PSExec/BatchPatch "Access Denied"


Ken Dibble

unread,
May 2, 2023, 11:34:31 AM5/2/23
to ntsys...@googlegroups.com
I know this is on-topic for PatchManagement but I figure that my
questions are so basic that this might be the better group for them.

I've just started testing BatchPatch in earnest (I bought licenses
and I will be rolling this out here but I'm still getting a feeling
for its real-life capabilities).

The product seems to be essentially a GUI for PSExec. It can do a
huge number of things via that mechanism--in theory.

In practice there seem to be a large number of potential roadblocks
that prevent things from working properly.

The issue I'm having right now is "access denied" when using it to
run its built-in script for installing Windows patches. (Yes, I've
looked at the BatchPatch help forums, which don't specifically
address my situation.)

The minimum requirement is to run BatchPatch under an account that
has local admin privileges on the target machines. I'm using the
built-in local admin account. The options include logging into my
workstation with that account and running BatchPatch as-is; logging
into my workstation with my standard domain user account and running
BatchPatch via "Run as Administrator"; or logging into my workstation
with my standard domain user account, running BatchPatch as is, and
then applying "alternate credentials" within BatchPatch to the
command I want it to execute.

I've been using the first option: logging into workstation as domain
user, running BatchPatch with "Run as Admin".

I ran a patch installation script against 9 target machines under
those conditions. Four of them reported success. The others all said
they couldn't establish the local working directory because "access denied".

So I shut down BatchPatch, then ran it as "other user" with my DA
creds. When I ran the script against the machines that had failed due
to access denied, they all returned "success".

All of these machines are Windows 10 Pro 64-bit, they all have the
same firewall settings, and they are all on the domain and were known
to be online at the time of the test.

Digging into the settings for BatchPatch, it appears that it actually
uses the System account to carry out its tasks once it's on the local machine.

There are recommendations for establishing a specific registry DWORD
on the target machines, and I haven't done that. These
recommendations seem to be standard for people having PSExec issues,
not just BatchPatch. But BatchPatch claims I "must" do this, yet the
command works on several machines without it, so I doubt I actually
"must". These machines just aren't that different from each other for
that to be the explanation.

So I have lots to learn here, but my first question is:

What possible things can cause this PSExec script to fail on some
machines when run with local admin creds but succeed when run as DA?

Thanks.

Ken Dibble
www.stic-cil.org

Wright, John M

unread,
May 2, 2023, 1:02:41 PM5/2/23
to ntsys...@googlegroups.com
This article mentions that there could be issues depending on disparity of Windows versions between the target machine and the machine running batchpatch: https://batchpatch.com/troubleshooting-common-errors-in-batchpatch

Is there a difference of version among the targeted PCs?

"Another rare case of ‘Access is denied’ can occur if your BatchPatch instance is running on a Windows version that is patched to a date *prior* to November 2021 but your target computers are patched to a date of June 2022 or newer. See here for more details on that issue."


--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/64512d86.050a0220.47003.13c0SMTPIN_ADDED_MISSING%40gmr-mx.google.com.

Micheal Espinola

unread,
May 2, 2023, 1:35:03 PM5/2/23
to ntsys...@googlegroups.com
> I ran a patch installation script against 9 target machines under
> those conditions. Four of them reported success. The others all said
> they couldn't establish the local working directory because "access denied".

Have you checked perms relating to the "working directory" ?



--
Espi

Melvin Backus

unread,
May 2, 2023, 2:02:43 PM5/2/23
to ntsys...@googlegroups.com
Just in case it's something more basic and not really related to BatchPatch, have you tried running psexec directly to connect to those machines?

--
There are 10 kinds of people in the world...
         those who understand binary and those who don't.

¯\_(ツ)_/¯


Ken Dibble

unread,
May 3, 2023, 10:25:44 AM5/3/23
to ntsys...@googlegroups.com
At 01:34 PM 5/2/2023, Michael Espinola wrote:
> I ran a patch installation script against 9 target machines under
> those conditions. Four of them reported success. The others all said
> they couldn't establish the local working directory because "access denied".
>
> Have you checked perms relating to the "working directory" ?

By default BatchPatch creates its own working directory: C:\Program Files\BatchPatch, and then adds a \Temp to that. All target machines have the OS installed to C: and therefore have C:\Program Files. (I think it may also remove that location after it completes its task(s), but I haven't verified that.) Both the default local admin account and the System account have full perms to that location, so this should not be an issue. It works on some machines and not on others, but the machines' configurations are the same.

Yes, it's counter-intuitive because theoretically Windows is not supposed to let software write to anything inside C:\Program Files, but obviously there are exceptions and this is one of them.

Ken Dibble
www.stic-cil.org

Ken Dibble

unread,
May 3, 2023, 10:57:27 AM5/3/23
to ntsys...@googlegroups.com
Unfortunately, not easy to check in my environment. (Idiotically,
there is no built-in way to get the Windows Build number in
ConnectWise Automate or Control, and I don't have the kind of access
to that system that I'd need to build a custom script.)

However, I was able to check one of the offending machines manually
and it is patched to March 2023 (as is the workstation I ran
BatchPatch on). I doubt there's going to be such a wide discrepancy
between CU dates on any of the machines here, so I don't think this
is the issue.

In any case, if a broad discrepancy between CU versions can cause
this, then why does it only happen when using a local admin account,
and not when using my DA account to run BatchPatch?

Thanks.

Ken Dibble
www.stic-cil.org

Ken Dibble

unread,
May 3, 2023, 11:17:01 AM5/3/23
to ntsys...@googlegroups.com
Apparently it is more basic.

I tried running an ipconfig command via psexec
against one of the offending machines.

I ran cmd as local admin and issued psexec \\MACHINE ipconfig.

I got "access denied"

I ran cmd as DA and tried it again, and it worked.

So what does that tell us?

The question is still, what is it about the DA
account that is different in this regard from the
local admin account, but only on some machines?

Thanks.

Ken Dibble
www.stic-cil.org

At 02:02 PM 5/2/2023, Melvin Backus wrote:
>Just in case it's something more basic and not
>really related to BatchPatch, have you tried
>running psexec directly to connect to those machines?
>
>--
>There are 10 kinds of people in the world...
> those who understand binary and those who don't.
>
>¯\_(ツ)_/¯

paul.ra...@gmail.com

unread,
May 3, 2023, 11:24:09 AM5/3/23
to ntsys...@googlegroups.com
Remote UAC enabled ?

https://www.brandonmartinez.com/2013/04/24/resolve-access-is-denied-using-psexec-with-a-local-admin-account/

the AdminArsenal link he credits with the solution has moved to

https://help.pdq.com/hc/en-us/articles/220533007-Can-t-access-ADMIN-share-using-a-local-user-or-LAPS-account

Paul.

Sharon Tirosh

unread,
May 3, 2023, 11:31:09 AM5/3/23
to ntsys...@googlegroups.com
Run rsop.msc as the local admin and as the domain admin and compare.

Sharon


Melvin Backus

unread,
May 3, 2023, 11:43:37 AM5/3/23
to ntsys...@googlegroups.com
If you're running that as the local admin account on your workstation then that account has no rights on any other machine, unless you've specifically granted them.

--
There are 10 kinds of people in the world...
         those who understand binary and those who don't.

¯\_(ツ)_/¯


Ken Dibble

unread,
May 3, 2023, 11:51:44 AM5/3/23
to ntsys...@googlegroups.com
Yes, it's related to this, I think.

Actually, what BatchPatch recommends is this:

"If the local account you are using to run BatchPatch is THE built-in administrator account on the target computers, the following registry DWORD must be set to 0 on the target computers. If the DWORD does not exist, then you must create it. When this DWORD is set to 0, the built-in administrator account is set to full-token mode, and BatchPatch will work properly. However, if it’s set to 1, the built-in administrator account is put in admin-approval mode, which will prevent most BatchPatch actions from completing successfully for those target computers:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\FilterAdministratorToken"

All of my test-only workstations do NOT have that DWORD at all, and they all worked when running the command as local admin. So "If the DWORD does not exist, then you must create it" is not accurate. That's why I initially rejected this as a solution in my original post.

However, on the one production machine that failed with local admin that I'm currently able to test on, that DWORD DID exist and was set to 1. I set it to 0, rebooted, and was then able to run the psexec ipconfig command as local admin.

So the correct caveat seems to be, if the DWORD DOES exist, it must be set to 0 and not 1.

So why would this DWORD exist on some machines but not others? What purpose does it serve in other contexts? (I know, the context is trying to run remote commands as local admin, but under what circumstances would this DWORD be created and set to cause such attempts to fail, and only on some machines? Remember--this is a small shop; there are only two IT people here who would be capable of doing this, and we don't have any GPOs deliberately set up to govern this sort of thing.)

(As regards the linked Brandon Martinez article: He recommends a DWORD called LocalAccountTokenFilterPolicy. According to BatchPatch, that only applies if you are using a custom local admin account, not the built-in one, as I am doing.)

I suppose I now have a workable solution, though it's gonna be tedious resetting that DWORD on a bunch of machines where it exists.

Thanks everyone!

Ken Dibble
www.stic-cil.org


Ken Dibble

unread,
May 3, 2023, 11:55:54 AM5/3/23
to ntsys...@googlegroups.com
It does if it's a local admin account that exists
on all machines and has the same password on all
of them. If that were not the case, this would
have failed on 100% of machines, but that did not happen.

Such an arrangement is a requirement for using
BatchPatch if you don't want to run it as DA.

Ken Dibble
www.stic-cil.org

At 11:43 AM 5/3/2023, Melvin Backus wrote:
>If you're running that as the local admin
>account on your workstation then that account
>has no rights on any other machine, unless you've specifically granted them.
>
>--
>There are 10 kinds of people in the world...
> those who understand binary and those who don't.

Jim Kennedy

unread,
May 3, 2023, 11:59:08 AM5/3/23
to ntsys...@googlegroups.com

That reg key change just turned off UAC for the built-in administrator account. I would not do that.

Create a new standard user domain account, add it to the local admin group on all the machines via GPO. Make it a very strong password.

 


Jim Kennedy

unread,
May 3, 2023, 12:00:01 PM5/3/23
to ntsys...@googlegroups.com
So after this project, I would suggest looking into LAPS so that you don't have the same local admin password on all your machines.


Ken Dibble

unread,
May 3, 2023, 12:17:56 PM5/3/23
to ntsys...@googlegroups.com
"So after this project, I would suggest looking into LAPS so that you don't have the same local admin password on all your machines."

I knew that was going to be coming. :-)

Here's the thing on that: If I'm going to have permanent identical local admin accounts on all machines, why bother doing that? Truly, it's not that much of a stretch to go from getting the single PWD for the built-in local admin account to getting the name of the custom local admin account and then getting its single PWD. I'd be willing to bet some significant money that any criminal who is equipped to do the former will quite easily be able to do the latter.

I sincerely doubt LAPS would be worth the effort under these circumstances.

In any case, if I go the custom account route, then BatchPatch says I STILL have to have a DWORD that does the same thing for that account or it's not going to work. Right? It's probably also a requirement to use bare psexec with the same account, right? It's:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy

And it must be set to 1.

According to MS, that disables UAC:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/user-account-control-and-remote-restriction

Ken Dibble
www.stic-cil.org


Ken Dibble

unread,
May 3, 2023, 12:21:20 PM5/3/23
to ntsys...@googlegroups.com
At 11:59 AM 5/3/2023, Jim Kennedy wrote:

> That reg key change just turned off UAC for the built in administrator account. I would not do that.

Yes, but why does that DWORD need to exist at all, whether it's set to 0 or 1?

As I said, I can do this with local admin if the DWORD does NOT exist on the target machine.

I only need to set it to 0 if it exists to make this work.

Ken Dibble
www.stic-cil.org

 


Wright, John M

unread,
May 3, 2023, 12:24:11 PM5/3/23
to ntsys...@googlegroups.com

It should be easy to deploy the registry change to all the workstations via GPO. You can use these instructions to browse to the relevant key on a machine with the right setting to create the GPO: Deploy A Registry Key Using Group Policy (kapilarya.com)

 

--

John Wright

IT Support Specialist

Kurt Buff

unread,
May 3, 2023, 12:58:18 PM5/3/23
to ntsys...@googlegroups.com
+1000

It's going to be a bit of a weird transition to move from legacy LAPS
to Windows LAPS, but once it's in place it will be very, very sweet.

Kurt

Ken Dibble

unread,
May 3, 2023, 1:10:23 PM5/3/23
to ntsys...@googlegroups.com
At 12:24 PM 5/3/2023, Wright, John M wrote:

> It should be easy to deploy the registry change to all the workstations via GPO. You can use these instructions to browse to the relevant key on a machine with the right setting to create the GPO: Deploy A Registry Key Using Group Policy (kapilarya.com)

Thank you!

Presumably that would be a one-size-fits all thing, whereby the DWORD gets created on machines where it doesn't exist. Since I don't need the DWORD to exist--I only need to set it to 0 if it does exist--that concerns me a little bit.

So before I do that I'd like to understand, if anybody can tell me, why that key already exists on some machines and not others--assuming they're all running a pretty recent CU of the same FU.

Thanks.

Ken Dibble
www.stic-cil.org
 

 


Shawn K. Hall

unread,
May 3, 2023, 1:15:34 PM5/3/23
to ntsys...@googlegroups.com
If you're using ConnectWise Control you can just add the registry key on
all of the target machines by selecting them then running the following
command on the Commands tab:

===
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system" /v FilterAdministratorToken /t reg_dword /d 0 /f
===

The "/f" means "force", aka, skip the warning about editing the
registry. In other words, non-interactive.


If you'd rather investigate and see what the values for this key are
across your fleet just run:

===
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system" /v FilterAdministratorToken
===

You will likely receive a lot of errors because the value hasn't been
assigned on most devices. That's okay. It just means that the behavior
is defaulting to the "0" and not the "1". It's the 1's you have to worry
about.

Why does it exist on some machines? You probably installed a security
app or hardening platform on these specific machines at some point that
is trying to ensure that it is more secure. Registry edits tend to stay
forever so even installing an app for 30 seconds to try it out will
leave some of the changes there when it's removed.

I just ran it against my fleet and only two machines had the "1"
assigned. Both had McAfee AV installed about a year ago.

-S

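
The two values this thread keeps coming back to (FilterAdministratorToken in Ken's posts and Shawn's reg query, LocalAccountTokenFilterPolicy in Ken's later post), as a read-only fleet audit in PowerShell. This is an added example, not from the thread, BatchPatch or ConnectWise: it reads EnableLUA, FilterAdministratorToken and LocalAccountTokenFilterPolicy from each target over PowerShell Remoting, treats an absent value as its documented default, and reports how a remote logon by the built-in Administrator or by another local admin will be treated. It assumes WinRM is enabled on the targets and that the caller already has admin rights there; the host names at the bottom are placeholders.

```powershell
# Added example, not part of the thread: read-only audit of the UAC
# remote-restriction values discussed above. Assumes PowerShell Remoting (WinRM)
# is enabled on the targets and the caller is an admin there.
function Get-UacRemoteRestrictionState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [pscredential]$Credential
    )

    # Runs on each target: read the three values; a missing value comes back as $null
    $remote = {
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            EnableLUA                     = $p.EnableLUA
            FilterAdministratorToken      = $p.FilterAdministratorToken
            LocalAccountTokenFilterPolicy = $p.LocalAccountTokenFilterPolicy
        }
    }

    $splat = @{
        ComputerName  = $ComputerName
        ScriptBlock   = $remote
        ErrorAction   = 'SilentlyContinue'
        ErrorVariable = 'remotingErrors'
    }
    if ($Credential) { $splat.Credential = $Credential }
    $raw = Invoke-Command @splat

    foreach ($r in $raw) {
        # Defaults when a value is absent (per Microsoft's UAC remote-restriction
        # article linked in the thread): EnableLUA behaves as 1, the other two as 0.
        $lua   = if ($null -eq $r.EnableLUA) { 1 } else { [int]$r.EnableLUA }
        $fat   = if ($null -eq $r.FilterAdministratorToken) { 0 } else { [int]$r.FilterAdministratorToken }
        $latfp = if ($null -eq $r.LocalAccountTokenFilterPolicy) { 0 } else { [int]$r.LocalAccountTokenFilterPolicy }

        # Built-in Administrator (RID 500): FilterAdministratorToken=1 puts it in
        # admin-approval mode, so its network token is filtered -> "Access is denied".
        # Other local admins: filtered unless LocalAccountTokenFilterPolicy=1.
        # With EnableLUA=0 there is no token filtering at all (UAC off entirely).
        if ($lua -eq 0) {
            $builtIn = 'Full token (UAC off)'
            $others  = 'Full token (UAC off)'
        } else {
            $builtIn = if ($fat -eq 1) { 'Filtered token (remote admin denied)' } else { 'Full token' }
            $others  = if ($latfp -eq 1) { 'Full token (remote restriction disabled)' } else { 'Filtered token (remote admin denied)' }
        }

        [pscustomobject]@{
            ComputerName                  = $r.PSComputerName
            EnableLUA                     = if ($null -eq $r.EnableLUA) { '(absent)' } else { $lua }
            FilterAdministratorToken      = if ($null -eq $r.FilterAdministratorToken) { '(absent)' } else { $fat }
            LocalAccountTokenFilterPolicy = if ($null -eq $r.LocalAccountTokenFilterPolicy) { '(absent)' } else { $latfp }
            BuiltInAdminOverNetwork       = $builtIn
            OtherLocalAdminsOverNetwork   = $others
        }
    }

    # Unreachable hosts (WinRM off, firewall, name resolution) end up here, not as rows
    foreach ($e in $remotingErrors) { Write-Warning $e.ToString() }
}

# Placeholder host names; the CSV is a baseline you can diff after any change
$audit = Get-UacRemoteRestrictionState -ComputerName 'PC-01', 'PC-02'
$audit | Format-Table -AutoSize
$audit | Export-Csv -Path .\uac-remote-audit.csv -NoTypeInformation
```

Machines that show "(absent)" for FilterAdministratorToken are the ones that worked for Ken without any change; the rows with a 1 are the ones to look at, and the EnableLUA column tells you whether a host has UAC switched off altogether.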

Ken Dibble

unread,
May 3, 2023, 1:33:34 PM5/3/23
to ntsys...@googlegroups.com
Oooh. That's useful. Doesn't seem to be a way to
run it as a batch against all online machines at
once, though--or, at least, not and get results
for all of them. (There's probably a way to do it
but I don't have the correct perms for it. As a
customer of an MSP that hosts Control, I have limited access.)

Thank you very much!

Ken Dibble
www.stic-cil.org

Shawn K. Hall

unread,
May 3, 2023, 2:34:04 PM5/3/23
to ntsys...@googlegroups.com
Unfortunately, no. You have three options:

1) Long and tedious: Scroll through and select each of them in turn

2) Fast, but requires shell access to the host: Open the database where the active content is stored (defaults to SQLite) and run the following on the "execute SQL" tab (note that we use CustomProperty8 to store the GUID of each session):

SELECT Session.Name,Session.CustomProperty8,SessionConnectionEvent.EventType AS t,SessionConnectionEvent.Data AS d
FROM Session
INNER JOIN SessionConnectionEvent ON Session.SessionID = SessionConnectionEvent.SessionID
WHERE (t='70' AND d LIKE '%FilterAdministratorToken%')
ORDER BY Session.Name ASC


3) Fast and uses your own database, but has to be setup in advance: Use the triggers feature to redirect output elsewhere where you store it in a database. We use a trigger to push everything to a MariaDB so we can perform global search across all machines. You can use pretty much the same SQL as above (if the fields are named the same) but since the GUID is included in the trigger you can record that to the same record in your private database so you could trim it down to this:

SELECT `GUID`,`MachineName`,`EventType`,`Data`
FROM `SessionConnectionEvent`
WHERE (`EventType`='RanCommand' AND `Data` LIKE '%FilterAdministratorToken%')
ORDER BY `MachineName` ASC

Once your database is pretty large you will want to add a date filter on there, too.
DATE(`Timestamp`)='2023-05-03'

The new database and trigger and processing gateway will all need to be created first, of course. I don't know if that is within the scope of this list.

Melvin Backus

unread,
May 3, 2023, 2:36:05 PM5/3/23
to ntsys...@googlegroups.com

I can’t answer the why question, however if you set the registry key as a preference you can use targeting to prevent it from being applied if the key does/doesn’t exist so it can selectively do your bidding.

--
There are 10 kinds of people in the world...
         those who understand binary and those who don't.

¯\_(ツ)_/¯


Ken Dibble

unread,
May 3, 2023, 2:49:26 PM5/3/23
to ntsys...@googlegroups.com
I don't have access to the database at all.

This will likely be useful if I decide to request
that this be done for me by the MSP, as I have a
strong suspicion they wouldn't be able to figure it out for themselves. *sigh*

Thank you again!

Ken Dibble
www.stic-cil.org
