C:\Windows\System32\inetsrv\appcmd.exe stop site "MyWebsite"
如果我只是从命令提示符运行该命令,则该命令不起作用。返回的错误是:
错误(消息:W3SVC 服务不可用 - 请先尝试启动该服务。)
但是,如果我通过“以管理员身份运行”使用命令提示符,这确实有效。很好&花花公子,但我需要能够从另一台机器上运行它。使用域帐户(被视为管理员),从我的测试(非 2008)机器的角度来看,我的 PsExec 命令变为以下内容:
"C:\Program Files\PSTools\psexec.exe" \\my2008machine -u domainuser -p password C:\Windows\System32\inetsrv\appcmd.exe stop site "MyWebsite"
PsExec 启动、运行和退出,提供与上面所示相同的错误:就像好像我在我的 2008 机器上从命令提示符运行了这个命令 - 没有 - “以管理员身份运行”。
Windows 防火墙已关闭,我已按照其他地方的建议设置了“LocalAccountTokenFilterPolicy”,但我没有主意了。知道如何解决这个问题或解决它吗?
I'm writing an application that helps me auto-deploy my applications to my Windows Server 2008 machines. As apart of this process, I need remotely start and stop IIS websites on my 2008 servers from my test machine.
From the scope of my 2008 machine, I'm using:
C:\Windows\System32\inetsrv\appcmd.exe stop site "MyWebsite"
This command does NOT work if I simply run it from the command prompt. The error returned is:
ERROR ( message:The W3SVC service is not available - try starting the service first. )
However this DOES work if I use the command prompt via "Run as Administrator". That's fine & dandy, but I need to be able to run this from another machine. Using a domain account (that is considered an Administrator), my PsExec commaned becomes the following from the perspective of my test (non-2008) machine:
"C:\Program Files\PSTools\psexec.exe" \\my2008machine -u domainuser -p password C:\Windows\System32\inetsrv\appcmd.exe stop site "MyWebsite"
PsExec starts, runs, and exits providing the same error as seen above: just like as if I had run this command from the command prompt -without- "Run as Administrator" on my 2008 machine.
Windows Firewall is turned off, I've set a 'LocalAccountTokenFilterPolicy' as suggested elsewhere, and I'm out of ideas. Any idea how to fix this or work around it?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
使用域管理员帐户(从 2003 R2 --> 2008 R2)在同一域中的计算机之间传输的此问题已得到解决。这是通过更改“本地安全策略”-->“本地策略”-->“安全选项”下的 UAC 设置来完成的。我相信这是“在管理员批准模式下运行所有管理员”设置,并且需要重新启动。
然而,跨域边界时仍然存在一个突出的问题:使用相同的域管理用户并针对 2008 R2 服务器,PsExec 返回“访问被拒绝”错误。
This issue has been resolved going between machines in the same domain using a domain administrator account (from 2003 R2 --> 2008 R2). This was accomplished by changing UAC settings under the Local Security Policy-->Local Policies-->Security Options. I believe it was a "Run all administrators in Admin Approval mode" setting, and required a reboot.
However, there is still an outstanding issue when crossing the domain boundary: using the same domain administrative user and targeting a 2008 R2 server, PsExec returns an "Access Denied" error.
我在尝试以静默方式 msiexec 本地安装包时遇到了类似的问题(返回错误代码 1603),并且能够使用 -h 标志来解决该问题。来自帮助:
使用 PsExec v1.98。目标服务器是全新安装的 Server 2008 R2,启用了 UAC 并禁用了防火墙。
I ran into a similar issue attempting to msiexec a local install package silently (returned error code 1603) and was able to get around it with the -h flag. From the help:
Using PsExec v1.98. Target server is a clean install of Server 2008 R2 with UAC enabled and Firewall disabled.