/build/static/layout/Breadcrumb_cap_w.png
05/30/2017 1109 views
Hi, 

I trying to provisioning Agent to some Windows Server using Domain Admin user. 

STEP 2: AUTHENTICATION - SUCCESSFUL

      Opening pipe to service
      IN: pipe_open(\KBRemoteService, 7098287)
      Sending commands
      Commands: //ssk1000.sampoernastrategic.com/client/agent_provisioning/windows_platform/agent_msi_provision.bat ssk1000.sampoernastrategic.com client ampagent-7.1.62-x86.msi ssk1000.sampoernastrategic.com
      Sending login credentials
      Login: SAMSTRATEGIC\srv.ssbackup
      process (//ssk1000.sampoernastrategic.com/client/agent_provisioning/windows_platform/agent_msi_provision.bat ssk1000.sampoernastrategic.com client ampagent-7.1.62-x86.msi ssk1000.sampoernastrategic.com) 
      could not be launched: 5 Access is denied.
      (authenticated, but CreateProcessAsUser failed)process (//ssk1000.sampoernastrategic.com/client/agent_provisioning/windows_platform/agent_msi_provision.bat ssk1000.sampoernastrategic.com 
      client ampagent-7.1.62-x86.msi ssk1000.sampoernastrategic.com) could not be launched as LocalSystem: 5 Access is denied.
      OpenService - NT_STATUS_OK
      StopService - NT_STATUS_OK
      DeleteService - NT_STATUS_OK
      CloseServiceHandle - NT_STATUS_OK
      CloseSCMHandle - NT_STATUS_OK
      Connecting to ADMIN$
      Deleting service file
      Disconnecting ADMIN$

  STEP 3: PUSH SCRIPT\PROVISIONING - FAILED

  [05/30/17 01:51:23 PM] End of remote communications. 
  [05/30/17 01:51:23 PM] End provisioning run.

Then I try to install it using Local Admin user to some of these Servers, and it success. Looking at agent_msi_provision.bat it is seems the installer is accessing %WINDIR%\temp which is my Domain Admin do not have permission to access it.
So i suspecting this as the cause of the error, am i right? If so, how to override it to use more general folder like %APPDATA% instead %WINDIR%\temp?

Thanks
2 Comments   [ + ] Show comments

Comments

  • I would always prefer to provision via GPO rather than from the KBOX itself (too many requirements).

    https://support.quest.com/kace-systems-management-appliance/kb/133776
    • Can GPO Tools target only one computer only? We are doing a demo so only certain computers need to be installed not all of them.
  • I am also having this issue. I agree that GPO is the way to go, but due to circumstances beyond my control I need to make this work at least for a few PCs.

    Does anyone have thoughts on what might fix this? I checked the event viewer and monitored the tasks on the target PC during the attempt. It doesn't even look like the install reaches the target PC.

    (authenticated, but CreateProcessAsUser failed)process (//k1000.mydomain.com/client_2/agent_provisioning/windows_platform/agent_msi_provision.bat k1000.mydomain.com client_2 ampagent-7.1.62-x86.msi k1000.mydomain.com) could not be launched as LocalSystem: 5 Access is denied.

There are no answers at this time