What are the user permissions required for batch file to launch executable in Server 2008 R2?

andye

Folks,

This is more sanity checking than anything.

The challenge is simple. I want a batch file to FTP files from a server to an FTP site.

This is proving difficult to achieve.

I have a batch file that launches an executable (WINSCP.com). WINSCP does the uploading.

Running this as Administrator either via the console by double-clicking the BAT file or running from the Command line is no problem. It all works.

I fail when I try to use a minimum privilege user account.

The account has "Log on as Batch" via Secpol and is granted full rights to all the directories and executables involved in the script.

However my suspicion is that when WINSCP.com is launched the user execution context is lost and WINSCP.com doesn't know what user it's supposed to be executing as OR some other factor I'm failing to grasp.

To test this I created a very simple BAT file containing only the following line:

dir c:\Temp\*.* >c:\temp\testlog.txt

I then execute the BAT file in the following way from the CMD to test

C:\Users\Administrator>runas /profile /user:DOMAIN\LeastPrivAppAccount ""C:\Demo\Simple.bat" >C:\Temp\log.txt"

The Batch file executes cleanly and does the DIR dump. So the ability for the account to launch a BAT file is proven.

When I put WINSCP.com in the batch file WINSCP.com is launched but fails with write errors to log files and actually doesn't start the upload.

However if I change the execution account to Administrator WINSCP runs and performs the FTP task as required.

This is the captured log from the CMD window as WINSCP doesn't even get a chance to run

C:\Windows\system32>"C:\Program Files (x86)\WinSCP\WinSCP.com" /log=WinSCP.log /ini=nul /command "open ftp://<FTP_ADDRESS_OBSCURED>/" "option confirm off" "put ""C:\FILE\ACCESS.ACCDB"" /TestOutput/" "put ""C:\FILE\EXCEL.xlsx"" /TestOutput/" "exit"
Error occurred during logging. It's been turned off.
Can't open log file 'WinSCP.log'.

System Error. Code: 5.

Access is denied
Connecting to <FTP_ADDRESS_OBSCURED> ...
Connected
Starting the session...
Session started.
Active session: [1] <FTP_ADDRESS_OBSCURED>

Does anyone have any clues about what is going wrong here?

martin
Site Admin

With your command-line syntax, the log file is written to the current working directory, which is C:\Windows\system32.

The account most likely does not have write access there. Use a full path to another directory with write access.

/log=c:\writable\path\winscp.log

andye

Thanks so much Prikyl. It's been a few days trying to solve this issue with tonnes of work on the server side with user permissions etc.

I'm hoping none of that time is wasted.

BTW, you should note I was using the "Generate session URL/code" feature in the Beta.

Below is an exact copy provided by the tool. Perhaps a modification to include /log=<writeable path>\WinSCP.log

@echo off

"C:\Program Files (x86)\WinSCP\WinSCP.com" /log=WinSCP.log /ini=nul /command ^
  "open ftp://<FTP_ADDRESS_OBSCURED>/" ^
  "Your command 1" ^
  "Your command 2" ^
  "exit"

set WINSCP_RESULT=%ERRORLEVEL%
if %WINSCP_RESULT% equ 0 (
  echo Success
) else (
  echo Error
)

exit /b %WINSCP_RESULT%

martin
Site Admin

andye wrote:

Below is an exact copy provided by the tool. Perhaps a modification to include /log=<writeable path>\WinSCP.log

Thanks for your suggestion.

This has been added to the tracker:
https://winscp.net/tracker/1391
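
Added example, not part of the thread and not WinSCP's generated code: the script from the posts above with the log moved to a full path, as the first reply advises, plus a write check that stops the run when the account cannot create the log file. C:\writable\path is the placeholder from that reply; the probe file name and the exit code 5 convention are assumptions.

```batch
@echo off
setlocal

rem LOG_DIR is a placeholder (assumption). Use a directory where the
rem least-privilege account has write access and ordinary users do not.
set "LOG_DIR=C:\writable\path"
set "WINSCP=C:\Program Files (x86)\WinSCP\WinSCP.com"

rem Record the real execution context. Under runas the working directory
rem can be C:\Windows\system32, so a relative /log= path lands there.
echo Running as %USERDOMAIN%\%USERNAME% in "%CD%"

rem Probe for write access before starting the transfer. Without this,
rem WinSCP turns logging off and carries on with no record of the session.
set "PROBE=%LOG_DIR%\write-probe-%RANDOM%.tmp"
2>nul (>"%PROBE%" echo probe)
if not exist "%PROBE%" (
  echo ERROR: %USERNAME% cannot write to "%LOG_DIR%" 1>&2
  rem 5 mirrors the "System Error. Code: 5" (access denied) seen in the log above
  exit /b 5
)
del "%PROBE%"

rem Same switches as in the thread; only the /log= value is now a full path.
"%WINSCP%" /log="%LOG_DIR%\WinSCP.log" /ini=nul /command ^
  "open ftp://<FTP_ADDRESS_OBSCURED>/" ^
  "option confirm off" ^
  "put ""C:\FILE\ACCESS.ACCDB"" /TestOutput/" ^
  "put ""C:\FILE\EXCEL.xlsx"" /TestOutput/" ^
  "exit"

set WINSCP_RESULT=%ERRORLEVEL%
if %WINSCP_RESULT% equ 0 (
  echo Success
) else (
  echo Error, see "%LOG_DIR%\WinSCP.log"
)

exit /b %WINSCP_RESULT%
```

Run it with the same runas command used for Simple.bat; the first output line shows which account and working directory the script actually got.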
