Hey guys,

I'm writing an application that helps me auto-deploy my applications to my Windows Server 2008 machines. As a part of this process, I need to remotely start and stop IIS websites on my 2008 servers from my test machine.

From the scope of my 2008 machine, I'm using:

C:\Windows\System32\inetsrv\appcmd.exe stop site "MyWebsite"

This command does NOT work if I simply run it from the command prompt. The error returned is:

ERROR ( message:The W3SVC service is not available - try starting the service first. )

However, this DOES work if I use the command prompt via "Run as Administrator". That's fine & dandy, but I need to be able to run this from another machine. Using a domain account (that is considered an Administrator), my PsExec command becomes the following from the perspective of my test (non-2008) machine:

"C:\Program Files\PSTools\psexec.exe" \\my2008machine -u domainuser -p password C:\Windows\System32\inetsrv\appcmd.exe stop site "MyWebsite"

PsExec starts, runs, and exits, providing the same error as seen above, just as if I had run this command from the command prompt -without- "Run as Administrator" on my 2008 machine.

Windows Firewall is turned off, I've set a 'LocalAccountTokenFilterPolicy' as suggested elsewhere, and I'm out of ideas. Any idea how to fix this or work around it?

A: 

This issue has been resolved going between machines in the same domain using a domain administrator account (from 2003 R2 --> 2008 R2). This was accomplished by changing UAC settings under the Local Security Policy-->Local Policies-->Security Options. I believe it was a "Run all administrators in Admin Approval mode" setting, and required a reboot.

However, there is still an outstanding issue when crossing the domain boundary: using the same domain administrative user and targeting a 2008 R2 server, PsExec returns an "Access Denied" error.

Dave
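
The UAC settings discussed in this thread are stored as registry values, so their state can be checked before and after a policy change. The script below is an added example, not part of the original posts; it assumes the setting named in the answer is "User Account Control: Run all administrators in Admin Approval Mode" (stored as EnableLUA), and the function name Get-UacTokenPolicy is made up for this example.

```powershell
# Added example: report the UAC values that decide whether an administrator
# session receives a full or a filtered token. Run locally on the 2008 server.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Value name, the default Windows assumes when the value is absent, and meaning.
$settings = @(
    @{ Name = 'EnableLUA'; Default = 1
       Meaning = 'Run all administrators in Admin Approval Mode (0 = UAC off)' },
    @{ Name = 'LocalAccountTokenFilterPolicy'; Default = 0
       Meaning = 'Remote token filtering for local accounts (1 = filtering off)' },
    @{ Name = 'FilterAdministratorToken'; Default = 0
       Meaning = 'Admin Approval Mode for the built-in Administrator (1 = on)' }
)

function Get-UacTokenPolicy {
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    foreach ($s in $settings) {
        $name = $s.Name
        $raw  = $props.$name              # $null when the value is not set
        if ($raw -eq $null) {
            $value  = $s.Default
            $source = 'not set (default)'
        } else {
            $value  = [int]$raw
            $source = 'registry'
        }
        New-Object PSObject -Property @{
            Name        = $name
            Value       = $value
            Source      = $source
            NonDefault  = ($value -ne $s.Default)
            Meaning     = $s.Meaning
        }
    }
}

# EnableLUA = 0 disables UAC machine-wide: every administrator process,
# local or remote, then runs with the full token. A change to EnableLUA
# only takes effect after a reboot, as the answer notes.
Get-UacTokenPolicy |
    Select-Object Name, Value, Source, NonDefault, Meaning |
    Format-Table -AutoSize
```

Rows with NonDefault set to True are the ones to record in the server's change log, since both EnableLUA = 0 and LocalAccountTokenFilterPolicy = 1 widen what a remotely authenticated administrator account can do.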
