CIT scan fails on Win2003 without admin rights

I need your suggestion and solution. I have a few Windows 2003 servers where SW and HW scan jobs are failing with error 8. After further investigation, if I logged in as a domain user ID with admin rights on a Windows 2003 server and manually executed these bat files below, it worked just fine.

"C:\Program Files\BigFix Enterprise\BES Client\LMT\CIT\runcit_tlm_hw.bat"
"C:\Program Files\BigFix Enterprise\BES Client\LMT\CIT\runcit_sw.bat"

If I logged in with another domain ID with no admin rights and executed the same bat files, I got a permission denied error.

So this indicated that error 8 is related to a permission issue running the bat files.

The besclient service is also defined to run as another domain ID, which I believe does not have permission to run bat files.

How can I utilize the override feature to get the SW and HW scan jobs to run using a working domain ID?

I tried this one below and it failed.

override wait
runas=localuser
asadmin=true
user=INTL\johnA
password=required
wait "C:\Program Files\BigFix Enterprise\BES Client\LMT\CIT\runcit_tlm_hw.bat"

Any suggestions? Thanks.

Task failed as shown below.

Completed override wait
Failed runas=localuser
asadmin=true
user=INTL\johnA
password=required
wait "C:\Program Files\BigFix Enterprise\BES Client\LMT\CIT\runcit_tlm_hw.bat"

I’ve moved this to a topic separate from the “Tip” about running in user context.

I’m not sure what the options are on older clients that still run on Win2003, but I can say the OS is long unsupported and we’ve never supported running BESClient service as a domain account, especially one without local administrator rights. The BESClient service should be running as LocalSystem.

I think the way we impersonate user accounts with the ‘override’ options very likely depends on the “Act as part of the operating system” right that usually even Administrators don’t get, but which LocalSystem does.

I’m not sure what version of BESClient even ran on Win2003, but it’s probably lacking many of the newer ‘override’ options.

Short version, change the Service to run as LocalSystem.
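
One way to check which account the BESClient service runs as on several servers, and to apply the LocalSystem recommendation above, is to query Win32_Service over WMI from an admin workstation. This is an added example, not part of the original thread or BigFix's own tooling; it assumes the service name is BESClient, uses constructed placeholder server names, and needs Windows PowerShell (for Get-WmiObject) run under an account with admin rights on the targets.

```powershell
# Added example: audit and correct the BESClient service logon account over WMI.
# Assumptions: service name 'BESClient'; the server names are constructed placeholders.
param(
    [string[]]$ComputerName = @('SERVER01', 'SERVER02'),  # constructed placeholder names
    [switch]$Fix                                           # without -Fix the script only reports
)

foreach ($computer in $ComputerName) {
    try {
        $svc = Get-WmiObject -Class Win32_Service -ComputerName $computer `
                   -Filter "Name='BESClient'" -ErrorAction Stop
    } catch {
        Write-Warning "${computer}: WMI query failed: $($_.Exception.Message)"
        continue
    }
    if (-not $svc) {
        Write-Warning "${computer}: BESClient service not found"
        continue
    }

    # StartName holds the logon account; the thread's recommendation is LocalSystem.
    $isLocalSystem = $svc.StartName -eq 'LocalSystem'
    "{0}: BESClient runs as '{1}' (state: {2})" -f $computer, $svc.StartName, $svc.State

    if ($isLocalSystem -or -not $Fix) { continue }

    # Win32_Service.Change: the 7th argument is StartName, the 8th is StartPassword.
    # The other arguments are passed as $null so only the logon account is touched;
    # LocalSystem takes an empty password.
    $result = $svc.Change($null, $null, $null, $null, $null, $null, 'LocalSystem', '')
    if ($result.ReturnValue -ne 0) {
        Write-Warning "${computer}: Change() returned $($result.ReturnValue)"
        continue
    }

    # The new logon account only takes effect after the service restarts.
    [void]$svc.StopService()
    Start-Sleep -Seconds 10
    [void]$svc.StartService()
    "{0}: BESClient set to LocalSystem and restarted" -f $computer
}
```

Run it without -Fix first to get a report of the current logon accounts, then rerun with -Fix on the servers that are not already using LocalSystem.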