05/30/2017 1366 views

I trying to provisioning Agent to some Windows Server using Domain Admin user. 


      Opening pipe to service
      IN: pipe_open(\KBRemoteService, 7098287)
      Sending commands
      Commands: //ssk1000.sampoernastrategic.com/client/agent_provisioning/windows_platform/agent_msi_provision.bat ssk1000.sampoernastrategic.com client ampagent-7.1.62-x86.msi ssk1000.sampoernastrategic.com
      Sending login credentials
      Login: SAMSTRATEGIC\srv.ssbackup
      process (//ssk1000.sampoernastrategic.com/client/agent_provisioning/windows_platform/agent_msi_provision.bat ssk1000.sampoernastrategic.com client ampagent-7.1.62-x86.msi ssk1000.sampoernastrategic.com) 
      could not be launched: 5 Access is denied.
      (authenticated, but CreateProcessAsUser failed)process (//ssk1000.sampoernastrategic.com/client/agent_provisioning/windows_platform/agent_msi_provision.bat ssk1000.sampoernastrategic.com 
      client ampagent-7.1.62-x86.msi ssk1000.sampoernastrategic.com) could not be launched as LocalSystem: 5 Access is denied.
      OpenService - NT_STATUS_OK
      StopService - NT_STATUS_OK
      DeleteService - NT_STATUS_OK
      CloseServiceHandle - NT_STATUS_OK
      CloseSCMHandle - NT_STATUS_OK
      Connecting to ADMIN$
      Deleting service file
      Disconnecting ADMIN$


  [05/30/17 01:51:23 PM] End of remote communications. 
  [05/30/17 01:51:23 PM] End provisioning run.

Then I try to install it using Local Admin user to some of these Servers, and it success. Looking at agent_msi_provision.bat it is seems the installer is accessing %WINDIR%\temp which is my Domain Admin do not have permission to access it.
So i suspecting this as the cause of the error, am i right? If so, how to override it to use more general folder like %APPDATA% instead %WINDIR%\temp?

2 Comments   [ + ] Show comments


  • I would always prefer to provision via GPO rather than from the KBOX itself (too many requirements).

    • Can GPO Tools target only one computer only? We are doing a demo so only certain computers need to be installed not all of them.
  • I am also having this issue. I agree that GPO is the way to go, but due to circumstances beyond my control I need to make this work at least for a few PCs.

    Does anyone have thoughts on what might fix this? I checked the event viewer and monitored the tasks on the target PC during the attempt. It doesn't even look like the install reaches the target PC.

    (authenticated, but CreateProcessAsUser failed)process (//k1000.mydomain.com/client_2/agent_provisioning/windows_platform/agent_msi_provision.bat k1000.mydomain.com client_2 ampagent-7.1.62-x86.msi k1000.mydomain.com) could not be launched as LocalSystem: 5 Access is denied.

There are no answers at this time