View previous topic :: View next topic |
Author |
Message |
James65
Joined: 26 Feb 2024 Posts: 8
|
Posted: Mon Feb 26, 2024 9:33 am Post subject: RCC action "A required privilege is not held by the cli |
|
|
Good day,
We have downloaded latest version 14.28 for evaluation. Everything runs fine, except action "Execute external program" when running host monitor as a service and connecting using RCC. In HM system log we can see following error:
"A required privilege is not held by the client"
We setup as follows:
- Hostmon is started as service using local system
- In hostmon "Options / Startup / Service" we set a local admin account
- When we start the service we can see that account is used for login in application eventlog
- We added the service account in "Replace process level token"
- We set "Change User Account Control settings" to Never notify
- In the action for "Execute External program" we have enabled "run in active console session (if HM started as service)
We tested on Windows 10 and Windows Server 2022. Are there anymore requirements with latest Windows Updates?
Thanks for any suggestions.
Best regards
Michael |
|
Back to top |
|
|
KS-Soft
Joined: 03 Apr 2002 Posts: 12795 Location: USA
|
Posted: Mon Feb 26, 2024 1:17 pm Post subject: |
|
|
Works fine on our Windows 2022 systems.
Could you try to set local admin account for HostMonitor service using Windows Services applet?
Its not related to RCC in any way. Tests and actions performed by HostMonitor, RCC just provides remote interface.
Regards
Alex |
|
Back to top |
|
|
James65
Joined: 26 Feb 2024 Posts: 8
|
Posted: Tue Feb 27, 2024 4:02 am Post subject: |
|
|
Hi Alex,
Thank you. We have created a new local user hostmon. This user is added to the local administrator group and set in Windows Services applet as well as in HM Options service account. Now we get a different error. On executing any external program the HM system log shows "Cannot execute command: Access is denied". The external command we use is just a simple msg command and it works fine when using HM without started as service. So it looks like something more is missing. Do you have any further suggestions to check?
Thanks.
Best regards
Michael |
|
Back to top |
|
|
KS-Soft
Joined: 03 Apr 2002 Posts: 12795 Location: USA
|
Posted: Tue Feb 27, 2024 8:27 am Post subject: |
|
|
I think simple msg command is not that simple.
E.g. sometimes it would not start if you use path like C:\WINDOWS\System32\msg.exe while just "msg.exe" will launch program (problem relates to C:\Windows\Sysnative\ folder).
Also it uses remote RPC calls and I think gets data from AD..
If you really need msg.exe, try to modify registry:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
Name : AllowRemoteRPC
Type : REG_DWORD
Value : 1
If you are using msg.exe just for testing, I would suggest to use some other command
Regards
Alex |
|
Back to top |
|
|
James65
Joined: 26 Feb 2024 Posts: 8
|
Posted: Tue Feb 27, 2024 9:24 am Post subject: |
|
|
Thanks again. AllowRemoteRPC was already set. It doesn't matter what command we are using, e.g. c:\batch\test.cmd, iisreset, dir >1.txt, etc... Everything returns access denied. "Execute by" is always set to "Hostmonitor".
We have also tried using a domain admin account with same result.
Do you have another example how to launch an external program? |
|
Back to top |
|
|
KS-Soft
Joined: 03 Apr 2002 Posts: 12795 Location: USA
|
Posted: Tue Feb 27, 2024 10:09 am Post subject: |
|
|
It should work out of the box on "stock" Windows (with "Replace process level token"), works on all our systems. I assume some local policy leads to the problem.
We will try to find some information
Regards
Alex |
|
Back to top |
|
|
James65
Joined: 26 Feb 2024 Posts: 8
|
Posted: Tue Feb 27, 2024 10:51 am Post subject: |
|
|
Thanks Alex. I also think so. Just notice 2 things:
- when using the built-in administrator account we get again "A required privilege is not held by the client" even the account is added in ""Replace process level token"
- when we disable "User Account Control: Run all administrators in Admin Approval Mode" and reboot we get again "A required privilege is not held by the client" for both local admin accounts.
I will also try to check with a new OS installation and no domain join. |
|
Back to top |
|
|
James65
Joined: 26 Feb 2024 Posts: 8
|
Posted: Wed Feb 28, 2024 5:16 am Post subject: |
|
|
Hi Alex,
I created a new Windows Server 2022, only installed HM and run into the same issue. The solution as to DISABLE "run in active console session (if HM started as service)" in action. Now it works.
Thanks again for your assistance.
Best regards
Michael |
|
Back to top |
|
|
KS-Soft
Joined: 03 Apr 2002 Posts: 12795 Location: USA
|
Posted: Wed Feb 28, 2024 11:29 am Post subject: |
|
|
Oh, my mistake
You said you are using this option in your 1st post and I missed this.
Yes, by default and normally it should be disabled. When it is enabled HostMonitor tries to start program using current user credentials. And this requires some extra permissions when system belongs to domain..
Regards
Alex |
|
Back to top |
|
|
|