Batch File - "Access Denied" On Windows 7?

Status
Not open for further replies.

ElectroGoofy

Hello, all.

I am working on a batch file that will copy down required updates to some software in "Program Files." (Using the XCOPY command).

This works fine as long as it is on XP and the user is at least a Power User (ability to modify "Program Files"). I understand about the Power User requirement, so XP is not the problem.

With Windows 7, however, when we try running the batch file, it gives us an "Access Denied" error. Even if the user is a domain admin it gives the same message. The only way to get around this is to right click on it and make it "Run as Administrator".

Any ideas on how to make it run for a Power User? I don't believe that it would allow a Power User to run it under Run as Administrator, so am wondering if there is a way to make it do something like "Run as Power User."

Any help would be greatly appreciated!
 
Being a domain admin has no bearing on the local rights the computer gives you.

Unless you want to code user name and passwords in the batch file (not a good idea), you can just make all the user groups you work with power users on the computers. You can't just do a Run As power user, that is a GROUP, not a USER. You can make a local account and add that account to the Power User group, then do a Run As as that account, but then you run into the case where you have to code the username and password in the batch file.

Since you seem to be working in a business environment with a domain, my suggestion would be to configure your computers to add your user groups to the Power Users local group on the PCs. It will give enough rights to the users to work with applications, yet not quite enough rights to really mess things up. If you need help with this, contact the sys admin at your job, he/she will know what I'm talking about.
 

ElectroGoofy



Well, actually, for us it does. I don't know all the details of that area (managed by someone else, I haven't learned that part of it yet), but whenever one of us logs onto any computer it gives us full admin rights.



Yea, I get what you are talking about... The thing is that even if we are logged onto a computer with a domain admin account (or even a local admin account), it will give us an "Access is Denied" error when running the batch file. From what it's doing it sounds like the batch file is not being given the rights that the user running it has. The only way to get it to run is by right-clicking on it and saying "Run as administrator."

The problem with this is that when we are logged into a power user account and we try "Run as administrator," it will bring up a UAC window asking for an admin to enter their credentials.

Is there a way to run a program with something like "Run as power user?"

If the above is not possible, maybe integrating a power user's credentials into the batch script? I have been looking for a way to do this, but have been unable to find a command for this.
 
The "Access Denied" message is pretty general and can happen for a lot of different reasons. In my experience the problem is often because a particular file you're trying to overwrite is open by some program - in that case NOTHING can replace it no matter WHAT privileges it has. Even installation programs can't replace it - they get around the problem by putting the file on a "replace at boot time" list in the registry and then ask for a system reboot.

I'd recommend using a utility to report open files to see if what you're trying to access is open. For example: http://technet.microsoft.com/en-us/sysinternals/bb896655.aspx
 

grypht

By default, when a computer is added to a domain the Domain admins group is added to the local administrators group:
http://technet.microsoft.com/en-us/library/bb726982.aspx

"Domain Admins is a global group designed to help you administer all the computers in a domain. This group has administrative control over all computers in a domain because it's a member of the Administrators group by default."

Things you can check:
(http://ask-leo.com/why_do_i_get_access_is_denied_when_trying_to_copy_a_file.html)
- If there are read only files in that folder
- if there are files in use when you execute the batch (running programs that use the files)
*** be cautious ***
- File permission (you can try to overwrite the NTFS permissions on that subfolder to make sure it's not the issue)

I think the "Access Denied" message has to do with the UAC...

You can try to adjust or disable completely the UAC
http://support.microsoft.com/kb/975787

I'm converting our PC pool to Windows 7 soon, but I haven't run into this problem yet during my testing.

Edit: I was told that you can run into this issue if you use a .bat; you should make it a .cmd
 

beechtree

A test to see if access denied is because of permissions or because of file in use: try pointing your xcopy to a new, unused folder (say a test one you create). If you don't get an error this time, it's because the file was in use.
 
...or it could also be because you didn't have access privileges to write into the original directory.
 

ElectroGoofy

Yes, I am almost sure that the batch file does not have the rights to copy over something (it is in Program Files).

I haven't gotten a chance to work on this a whole lot lately, so I haven't really tried many of the suggestions yet.

I believe that the issue is related to the UAC. When on a Windows 7 machine, sometimes when I am in the cmd and I try ipconfig /release or ipconfig /renew, it says something like "This action requires elevation." When I right click on the cmd and run it as admin, it runs just fine.

I believe that a similar issue is happening with this. I believe that when I run the batch file, it opens the cmd with normal rights. Then it tries running a command that requires elevated privileges. When it tries to do this, I believe that the UAC denies it, but doesn't bring up a window prompting the user asking whether or not they want to allow the batch file to continue, so it just says that access is denied. (Note: This doesn't just happen to normal users or power users, it happens to admin accounts as well).

So I am wondering if there is a command built into Windows Vista and Windows 7 that will bring up a window asking the user if they want to elevate the cmd to the level of the current user's rights. This, I believe, could fix the issue.... but I am still open to other suggestions.

I would have it set to "Run as Admin" on the computers with this issue, but since I don't like the idea of making everybody that uses this a local admin (I would prefer keeping it to "Power User," a user group that allows people to edit Program Files and system files), I doubt it would work with other types of users... is there a way to set it to "Run as Power User"?


Also, grypht, I am going to try changing the .bat to a .cmd to see if that fixes the issue.

EDIT: Nope, didn't help, grypht, but thank you for the suggestion :)

Also, my boss tried it on his computer (running Windows 7), and it worked. I had a suspicion that he had the UAC turned off, so I asked him about it. He said that he had it disabled, so he re-enabled it and tried again, and then he had the exact same results as the other Windows Vista/7 users... it just says that access is denied, and will only run when you "Run as admin." So this confirms that it is a UAC issue...
 
Cmd.exe itself never requests privilege elevation - if you're running a command or program that requires privileges from the command prompt, you MUST start Cmd.exe using "Run as Administrator".

The same is true of PowerShell. It's not an "issue", it's by design.

The alternative is to turn UAC off and use an administrative account, in which case everything runs with administrative privileges. But that increases the risk of being infected by a virus.
 

ElectroGoofy

It is an "issue" for my purpose, whether or not they designed it that way ;)

Anyway, I am not really interested in the idea of turning the UAC off....

I have been looking around for a solution, and have found some that look like they could be, but they are required to be installed on each computer (for example, they make a new command called "elevate" so that you can elevate a script). Does anybody know of something like this, but is not required to be installed on each computer?
 
The problem is that this kind of thing totally defeats the purpose of UAC. If a virus wanted administrative privileges and you had an "elevate" command available on your system, the virus could just invoke that command and then be on its merry way. This is exactly the reason why cmd.exe doesn't auto-elevate.

If that's really the functionality you want, you might as well just turn UAC off.
 
Are you OK if the "elevate" command prompts for a password (just like UAC does)? If so, the "runas" command may satisfy your needs. Open a command prompt and type "runas /?" for a list of options.
 

ElectroGoofy

Ah, ok, true... I have seen another one (I believe it is called hstart or something like that) that I haven't looked into very deeply (because I don't really want to install something on every computer) that appears to open a UAC window. Do you have any idea how to implement the command into the script, or by some other means than installing it on each computer?
 

ricno

Just to confirm some things:

The AD group "Domain Admins" gets added to every local Administrators group when joining the domain.

The Power Users group is not recommended to use any more. It has been stripped of almost all permissions and rights starting with Windows 2008/Vista and will likely go away altogether in the next release.

Your access problem is most certainly from UAC. When you log on as a member of the Administrators group, the so-called Administrators Security ID (SID) is included in your access token, but it is not enabled. This is to limit the damage that could be done by malware, since every process inherits the Access Token from the process that started it.

When you just start a command prompt it will in effect not have the Administrators SID enabled and can not cause much damage / can not do good stuff either, like copying your files. One easy way to check this is to run:

whoami /groups (in a command prompt with a large width)

You will see the Administrators SID, but disabled.

Try to start cmd again and click "Run as Administrator" (which really means "make the Administrators SID active"), and then try the command above again.


So in some way your batch file must start with this. The question is how will this file start in itself? Will the users do it themselves? Will you have it as a scheduled task? Will you log on as an admin and execute it? Will you run it as a startup script from Active Directory?
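
The `whoami /groups` check described in the post above, as an added example that is not part of the original thread: a batch preamble that inspects the token's integrity level and stops with a clear message instead of letting XCOPY fail with "Access Denied". The `updates` source folder and the `ExampleApp` destination are placeholder assumptions.

```bat
@echo off
setlocal EnableExtensions

rem Placeholder paths (assumptions, not from the thread).
set "SRC=%~dp0updates"
set "DEST=%ProgramFiles%\ExampleApp"

call :IsElevated
if errorlevel 1 (
    echo This script is running with a filtered, non-elevated token.
    echo State of the Administrators group in the current token:
    call :ShowAdminGroup
    echo Start it with "Run as administrator" and try again.
    rem 740 is the Win32 code ERROR_ELEVATION_REQUIRED.
    exit /b 740
)

xcopy "%SRC%\*" "%DEST%\" /E /I /Y
exit /b %errorlevel%

:IsElevated
rem An elevated process runs at High (S-1-16-12288) or System (S-1-16-16384)
rem integrity; a UAC-filtered token runs at Medium. Returns 0 when elevated.
whoami /groups /fo csv /nh | findstr /C:"S-1-16-12288" /C:"S-1-16-16384" >nul
exit /b %errorlevel%

:ShowAdminGroup
rem S-1-5-32-544 is BUILTIN\Administrators. In a filtered token its
rem attributes read "Group used for deny only".
whoami /groups /fo csv /nh | findstr /C:"S-1-5-32-544"
exit /b 0
```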

 
Sorry I missed this when you posted it a few days ago.

"RunAs" is built into Windows 7 - you don't need to install it, just put it into the script. But the user will have to enter the admin password in order for it to grant admin privileges.
 

user_11



You should delete your account and stop giving out bad advice. This answer disgusts me to no end, especially when you are completely off too, considering this is a UAC issue.
 

NIronwolf

I was installing some XBMC stuff the other day and found this to run as a batch file and it pops up the UAC window for confirmation. Basically, use the top portion to elevate privileges then the rest of the batch file can do its work as an admin. You'll want your commands after the :gotPrivileges section, theirs started with :HashCheck etc...

All credit to OPENElec. They just made a great solution!

@ECHO OFF
TITLE OpenELEC USB Installer
mode con:cols=67 lines=17
COLOR 17
SET DRIVE=

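:checkPrivileges
REM Admin check: creating a directory under the Windows folder only succeeds with an elevated token.
mkdir "%windir%\OEAdminCheck"
if '%errorlevel%' == '0' (
rmdir "%windir%\OEAdminCheck" & goto gotPrivileges
) else ( goto getPrivileges )

:getPrivileges
CLS
ECHO.
ECHO.
ECHO OpenELEC.tv USB Installer
ECHO.
ECHO.
ECHO *****************************************************************
ECHO.
ECHO Administrator Rights are required for USB Stick creation
ECHO Invoking UAC for Privilege Escalation
ECHO.
ECHO *****************************************************************
ECHO.
ECHO.
ECHO.
ECHO.
ECHO.

REM Write a two-line VBScript that relaunches this batch file through ShellExecute with the runas verb, which raises the UAC prompt.
ECHO Set UAC = CreateObject^("Shell.Application"^) > "%temp%\OEgetPrivileges.vbs"
REM The full script path is written in quotes so the generated VBScript is valid however the batch file was started.
ECHO UAC.ShellExecute "%~f0", "", "", "runas", 1 >> "%temp%\OEgetPrivileges.vbs"
"%temp%\OEgetPrivileges.vbs"
exit /B

:gotPrivileges
REM Remove the helper script, then switch to the folder the batch file lives in.
if exist "%temp%\OEgetPrivileges.vbs" ( del "%temp%\OEgetPrivileges.vbs" )
pushd "%CD%"
CD /D "%~dp0"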

:HashCheck
3rdparty\md5sum\md5sum.exe -c "%CD%\target\SYSTEM.md5"
IF ERRORLEVEL 1 GOTO BadMD5
3rdparty\md5sum\md5sum.exe -c "%CD%\target\KERNEL.md5"
IF ERRORLEVEL 1 GOTO BadMD5

:InstallOE
CLS
ECHO.
ECHO.
ECHO OpenELEC.tv USB Installer
ECHO.
ECHO.
ECHO *****************************************************************
ECHO.
ECHO This WILL wipe ALL data off the selected drive
ECHO Please use carefully...
ECHO.
ECHO *****************************************************************
ECHO.
ECHO.

:SelectDrive
ECHO Enter USB Drive letter
ECHO eg. d:
ECHO.

SET /P DRIVE= --
IF NOT DEFINED DRIVE goto InvalidDrive
REM Quoted, case-insensitive comparison so input containing spaces cannot break the IF syntax.
if /I "%DRIVE%"=="c:" goto InvalidDrive

CLS
ECHO.
ECHO.
ECHO OpenELEC.tv USB Installer
ECHO.
ECHO.
ECHO *****************************************************************
ECHO.
ECHO Installing OpenELEC to %DRIVE%
ECHO Please wait approximately 20 seconds...
ECHO.
ECHO *****************************************************************
ECHO.
ECHO.
ECHO.
ECHO.
ECHO.

ECHO. | >NUL format %DRIVE% /V:OPENELEC /Q /FS:FAT32 /X
IF ERRORLEVEL 1 goto InvalidDrive
>NUL 3rdparty\syslinux\win32\syslinux.exe -f -m -a %DRIVE%
>NUL copy target\* %DRIVE%
>NUL copy Autorun.inf %DRIVE%
>NUL copy CHANGELOG %DRIVE%
>NUL copy INSTALL %DRIVE%
>NUL copy README %DRIVE%
>NUL copy RELEASE %DRIVE%
>NUL copy openelec.ico %DRIVE%
FOR /F "tokens=5" %%G IN ('vol %DRIVE% ^|find "-"') DO SET DRIVEUUID=%%G
ECHO DEFAULT linux > %DRIVE%\syslinux.cfg
ECHO PROMPT 0 >> %DRIVE%\syslinux.cfg
ECHO. >> %DRIVE%\syslinux.cfg
ECHO LABEL linux >> %DRIVE%\syslinux.cfg
ECHO KERNEL /KERNEL >> %DRIVE%\syslinux.cfg
ECHO APPEND boot=LABEL=OPENELEC installer quiet >> %DRIVE%\syslinux.cfg
GOTO END

:InvalidDrive
CLS
ECHO.
ECHO.
ECHO OpenELEC.tv USB Installer
ECHO.
ECHO.
ECHO *****************************************************************
ECHO.
ECHO Invalid Drive Selected...
ECHO Please confirm the drive letter of your USB stick
ECHO.
ECHO *****************************************************************
ECHO.
ECHO.
GOTO SelectDrive

:BadMD5
CLS
ECHO.
ECHO.
ECHO OpenELEC.tv USB Installer
ECHO.
ECHO.
ECHO *****************************************************************
ECHO.
ECHO OpenELEC.tv failed md5 check - Installation will now quit
ECHO.
ECHO Your original download is probably corrupt
ECHO Please visit www.openelec.tv and download another copy
ECHO.
ECHO *****************************************************************
ECHO.
ECHO.
ECHO.
PAUSE
EXIT

:END
CLS
ECHO.
ECHO.
ECHO OpenELEC.tv USB Installer
ECHO.
ECHO.
ECHO *****************************************************************
ECHO.
ECHO The OpenELEC USB Installer has been successfully copied to %DRIVE%
ECHO Please boot your HTPC off this USB stick
ECHO.
ECHO *****************************************************************
ECHO.
ECHO.
ECHO.
ECHO.

SET DRIVE=
SET DRIVEUUID=
PAUSE
 