Access is denied on some hosts when running deploy
This problem is only affecting about 5% or less of our hosts. I run a deploy task (any task) and particular hosts fail with Access is denied. I'm pretty sure something is the matter with the way I've assigned our deploy.service but I can't find any difference between the working systems and the non-working.
Deploy error
AppDomain : PDQDeployConsole.exe
CLR Version : 4.0.30319.42000
Comments :
Computer Name : randobox010.fake.com
Current AppDomain : PDQDeployConsole.exe
Database : C:\ProgramData\Admin Arsenal\PDQ Deploy\Database.db
Date : 2023-12-19T15:43:04.3955049Z
Effective Host Name : randobox010.fake.com
Email :
Entry : C:\Program Files (x86)\Admin Arsenal\PDQ Deploy\PDQDeployConsole.exe
Error : Access is denied
Error Type : AdminArsenal.Runner.FileException
File Path : \\randobox010.fake.com\ADMIN$
License Mode : Enterprise Mode
Machine : PDQSERVER
Manufacturer : Gigabyte boxnology Co., Ltd. (X299 UD4 Pro)
Memory : 127.7 GB (106.8 GB free)
PID : 16652
Process : PDQDeployConsole
Product : PDQ Deploy
SentryEnabled : True
Service Mode : Client
Subject : PDQ Deploy Diagnose Report
User Name : fake.com\deploy.service
Version : 19.3.488.0
Windows : Microsoft Windows 10 Pro (10.0.19045)
Access is denied
AdminArsenal.Runner.FileException
File Path: \\randobox010.fake.com\ADMIN$
Effective Host Name: randobox010.fake.com
Computer Name: randobox010.fake.com
User Name: fake.com\deploy.service
AppDomain: PDQDeployService.exe
Process: PDQDeployService
Machine: PDQSERVER
------- INNER EXCEPTIONS -------
Access is denied
System.ComponentModel.Win32Exception
NativeErrorCode: 5
------- OUTER EXCEPTION -------
Access is denied
AdminArsenal.Runner.FileException
File Path: \\randobox010.fake.com\ADMIN$
Effective Host Name: randobox010.fake.com
Computer Name: randobox010.fake.com
User Name: fake.com\deploy.service
AppDomain: PDQDeployService.exe
Process: PDQDeployService
Machine: PDQSERVER
at AdminArsenal.Runner.Remote.RemoteTargetSystem.<Authenticate>g__AuthenticateInternal|51_0(String sharePath)
at AdminArsenal.Runner.Remote.RemoteTargetSystem.Connect()
at AdminArsenal.Runner.Runner.Process()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at AdminArsenal.Runner.Runner.Process()
Local group policy
Security settings -> Local Policies -> User Rights Assignment -> Log on as a service: contains deploy.service, as usual
PDQ server setup
Background service -> deploy.service
Credentials -> deploy.service
Comments
Bump?
This is a good issue to open a ticket up for if you haven't yet.
"Access Denied" is a native Windows error that indicates that the credentials PDQ is attempting to connect with are not valid on the target machine. This will be the Deploy User for PDQ Deploy or the Scan User for PDQ Inventory. We've got an article here that goes over the different sets of credentials available in PDQ products and the permissions needed by each. Can you ensure that those are set up properly with the correct permissions? PDQ Credentials Explained
If you're using LAPS to connect to your targets, this article also goes into more detail with some LAPS-specific troubleshooting: LAPS Error: Access is Denied
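One way to compare a working and a failing host outside PDQ, as an added example that is not part of the thread and not PDQ's own tooling: the script below connects to each host's ADMIN$ share with the deploy credentials and records the Win32 error code, so the result can be matched against the NativeErrorCode: 5 in the report above. The known-good host name, the drive name and the function name are placeholders chosen for the example.

```powershell
# Added example: test ADMIN$ access with the deploy account on several hosts.
# Run from the PDQ server. 'known-good-host.fake.com' is a placeholder for any
# host where deployments succeed; randobox010.fake.com is the failing host above.
$computers  = @('known-good-host.fake.com', 'randobox010.fake.com')
$credential = Get-Credential -Message 'Deploy user, e.g. fake.com\deploy.service'

function Test-AdminShare {
    param([string]$Computer, [pscredential]$Credential)

    $result = [ordered]@{
        Computer   = $Computer
        Port445    = $false
        AdminShare = $false
        Win32Error = $null
        Message    = $null
    }

    # Separate "SMB not reachable" from "reachable but refused".
    $result.Port445 = Test-NetConnection -ComputerName $Computer -Port 445 `
        -InformationLevel Quiet -WarningAction SilentlyContinue

    if ($result.Port445) {
        $drive = 'PdqAdminTest'   # temporary PSDrive name (hypothetical)
        try {
            New-PSDrive -Name $drive -PSProvider FileSystem -Root "\\$Computer\ADMIN$" `
                -Credential $Credential -ErrorAction Stop | Out-Null
            $result.AdminShare = $true
        }
        catch {
            # Walk to the innermost exception, as in the report's INNER EXCEPTIONS block.
            $ex = $_.Exception
            while ($ex.InnerException) { $ex = $ex.InnerException }
            if ($ex -is [System.ComponentModel.Win32Exception]) {
                $result.Win32Error = $ex.NativeErrorCode   # 5 = ERROR_ACCESS_DENIED
            }
            $result.Message = $ex.Message
        }
        finally {
            Remove-PSDrive -Name $drive -ErrorAction SilentlyContinue
        }
    }
    [pscustomobject]$result
}

$computers |
    ForEach-Object { Test-AdminShare -Computer $_ -Credential $credential } |
    Format-Table -AutoSize
```

A host that shows Port445 as True with Win32Error 5 reproduces the failure without PDQ in the path, which narrows the problem to what that account is allowed to do on that host.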