dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
3931
share rss forum feed

GHz

join:2002-01-02
Needham, MA

Can't Run VSHADOW.EXE in Win7 Except as Builtin Admin

We've written a set of scripts (vb and command-line) for windows xp, vista, and 7, that use the appropriate version of vshadow.exe for each OS version to back up the users' local PST files to our server drive. The script runs fine on windows XP, however, in vista and 7 we run into an issue with User Account Control, where only the inbuilt Administrator account can run the vshadow commands successfully. We've created a special domain user that has local admin permissions on the test machine, and runs the script which calls vshadow.exe. Additionally, we've used group policy to grant this special domain user permissions on the test machine to log on as a batch job, log on as service, and back up files and folders, and perform volume maintenance tasks. We've set the volume shadow copy service to start up automatically on the machine, and have given the special domain user full control of the service via GPOs. Despite all these modifications, the special domain user receives the following error from vshadow.exe in trace mode:
[                   VssClient::Initialize @ vssclient.cpp:  66]] Executing COM call '"CreateVssBackupComponents(&m_pVssObject)"'
 
ERROR: COM call "CreateVssBackupComponents(&m_pVssObject)" failed.
[[                   VssClient::Initialize @ vssclient.cpp:  45]] OUTPUT:
ERROR: COM call "CreateVssBackupComponents(&m_pVssObject)" failed.
- Returned HRESULT = 0x80070005
[[                   VssClient::Initialize @ vssclient.cpp:  45]] OUTPUT: - Returned HRESULT = 0x80070005
- Error text: Access is denied.
 
We've traced the issue to the UAC feature. When UAC is completely disabled on the Win7 test machine, the script runs fine. When enabled UAC prevents anyone (including domain admins who have local admin permissions to the machine) from successfully executing the "CreateVssBackupComponents(&m_pVssObject)" COM call.

We've tried a couple of command line techniques to disable the UAC for the duration of our backup script runtime, such as the well-known:

REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0x0 /f

But only the inbuilt Administrator account has the rights to modify the registry in such a way - and a password has to be provided each time (which defeats the whole purpose of the automatic script). We wouldn't want to disable UAC on a permanent basis. Just for the duration of the script run.

Which permission/right are we missing for our special domain user? What is it that allows the inbuilt Administrator to successfully run the COM call, while denying all other administrator class users (local and domain) access? Is there a way to elevate a domain user to superuser temporarily for purposes of executing the script?

Any insight would be greatly appreciated.

Thanks,

-G


Jahntassa
What, I can have feathers
Premium
join:2006-04-14
Conway, SC
kudos:4
I believe, from my dabbles in folder redirection, that Windows 7 grants users exclusive access to their profiles by default. Meaning: If you want what you're doing to work, you need to manually go through and take ownership of the folders, and adjust the ACL's as needed.

Or, run the script as the user whose data you're trying to copy.

There may be a 'slicker' way to do it, but that seems to be the deal.

(Some info gleaned from here »support.microsoft.com/kb/288991)

GHz

join:2002-01-02
Needham, MA
Thanks for the input. To test your theory, I made our domain user the owner of C:\Users (and all sub-folders) with full permissions. Then, I started a command window as the domain user (using runas) and attempted to navigate to a user folder that was not my own. I was blocked with an 'access denied' error, despite Windows telling me that the effective permissions of the domain user were full control and that the user was owner of the folder. What gives? Is there a special Windows 7 permission that blocks users from traversing folders that they don't own that overrides ACLs/ownership? Grr... I'm starting to hate Windows 7


Jahntassa
What, I can have feathers
Premium
join:2006-04-14
Conway, SC
kudos:4
said by GHz:

Is there a special Windows 7 permission that blocks users from traversing folders that they don't own that overrides ACLs/ownership?
From what I can tell, yes. Sortof. The 'Exclusive rights' to user folders flag as well as UAC forcing things to play nice is the best explanation I can give without doing any research into whatever the technical permissions may be.

I find (as with your case) that many people 'hate' Windows 7 because they changed the security schemes. Things that used to work, don't. And in my mind, that can be a good thing. Yes, it means more work on your end, but it also means there's a higher level of security in place. Personally, I don't mind the changes, it's just a matter of what used to work, now, generally doesn't.

That diatribe out of the way, yes, I believe the user profile folders do have an extra 'hidden' set of permissions that can't be touched other than manually overriding them or utilizing the Group Policy settings.

There may be an easier / slicker way to do things. I'm not pretending to be an expert here, so don't take that as the end-all answer.

kc8jwt

join:2005-10-27
Syracuse, OH
reply to GHz
You might try to change in your GPO under the Computer Configuration -> Policies -> Windows Settings -> Local Policies -> User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode. There is a choice to elevate with out prompting setting.

We were looking at some Windows 7 stuff in the winter and we were going to deploy it widespread in the school this fall, but we didn't have enough MAK licenses. I actually went out and bought a Windows 7 book that talks about managing Windows 7. I looked in that book and that is where I saw this suggestion.

The worse thing that will happen is that it won't work and you can go back and turn it off.


jester121
Premium
join:2003-08-09
Lake Zurich, IL
There's also a GPO in

Computer config/adm templates/system/user profiles

for:
Do not check for user ownership of user profiles

and:
Add Administrators security group to roaming user profiles