What permissions do I need to use admin$ ?

[Guest]

I'm trying to mount admin$ of one of our NT Server machines onto my XP
machine. I do not have permissions to do so, but I can't find the permissions
I'd need.

admin$'s own permissions cannot be set (or so it appears) because "This has
been shared for administrative purposes. The permissions cannot be set."

So how do I get permissions?

Maury

 

[Kerry Brown]

I'm trying to mount admin$ of one of our NT Server machines onto my XP
machine. I do not have permissions to do so, but I can't find the
permissions I'd need.

admin$'s own permissions cannot be set (or so it appears) because
"This has been shared for administrative purposes. The permissions
cannot be set."

So how do I get permissions?

Maury

If in a domain you need domain admin permissions. If in a workgroup then you
must be a administrator on that machine.

Why would you want to mount admin$? I can't think of any reason to do this.
At best if you need temporary access you should use Start ==> Run ==>
\\server_name\c$ or whatever drive you need access to. If you need permanent
access to the root of a system drive then something is not right with your
overall network security plan.

Kerry

 

[Guest]

If in a domain you need domain admin permissions. If in a workgroup then you
must be a administrator on that machine.

It is on a domain, I am a domain admin of another domain. I am attempting to
add rights for those domain admins to have access to admin$.

Why would you want to mount admin$?

PsExec requires access to admin$. I'm not so much trying to mount it as
figure out why PsExec always gives me "access is denied". using net use
admin$ also gives me "access is denied". The two are almost certainly caused
by the same problem.

Maury

 

[Kerry Brown]

It is on a domain, I am a domain admin of another domain. I am
attempting to add rights for those domain admins to have access to
admin$.


PsExec requires access to admin$. I'm not so much trying to mount it
as figure out why PsExec always gives me "access is denied". using
net use admin$ also gives me "access is denied". The two are almost
certainly caused by the same problem.

Maury

You may need to specify an account that will work with the -u and -p
switches. See the following link for usage and axamples.

http://www.windowsitpro.com/Windows/Article/ArticleID/42919/42919.html

Alternatively you could logon as a domain admin in the same domain as the
server. Another method would be to logon as an Enterprise Admin. Obviously
running a program as an Enterprise Admin is a security risk that should be
avoided if at all possible. What are you trying to accomplish with psexec?

Kerry

 

[Leythos]

It is on a domain, I am a domain admin of another domain. I am attempting to
add rights for those domain admins to have access to admin$.

Don't add admin$, create shares they need to access and then set
permissions using the NORMAL method.

Also, if you are in one domain and the resource in another, you need to
setup a trust between the domains and create groups to apply permissions
to the resources.

You do NOT want to give users access to C$, ADMIN$ or other $ resources.

PsExec requires access to admin$. I'm not so much trying to mount it as
figure out why PsExec always gives me "access is denied". using net use
admin$ also gives me "access is denied". The two are almost certainly caused
by the same problem.

Not sure what PsExe is, but if you setup the TRUST between the domains
you should have no issues with this.

 

[Guest]

What are you trying to accomplish with psexec?

All I need to do is run a batch file. The batch file spawns an interactive
application that imports data into a db. The morons that wrote it included a
"batch mode", but it nevertheless displays both a splash screen as well as a
dialog box saying it's complete.

I have tried every possible tool I can think of...

"at" fails because the application appears to be setting the working
directory, which for some reason is not allowed. at runs as the logged in
user, which in this case is the admin.

rcmd fails because on this machine any attempt to run with "allow access to
desktop", which is required for an interactive app, fails with an error about
kernel32.dll failing to initialize. MS has a tech note on this error, but it
does not describe how to fix it in terms I can understand.

psexec fails as I mentioned, with an "Access is denied".

However, I have made progress with psexec. By simply using:

psexec \\server cmd

....with no user or pass I _was_ able to run cmd! However when I ran the
batch file in question, psexec never returns from the importer program. I
assume it is "frozen" waiting for the user to click something which is not
visible on the screen.

This shouldn't be this hard! Am I overlooking some other solution?

Maury

 

[Steven L Umbach]

Only an administrator can access that share which is full control access to
the systemroot folder and is hard coded by the operating system. If you have
a real need to do such then you will have to use credentials for a user
account that is an administrator on the target computer. If you do not need
full control then you can create your own share with the access needed.---
Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q314984&sd=tech ---
info on administrative shares

 

[Guest]

More playing, more progress...

Using PsExec I can now get cmd to run with the -i flag, which makes the
screen on the server. When I run my batch file I get a dialog saying "Error
attempting to set the system's working directory". Whoa, same error I get
when running "at".

Hmmm, maybe this is closer to working after all!

Maury

 

[Steven L Umbach]

You do not need to be a domain administrator unless the server in question
is a domain controller which the user did not clarify. While domain admins
global group is in the local administrators group of a domain computer by
default any domain user account can be added or the credentials of any user
in the local administrators group can be used including the built in
administrator account.. --- Steve

 

[Kerry Brown]

You do not need to be a domain administrator unless the server in
question is a domain controller which the user did not clarify. While
domain admins global group is in the local administrators group of a
domain computer by default any domain user account can be added or
the credentials of any user in the local administrators group can be
used including the built in administrator account.. --- Steve

Good point. That is probably the best option, to add the domain user account
to the local administrators group.

Kerry

 

[Kerry Brown]

All I need to do is run a batch file. The batch file spawns an
interactive application that imports data into a db. The morons that
wrote it included a "batch mode", but it nevertheless displays both a
splash screen as well as a dialog box saying it's complete.

I have tried every possible tool I can think of...

"at" fails because the application appears to be setting the working
directory, which for some reason is not allowed. at runs as the
logged in user, which in this case is the admin.

rcmd fails because on this machine any attempt to run with "allow
access to desktop", which is required for an interactive app, fails
with an error about kernel32.dll failing to initialize. MS has a tech
note on this error, but it does not describe how to fix it in terms I
can understand.

psexec fails as I mentioned, with an "Access is denied".

However, I have made progress with psexec. By simply using:

psexec \\server cmd

...with no user or pass I _was_ able to run cmd! However when I ran
the batch file in question, psexec never returns from the importer
program. I assume it is "frozen" waiting for the user to click
something which is not visible on the screen.

This shouldn't be this hard! Am I overlooking some other solution?

Maury

Did you see Steven L Umbach's post? Adding your domain account to the local
administrators group on the server might work.

It's been a long time since I used NT4 and I've never used psexec so I'm out
of ideas.

Kerry