Can't run PSExec using NETWORK SERVICE account

John Livermore picture John Livermore · Nov 25, 2014 · Viewed 7k times · Source

I am using TFS to kick off PSExec to run an InstallShield process that creates installers. Our TFS build agent runs under the NETWORK SERVICE account.

I run PSExec using the -u -p options, and I am able to run the command and successfully build the installers from a command prompt against the remote machine.

However in TFS, I always get a 2250 error code and the installers don't build.

To isolate the problem, I changed the psexec command to the following...

PsExec.exe -accepteula \\<machine> -u <username> -p <password> xcopy /y c:\temp\testing.bat c:\temp\1.bat

If I run the above from the command line it copies the file. If I run the above from TFS (calling out to the above in a batch file), it fails with 2250.

So to simulate what TFS is doing I...

  1. Started a command prompt with elevated Admin privileges
  2. Issued psexec -i -u "nt authority\network service" cmd.exe
  3. Ran the batch file containing the above xcopy command

So step 2 starts a command prompt using the NETWORK SERVICE account. When I run step 3 from this command prompt, I received the same 2250 error. So this is good b/c now TFS is out of the picture, and I am closer to the real issue.

Just for grins I added NETWORK SERVICE to the remote box's Administrators group. That did not solve the issue.

So here is where I am at...

  1. If I login to the TFS box using a login in the Administrator group, open a command prompt, and run the xcopy command batch file with the -u -p parameters, everything works fine.
  2. If I start a cmd prompt with the NETWORK SERVICE account and run the same batch file as in step 1 I get a 2250 access denied.

So in my mind the issue is clearly related to the NETWORK SERVICE account. Question is how can I get psexec to run with this account?

UPDATE

Here are the dialogs that show the NETWORK_SERVICE account in the Administrators group for and that it has full access to the path (c:\temp).

NETWORK_SERVICE is in the Administrators group

enter image description here

Answer

Richard Banks picture Richard Banks · Dec 2, 2014

Let's say your two machines are called TFSSERVER and TARGETMACHINE.

The NetworkService on the TFS Server would be seen as the machine account, i.e. DOMAIN\TFSSERVER$, on the TARGETMACHINE. Any accounts in the NT AUTHORITY group are local accounts so it looks like you've just added TARGETMACHINE's network service as an admin, not the TFS machine's network service.

Try adding the TFS machine account to your permissions list and see if it works.

If that doesn't, look at this related question and see if anything there helps you at all: PSEXEC, access denied errors