What are the user permissions required for a batch file to launch an executable in Server 2008 R2?
Folks,
This is more sanity checking than anything.
The challenge is simple. I want a batch file to FTP files from a server to an FTP site.
This is proving difficult to achieve.
I have a batch file that launches an executable (WINSCP.com); WINSCP does the uploading.
Running this as Administrator either via the console by double-clicking the BAT file or running from the Command line is no problem. It all works.
I fail when I try to use a minimum privilege user account.
The account has "Log on as Batch" via Secpol and is granted full rights to all the directories and executables involved in the script.
However my suspicion is that when WINSCP.com is launched the user execution context is lost and WINSCP.com doesn't know what user it's supposed to be executing as OR some other factor I'm failing to grasp.
To test this I created a very simple BAT file containing only the following line:
dir c:\Temp\*.* >c:\temp\testlog.txt
I then execute the BAT file in the following way from the CMD to test:
C:\Users\Administrator>runas /profile /user:DOMAIN\LeastPrivAppAccount ""C:\Demo\Simple.bat" >C:\Temp\log.txt"
The Batch file executes cleanly and does the DIR dump. So the ability for the account to launch a BAT file is proven.
When I put WINSCP.com in the batch file WINSCP.com is launched but fails with write errors to log files and actually doesn't start the upload.
However if I change the execution account to Administrator WINSCP runs and performs the FTP task as required.
This is the captured log from the CMD window, as WINSCP doesn't even get a chance to run:
C:\Windows\system32>"C:\Program Files (x86)\WinSCP\WinSCP.com" /log=WinSCP.log /ini=nul /command "open ftp://<FTP_ADDRESS_OBSCURED>/" "option confirm off" "put ""C:\FILE\ACCESS.ACCDB"" /TestOutput/" "put ""C:\FILE\EXCEL.xlsx"" /TestOutput/" "exit"
Error occurred during logging. It's been turned off.
Can't open log file 'WinSCP.log'.
System Error. Code: 5.
Access is denied
Connecting to <FTP_ADDRESS_OBSCURED> ...
Connected
Starting the session...
Session started.
Active session: [1] <FTP_ADDRESS_OBSCURED>
Does anyone have any clues about what is going wrong here?
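Added example, not part of the original post: in the captured output the prompt is C:\Windows\system32 and /log=WinSCP.log is a relative path, so WinSCP tries to create its log in the current directory, which a standard account cannot write to (System Error 5). The batch file below is a diagnostic sketch that records the identity and working directory, checks that the log directory is writable, and then runs the same WinSCP command with an absolute log path. LOGDIR (C:\Temp) and the probe file name are assumptions.

```batch
@echo off
setlocal
rem Added example, not the poster's script.
rem LOGDIR is an assumed directory the least-privilege account can write to.
set "LOGDIR=C:\Temp"
set "WINSCP=C:\Program Files (x86)\WinSCP\WinSCP.com"
set "PROBE=%LOGDIR%\write-probe-%RANDOM%.tmp"

rem Record who is running and from where.
rem A relative /log= path is resolved against the working directory.
echo Running as:
whoami
echo Working directory: %CD%

rem Stop early if this account cannot create a file in LOGDIR.
echo probe > "%PROBE%"
if not exist "%PROBE%" (
    echo ERROR: cannot write to %LOGDIR% as this account.
    exit /b 2
)
del "%PROBE%"

rem Same WinSCP command as in the question; only /log= is now absolute.
"%WINSCP%" /log="%LOGDIR%\WinSCP.log" /ini=nul /command ^
    "open ftp://<FTP_ADDRESS_OBSCURED>/" ^
    "option confirm off" ^
    "put ""C:\FILE\ACCESS.ACCDB"" /TestOutput/" ^
    "put ""C:\FILE\EXCEL.xlsx"" /TestOutput/" ^
    "exit"

rem WinSCP.com returns 0 on success and 1 on error.
if errorlevel 1 (
    echo ERROR: WinSCP failed, see %LOGDIR%\WinSCP.log
    exit /b 1
)
echo Upload finished.
endlocal
```

With the log written to a location the account owns, the session log shows what happens after "Active session" instead of being switched off at startup.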