Click here to get back home

Administrators account fails on "copy" using C$ share
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
Administrators account fails on "copy" using C$ share John Grandy 07-11-2005
Posted by John Grandy on July 11, 2005, 7:17 pm
Please log in for more thread options
 I am using Windows XP Pro SP2 machine (not a domain member) to Remote
Desktop (RD) into a Windows 2003 Server Enterprise Edition ("Server1") that
belongs to a domain.

The RD session is established under a domain account that I have added to
the local Administrators group of the server I am RD'ing into.

Within the RD session, I am running a .BAT file located on Server1 that uses
the copy command as follows:

copy /y \Server2\c$\Folder1\SubFolder1\*.* c:\FolderX


This copy file command fails with an "Access Denied" error.

Why would my RD login account not have access to the administrative C$ share
?

I can make "\Machine1\c$\Folder1\" into a shared network drive (and alter
my .BAT file accordingly) but I want to avoid the use of shared network
drives in automated scheduled processes.








Posted by Steven L Umbach on July 12, 2005, 1:10 am
Please log in for more thread options
 Check to see if it happens if the remote user logs into a local account that
is in the administrators group and verify that administrators have full
control to the source and destination folder. --- Steve


"John Grandy" <johnagrandy-at-yahoo-dot-com> wrote in message
>I am using Windows XP Pro SP2 machine (not a domain member) to Remote
>Desktop (RD) into a Windows 2003 Server Enterprise Edition ("Server1") that
>belongs to a domain.
>
> The RD session is established under a domain account that I have added to
> the local Administrators group of the server I am RD'ing into.
>
> Within the RD session, I am running a .BAT file located on Server1 that
> uses the copy command as follows:
>
> copy /y \Server2\c$\Folder1\SubFolder1\*.* c:\FolderX
>
>
> This copy file command fails with an "Access Denied" error.
>
> Why would my RD login account not have access to the administrative C$
> share ?
>
> I can make "\Machine1\c$\Folder1\" into a shared network drive (and alter
> my .BAT file accordingly) but I want to avoid the use of shared network
> drives in automated scheduled processes.
>
>
>
>
>
>




Posted by John Grandy on July 12, 2005, 9:25 am
Please log in for more thread options
Hi Steve, and thanks for the response.

Yes ... this is the second part of the puzzle. If I RD into Server1 using
the Server1's local Administrator account, then the file-copy from Server2
to Server1 works fine.

However, I am then unable to use InstallUtil.exe to de-install a .NET-coded
Windows Service that makes use of MSMQ. "InstallUtil.exe /u <service-name>"
fails because it can not delete the message queues.

Currently, I am logging into Server1 under the domain account under which
the .NET-coded Windows Service runs -- this was necessitated by the
"InstallUtil.exe /u" problem.



> Check to see if it happens if the remote user logs into a local account
> that is in the administrators group and verify that administrators have
> full control to the source and destination folder. --- Steve
>
>
> "John Grandy" <johnagrandy-at-yahoo-dot-com> wrote in message
>>I am using Windows XP Pro SP2 machine (not a domain member) to Remote
>>Desktop (RD) into a Windows 2003 Server Enterprise Edition ("Server1")
>>that belongs to a domain.
>>
>> The RD session is established under a domain account that I have added to
>> the local Administrators group of the server I am RD'ing into.
>>
>> Within the RD session, I am running a .BAT file located on Server1 that
>> uses the copy command as follows:
>>
>> copy /y \Server2\c$\Folder1\SubFolder1\*.* c:\FolderX
>>
>>
>> This copy file command fails with an "Access Denied" error.
>>
>> Why would my RD login account not have access to the administrative C$
>> share ?
>>
>> I can make "\Machine1\c$\Folder1\" into a shared network drive (and
>> alter my .BAT file accordingly) but I want to avoid the use of shared
>> network drives in automated scheduled processes.
>>
>>
>>
>>
>>
>>
>
>




Posted by Steven L Umbach on July 12, 2005, 12:21 pm
Please log in for more thread options
Hmm. A couple of other things to try. Run the support tool netdiag on the
computer to make sure there are no problems with dns, dc discovery, secure
channel/trust, etc. that may cause a problem using a domain account. The
other thing I would try is to enable auditing of privilege use for failure
on the server via Local Security Policy [secpol.msc] to see if that shows
anything pertinent in the security log. SysInternals makes a neat free
utility called filemon that may also be helpful by looking in the log of
filemon for "access denied" entries and the associated file. It is possible
that somewhere there are rights/permissions for administrator but not
administrators. --- Steve

http://www.sysinternals.com/

"John Grandy" <johnagrandy-at-yahoo-dot-com> wrote in message
> Hi Steve, and thanks for the response.
>
> Yes ... this is the second part of the puzzle. If I RD into Server1 using
> the Server1's local Administrator account, then the file-copy from
> Server2 to Server1 works fine.
>
> However, I am then unable to use InstallUtil.exe to de-install a
> .NET-coded Windows Service that makes use of MSMQ. "InstallUtil.exe /u
> <service-name>" fails because it can not delete the message queues.
>
> Currently, I am logging into Server1 under the domain account under which
> the .NET-coded Windows Service runs -- this was necessitated by the
> "InstallUtil.exe /u" problem.
>
>
>
>> Check to see if it happens if the remote user logs into a local account
>> that is in the administrators group and verify that administrators have
>> full control to the source and destination folder. --- Steve
>>
>>
>> "John Grandy" <johnagrandy-at-yahoo-dot-com> wrote in message
>>>I am using Windows XP Pro SP2 machine (not a domain member) to Remote
>>>Desktop (RD) into a Windows 2003 Server Enterprise Edition ("Server1")
>>>that belongs to a domain.
>>>
>>> The RD session is established under a domain account that I have added
>>> to the local Administrators group of the server I am RD'ing into.
>>>
>>> Within the RD session, I am running a .BAT file located on Server1 that
>>> uses the copy command as follows:
>>>
>>> copy /y \Server2\c$\Folder1\SubFolder1\*.* c:\FolderX
>>>
>>>
>>> This copy file command fails with an "Access Denied" error.
>>>
>>> Why would my RD login account not have access to the administrative C$
>>> share ?
>>>
>>> I can make "\Machine1\c$\Folder1\" into a shared network drive (and
>>> alter my .BAT file accordingly) but I want to avoid the use of shared
>>> network drives in automated scheduled processes.
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>
>




Posted by John Grandy on July 12, 2005, 6:42 pm
Please log in for more thread options
Here is the output from netdiag run on the machine ("Server1" = I am running
the .bat file on (I had to change the IPs and machine names for reasons of
confidentiality ) :


.......................................

Computer Name: SERVER1
DNS Host Name: SERVER1.DOMAIN1.local
System info : Windows 2000 Server (Build 3790)
Processor : x86 Family 15 Model 4 Stepping 1, GenuineIntel
List of installed hotfixes :
KB819696
KB823182
KB823353
KB823559
KB824105
KB824151
KB825119
KB828035
KB828741
KB833987
KB835732
KB837001
KB839643
KB839645
KB840315
KB840374
KB840987
KB841356
KB841533
KB842773
KB867282
KB867460
KB867482
KB871250
KB873333
KB873376
KB885250
KB885834
KB885835
KB885836
KB886903
KB888113
KB890047
KB890175
KB890859
KB890923
KB891711
KB891781
KB893066
KB893086
KB893803
KB893803v2
MSIT Smart Card Providers
Q147222
Q828026


Netcard queries test . . . . . . . : Passed



Per interface results:

Adapter : DTAP

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : SERVER1
IP Address . . . . . . . . : mmm.nnn.148.8
Subnet Mask. . . . . . . . : 255.255.255.224
Default Gateway. . . . . . : mmm.nnn.148.1
Dns Servers. . . . . . . . : mmm.nnn.1.7
mmm.nnn.1.240


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03>
'Messenger Service', <20> 'WINS' names is missing.
No remote names have been found.

WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.

Adapter : DOMAIN1 (Private Network)

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : SERVER1
IP Address . . . . . . . . : 20.1.1.7
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . :
Dns Servers. . . . . . . . : 20.1.1.1


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Skipped
[WARNING] No gateways defined for this adapter.

NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03>
'Messenger Service', <20> 'WINS' names is missing.

WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_
NetBT_Tcpip_
2 NetBt transports currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation
Service', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
[WARNING] Cannot find a primary authoritative DNS server for the
name
'SERVER1.DOMAIN1.local.'. [RCODE_SERVER_FAILURE]
The name 'SERVER1.DOMAIN1.local.' may not be registered in DNS.


Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_
NetBT_Tcpip_
The redir is bound to 2 NetBt transports.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_
NetBT_Tcpip_
The browser is bound to 2 NetBt transports.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Passed
Secure channel for domain 'DOMAIN1' is to
'\DOMAINCONTROLLER1.DOMAIN1.local'.


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully





> Hmm. A couple of other things to try. Run the support tool netdiag on the
> computer to make sure there are no problems with dns, dc discovery, secure
> channel/trust, etc. that may cause a problem using a domain account. The
> other thing I would try is to enable auditing of privilege use for failure
> on the server via Local Security Policy [secpol.msc] to see if that shows
> anything pertinent in the security log. SysInternals makes a neat free
> utility called filemon that may also be helpful by looking in the log of
> filemon for "access denied" entries and the associated file. It is
> possible that somewhere there are rights/permissions for administrator but
> not administrators. --- Steve
>
> http://www.sysinternals.com/
>
> "John Grandy" <johnagrandy-at-yahoo-dot-com> wrote in message
>> Hi Steve, and thanks for the response.
>>
>> Yes ... this is the second part of the puzzle. If I RD into Server1
>> using the Server1's local Administrator account, then the file-copy from
>> Server2 to Server1 works fine.
>>
>> However, I am then unable to use InstallUtil.exe to de-install a
>> .NET-coded Windows Service that makes use of MSMQ. "InstallUtil.exe /u
>> <service-name>" fails because it can not delete the message queues.
>>
>> Currently, I am logging into Server1 under the domain account under which
>> the .NET-coded Windows Service runs -- this was necessitated by the
>> "InstallUtil.exe /u" problem.
>>
>>
>>
>>> Check to see if it happens if the remote user logs into a local account
>>> that is in the administrators group and verify that administrators have
>>> full control to the source and destination folder. --- Steve
>>>
>>>
>>> "John Grandy" <johnagrandy-at-yahoo-dot-com> wrote in message
>>>>I am using Windows XP Pro SP2 machine (not a domain member) to Remote
>>>>Desktop (RD) into a Windows 2003 Server Enterprise Edition ("Server1")
>>>>that belongs to a domain.
>>>>
>>>> The RD session is established under a domain account that I have added
>>>> to the local Administrators group of the server I am RD'ing into.
>>>>
>>>> Within the RD session, I am running a .BAT file located on Server1 that
>>>> uses the copy command as follows:
>>>>
>>>> copy /y \Server2\c$\Folder1\SubFolder1\*.* c:\FolderX
>>>>
>>>>
>>>> This copy file command fails with an "Access Denied" error.
>>>>
>>>> Why would my RD login account not have access to the administrative C$
>>>> share ?
>>>>
>>>> I can make "\Machine1\c$\Folder1\" into a shared network drive (and
>>>> alter my .BAT file accordingly) but I want to avoid the use of shared
>>>> network drives in automated scheduled processes.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>




Similar ThreadsPosted
save files from MAC to a windows share fails April 11, 2008, 3:46 pm
Share file, but dont allow copy May 15, 2006, 1:05 pm
How protect Administrators account and passwords June 7, 2007, 9:31 am
Re-Enabling Local Administrators Account July 3, 2008, 2:37 am
Is local system account member of local Administrators group? June 21, 2005, 11:33 am
Windows Explorer changes user account during connection to share folder February 15, 2006, 5:49 am
Copy all ACLs from one folder to copy February 21, 2008, 2:46 am
Autoenrollment Fails September 16, 2007, 3:48 pm
LsaRetrievePrivateData fails with STATUS_UNKNOWN_REVISION August 16, 2006, 12:14 am
telnet to port 443 fails March 1, 2007, 11:51 am

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap