0

I am using TFS to kick off PSExec to run an InstallShield process that creates installers. Our TFS build agent runs under the NETWORK SERVICE account.

I run PSExec using the -u -p options, and I am able to run the command and successfully build the installers from a command prompt against the remote machine.

However in TFS, I always get a 2250 error code and the installers don't build.

To isolate the problem, I changed the psexec command to the following...

PsExec.exe -accepteula \\<machine> -u <username> -p <password> xcopy /y c:\temp\testing.bat c:\temp\1.bat

If I run the above from the command line it copies the file. If I run the above from TFS (calling out to the above in a batch file), it fails with 2250.

So to simulate what TFS is doing I...

  1. Started a command prompt with elevated Admin privileges
  2. Issued psexec -i -u "nt authority\network service" cmd.exe
  3. Ran the batch file containing the above xcopy command

So step 2 starts a command prompt using the NETWORK SERVICE account. When I run step 3 from this command prompt, I received the same 2250 error. So this is good b/c now TFS is out of the picture, and I am closer to the real issue.

Just for grins I added NETWORK SERVICE to the remote box's Administrators group. That did not solve the issue.

So here is where I am at...

  1. If I login to the TFS box using a login in the Administrator group, open a command prompt, and run the xcopy command batch file with the -u -p parameters, everything works fine.
  2. If I start a cmd prompt with the NETWORK SERVICE account and run the same batch file as in step 1 I get a 2250 access denied.

So in my mind the issue is clearly related to the NETWORK SERVICE account. Question is how can I get psexec to run with this account?

UPDATE

Here are the dialogs that show the NETWORK_SERVICE account in the Administrators group for and that it has full access to the path (c:\temp).

NETWORK_SERVICE is in the Administrators group

enter image description here

John Livermore
  • 30,235
  • 44
  • 126
  • 216
  • Are you sure the NETWORK_SERVICE account has admin privleges on `` and that it can read and write to `c:\temp`? For your answer, it seems the problem is not `psexec` but the actual `xcopy` – Jcl Dec 01 '14 at 14:28
  • Yes, I am sure. I will update the question with images that show this... – John Livermore Dec 01 '14 at 19:22
  • Bit of a wild guess here, but did you try setting `LocalAccountTokenFilterPolicy` registry value to `1` at `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system` so that you can remotely administer with a local account? – Jcl Dec 01 '14 at 19:50
  • 1
    Error 2250 is ERROR_NOT_CONNECTED, "This network connection does not exist". The kind of rock you have to look under is security software, firewall first. This question belongs at serverfault.com – Hans Passant Dec 04 '14 at 15:16
  • @Jcl Yes, I have that key set to 1. – John Livermore Dec 09 '14 at 04:39

1 Answers1

1

Let's say your two machines are called TFSSERVER and TARGETMACHINE.

The NetworkService on the TFS Server would be seen as the machine account, i.e. DOMAIN\TFSSERVER$, on the TARGETMACHINE. Any accounts in the NT AUTHORITY group are local accounts so it looks like you've just added TARGETMACHINE's network service as an admin, not the TFS machine's network service.

Try adding the TFS machine account to your permissions list and see if it works.

If that doesn't, look at this related question and see if anything there helps you at all: PSEXEC, access denied errors

Community
  • 1
  • 1
Richard Banks
  • 12,456
  • 3
  • 46
  • 62
  • Great suggestion. I was able to add the TFS Server machine account to TARGETMACHINE (Full Control), but still the same error. Is there a way to track on the TARGETMACHINE why access is being denied? – John Livermore Dec 08 '14 at 14:28