Re: Running a script from an ASP page

No, the account does not have to be admin.

If ProcessIdentity = LocalSystem, it should work for any authenticated user
(admin or non-admin).

This is due to CMD.EXE lockdown on Windows Server 2003.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Hunter" <Hunter@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B20343A1-278A-4C48-8511-2C2EB1F881F7@xxxxxxxxxxxxxxxx
>I know the site uses the token of the user (if using windows
>authentication)
> or of the account given to the anonymous user to access cmd.exe. But does
> that account have to be an admin account? I can make the script work if
> an
> admin account is used for the anonymous user, but it does not work if I
> use a
> non-admin account and give it permissions it to the cmd.exe file.
>
> "David Wang [Msft]" wrote:
>
>> This is because:
>> 1. the batch file requires CMD.EXE to execute, so ACLs on it must be
>> accessible to the NT User token using ASPEXEC (depends on authentication
>> protocol)
>> 2. CMD.EXE has some new security checks which renders the CreateProcess()
>> call used by ASPEXEC to fail. I've only found it to work when:
>> - ProcessIdentity = LocalSystem
>> - ProcessIdentity = ImpersonatedIdentity
>>
>> --
>> //David
>> IIS
>> http://blogs.msdn.com/David.Wang
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>> //
>>
>> "Hunter" <Hunter@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:4FE3B2D0-4537-458A-A24C-EA0AB28DCBFB@xxxxxxxxxxxxxxxx
>> >I have a batch file that moves files from one server to another, and I'm
>> > calling it from an ASP page using ASPEXEC. It works when the app pool
>> > identity and the user on the site (or the credentials used for
>> > anonymous
>> > access) are admins on all servers. However, when either the app pool
>> > identity or the site user are not admins, the script will not execute.
>> > And I
>> > can find no errors on any of the servers being accessed.
>> >
>> > I would like to know when the site and batch file use the credentials
>> > of
>> > the
>> > app pool and when they use the credentials of the site user (if using
>> > windows
>> > authentication) or the anonymous user. Any ideas? Thanks.
>>
>>
>>


.

Relevant Pages

  • Re: IIS Authentication Problems
    ... Sounds like this machine is now a domain controller, and IIS no longer has ... for the IUSR_nt-rh-adc-3 account ... : Authentication Package: NTLM ... local Admin details to no avail. ...
    (microsoft.public.inetserver.iis.security)
  • RE: Remote Control through Vista Workstation
    ... I am not prompted whenever I initially start Remote Tools. ... I have the built-in administrator account, ... You are prompted for authentication when you try starting remote tools (not ... When you tried using local admin account on that pc, ...
    (microsoft.public.sms.admin)
  • RE: Remote Control through Vista Workstation
    ... You are prompted for authentication when you try starting remote tools (not ... account is SMS computer account. ... When you tried using local admin account on that pc, ...
    (microsoft.public.sms.admin)
  • Re: DST and update
    ... which is why I created a temporary new user called ExchangeDST to use ... with Exchange View Only Admin permissions and member of Local Admins on ... wife's account to have full access to all mailboxes. ... under the ExchangeDST account to create the batch file, ...
    (microsoft.public.exchange.admin)
  • Re: wierd batch file behavior
    ... I ran the batch file in a cmd window and watched it carefully. ... net localgroup Administrators /add Admin /domain ... backspace),and finally make that account an administrator. ...
    (microsoft.public.scripting.wsh)