- This topic has 6 replies, 2 voices, and was last updated 5 years, 11 months ago by doug.
January 15, 2013 at 8:37 am #8589veixParticipant
In older versions it was possible to execute \networksharesomebatfile.bat as “Remote script/process (psexec). Now “Error Code:1” is received. Commands in BAT file executed as separate custom PsExec command 1&2 works. Executing BAT file from PSExec works.
I am using BatchPatch version 2012.12.10 and psexec version 1.92. Website needs version info on downlads page too…
Great product.January 15, 2013 at 7:21 pm #9481dougModerator
Hi veix –
1. You’ll need to specify alternate credentials for this work. This is because when you connect to the target computer with integrated security, the target computer then tries to connect to a different network location but doesn’t have network access because it’s impersonating. So, if you specify alternate credentials, those credentials are first passed to the target system where they can be used natively without impersonating, and in that case they will have access to the network share.
To PsExec a .bat file from the command line you’d have to do the following:
psexec \targetServer -u domainusername -p password cmd.exe /C "\networksharesomebatfile.bat"
To do the equivalent in BatchPatch, enter the following into the “Remote script/process” window:
cmd.exe /C "\networksharesomebatfile.bat"
Alternatively you could actually use the “Patch Deployment” feature in BatchPatch to do this. Just specify the .bat file as your “Installer file” in the “Patch Deployment” window, and then BatchPatch will take care of the rest. In this case you would not have to use alternate credentials because BatchPatch will actually copy the .bat file directly to the target machine and execute it there. I hope this helps.
-DougJanuary 16, 2013 at 6:14 am #9483veixParticipant
Thank you for reply.
1. Isn’t alternate credentials a bad thing, since PSExec sends credentials over network as plain text?!
2. No. With psexec it works as
psexec -s \targetserver \networkssharesomebatfile.bat
My user just has to have administrative permissions on targetserver and read access to \networkshahe.
If I use Remote script/process then no output is read from nowhere and BAT is not executed.
And everything was working on older versions…
I would dig out some older version, but newer ones has this neat feature where you could browse computers from AD by specific OU.January 17, 2013 at 12:21 am #9486dougModerator
veix – I’m surprised that you’re able to get psexec to work in the way that you specified without having to use cmd.exe /C because I’m not able to get that to work. Additionally, I’m not able to get it to work even WITH the cmd.exe unless I specify the -u and -p switches to pass credentials to the other computer. This is expected behavior, due to how impersonation works. If I’m on computer A, and I want to run a .bat on computer B, but the .bat file is located on computer C, then this can only be done if I first pass credentials from computer A to computer B, where computer B then uses those credentials to access the .bat file on computer C. If I don’t pass credentials and instead rely on integrated security, computer A can access computer B, but on computer B there is no network access to connect to computer C. This is simply a fact of how impersonation works.
All that said, the BatchPatch code has not changed for the “remote script process” functionality, so I’m unsure how you would have had anything different work in an older version of BatchPatch.
Regarding your 2 questions…
1. Yes, alternate credentials are not ideal because they are passed in clear text to the remote computer. However, in a modern switched network environment, this is generally not necessarily all that big of a deal because the network traffic and clear text password will not be exposed to other computers on the network. Regardless of whether or not it’s ideal, it’s the only way to accomplish exactly what you’re describing, as far as I’m aware.
HOWEVER, as I suggested in the previous posting, you can use BatchPatch’s “Patch Deployment” feature, which will do exactly what you want and will NOT require alternate credentials. BatchPatch will reach out to the network share and get the .bat file, and then BatchPatch will copy that .bat file to the target computer and execute it. This scenario does NOT require alternate credentials because there is only a single hop (no double hop as in the first example).
I hope this helps.
-DougJanuary 17, 2013 at 6:28 am #9489veixParticipant
Thank you for long explanation, and it did help (if you said you have not changed the code).
We must be having very different network environments (different share permissions, user permissions, windows policys), since to me psexec has always worked like that.
Patch deployment does not work and does not show any error message.
BUT I must have forgot that on previous version on “Remote script/process” I also used not only “bath_to_bat” but also key “-s”. Today I also use key “-s” and it still works with BatchPatch also.
Keep up the good work, Doug!January 17, 2013 at 4:11 pm #9491dougModerator
Interesting. I’m glad you got it working!
-DougJuly 17, 2014 at 7:48 pm #11539dougModerator
Note – PsExec v2.1+ now uses an encrypted channel for communication between the source and destination computers. Passwords are NO LONGER sent in clear text, which is very cool. This means that using alternate credentials in BatchPatch is no less secure than using integrated security.
- You must be logged in to reply to this topic.