RunAs a domain admin user

ifreeman 2023-02-13 20:37:14 UTC #1

I’m trying to get this fixlet to run using a domain admin user. Even though I’m putting the password in correctly, I get the following error : Command failed (RunAsLocalUser failed to logon: 1385) wait (action:222350)

Depending on the different ways i have tried to run this, I have also received this error:
Command failed (Override keyword is unknown for this command.) override (action:222340)

Can anyone point me in the right direction for running this as a domain user?

action uses wow64 redirection {not x64 of operating system}

prefetch 97d34a9be17e48bb5f4258515a2f8e23551f89d2 sha1:97d34a9be17e48bb5f4258515a2f8e23551f89d2 size:324 http://BES-VA.[REDACTED]:52311/Uploads/97d34a9be17e48bb5f4258515a2f8e23551f89d2/Oracle12cExport.bat.tmp sha256:14df86c7d8b7117d8a45f618c6e9c422044c60feeab8fbf9a22881aaf5df2432
extract 97d34a9be17e48bb5f4258515a2f8e23551f89d2

override wait
runas=localuser
user=ids\admin
password=required
asadmin=true
wait “{pathname of system folder & “\cmd.exe”}” /Q /C “{(pathname of client folder of current site) & “__Download\Oracle12cExport.bat”}”

JasonWalker 2023-02-13 22:16:32 UTC #2

My post at Tip - Action Override User settings may be helpful, but those options look correct to me (looks like the last example I have on that page).

Error 1385 in particular maps to “The user has not been granted the requested logon type at this computer”, which means the password is correct but the account is not allowed to log on. I’m actually not sure whether we are triggering an Interactive or Batch type logon with our overrides.

Best-practices are that a Domain Admin should not be granted logons to workstations. You might need to check with your AD team to see what account you should use for admin access on workstations, or you may need to set up a new AD account with local Admin rights to the machine.

ifreeman 2023-02-14 13:37:02 UTC #3

Thanks. The batch file that is being run needs to be run as a domain admin. Also, the machines that I need to run this on are servers and not workstations. I am the AD team and this account has local admin rights to all the servers.

I actually used that post that you linked in order to write this fixlet. Great post and very useful information . For now, I will just keep trying different ways to get it to work. At one point the fixlet successfully ran to completion but it did not appear to run the script

JasonWalker 2023-02-14 13:44:06 UTC #4

I’d check the Local Security Policy \ User Rights Assignments on one of the servers, in particular “Allow log on locally”, “Deny log on locally”, “Log on As a batch job”, and “Deny logon as a batch job”.

For testing the security policy, it’s probably easiest to log on to the server with your account, and then use “Run As” to try to launch a command prompt as the service account/admin account that you’re using here - if it’s a security policy issue, that login should be rejected too.

ageorgiev 2023-02-14 13:51:06 UTC #5

As Jason, mentioned what you have seems to be accurate. Here is an example that I have that works:

action uses wow64 redirection {not x64 of operating system}

parameter "PowerShellexe"="{value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of native registry}"

override wait
Hidden=true
Completion=none
runas=localuser
asadmin=true
user=DOMAIN\user
password=required
wait "{parameter "PowerShellexe"}" -executionpolicy bypass -command "cd 'c:\path'; .\script.ps1 parameter1 parameter2"

One thing I would recommend is to test your user locally outside of BigFix. Login to the machine that is erroring with another user, use runas and make sure that the account is ok. Windows permissions are a bit “funny” sometimes - you may have Admin rights but if you attempt to configure a service to run with that account for the first time it still attempts to give the account ability to start services explicitly, so make sure whatever the tool/script you attempt to package does run ok with a different account and then continue with attempts to try to package it… If it’s not working outside of BigFix, you won’t get it working through BigFix…

ifreeman 2023-02-14 21:38:15 UTC #6

Thanks. The account does work outside of Bigfix.

ifreeman 2023-02-14 21:41:07 UTC #7

Thanks for the tip. the user has log on as a batch job and log on locally rights.

ifreeman 2023-02-15 19:27:44 UTC #8

My logon error has been resolved. Now i’m receivng an exit code 1 when trying to run the batch file. do you have any tips for troubleshooting this issue? I can run the batch file manually with no issue. when running the batch file manually, it launches a second command window. Could that be the issue? My new script is shown below:

delete __createfile
delete c:\scripts\12cExport.bat

createfile until __EOF
set ORACLE_SID=dcsdb1
set ORACLE_HOME=C:\oracle\product\12.1.0\dbhome_1
cd C:\oracle\product\12.1.0\dbhome_1\bin
start expdp user/password schemas=dcsdba directory=EXPDIR dumpfile=(IDSPRODP1_011923%U.DMP,IDSPRODP2_011923%U.DMP,IDSPRODP3_011923%U.DMP,IDSPRODP4_011923%U.dmp) logfile=IDSPROD_011923.log FILESIZE=2G PARALLEL=32
__EOF
move __createfile c:\scripts\12cExport.bat

JasonWalker 2023-02-15 19:30:34 UTC #9

Is that a copy/paste error, or did you duplicate “c:\scripts\c:\scripts” on the wait line?

ageorgiev 2023-02-16 08:29:26 UTC #10

You have “c:\scripts” twice in the same path. If that’s how you have it in the actionscript it would cause Exit Code =1 (generally, means incorrect path)

ifreeman 2023-02-16 13:08:36 UTC #11

it’s definitely an error. Thanks! I couldn’t see that to save my life

ifreeman 2023-02-16 13:09:40 UTC #12

Thank you for catching my error! I probably would’ve never noticed it. Fingers crossed it will work once i fix that

ifreeman 2023-02-16 13:18:18 UTC #13

I’m still getting Exit Code1 after correcting the path. Can you see any other silly mistake that might cause this?

delete __createfile
delete c:\scripts\12cExport.bat

createfile until __EOF
set ORACLE_SID=SID
set ORACLE_HOME=C:\oracle\product\12.1.0\dbhome_1
cd C:\oracle\product\12.1.0\dbhome_1\bin
start expdp DB/DBUSER schemas=schema directory=EXPDIR dumpfile=(IDSPRODP1_011923%U.DMP,IDSPRODP2_011923%U.DMP,IDSPRODP3_011923%U.DMP,IDSPRODP4_011923%U.dmp) logfile=IDSPROD_011923.log FILESIZE=2G PARALLEL=32
__EOF
move __createfile c:\scripts\12cExport.bat

ageorgiev 2023-02-16 13:27:01 UTC #14

Actually, I should have caught this last time as well, but just stopped looking as soon as I noticed the path… What are you trying to do with the relevance clause? As you have it it will produce some kind of path with two paths combined that won’t get you anywhere… It will evaluate to something like:

wait c:\windows\system32\cmd.exe /Q /C “C:\Program Files (x86)\BigFix Enterprise\BES Client__BESData\CustomSite_TheSiteNamec:\scripts\12cExport.bat”

If you don’t need the relevance substitution, just remove it:
wait "{pathname of system folder & "\cmd.exe”}" /Q /C "c:\scripts\12cExport.bat"

ifreeman 2023-02-17 15:38:58 UTC #15

Thank you! That worked!

i have another question.

Is there anyway to use this override setting with just 4 dos commands rather than a wait to run a batch files?

for some reason, when we run this with a batch file, it skips two on the exports but when we just run the commands seperately, it exports all 4 exports.

from the documentation that i’ve seen online, it needs to be used with the wait command.

if not, i will try to break this into two batch files to see if it will export all four.

Thanks so much for all your help.

trn 2023-02-17 16:47:58 UTC #16

You can’t just put the commands into actionscript - you need to wait/run/waithidden/runhidden anythng that is external to actinscript, whether that is a batch file, powershell or a Windows executable.

Your set of wait <whatever.exe> would each need the overrides to be declared immediately before

ifreeman 2023-02-17 19:30:15 UTC #17

Thanks for the confirmation