arcgis-powershell-dsc

"Access is denied" when running Invoke-ArcGISConfiguration from batch file (.bat)

Open ericandersondhshq opened this issue 2 years ago • 3 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request

Module Version

  • 3.3.1

Affected Resource(s)

  • ArcGIS_Server
  • ArcGIS_Portal
  • ArcGIS_DataStore
  • ArcGIS_WebAdaptor

Configuration Files

{
    "AllNodes": [
        {
            "NodeName": "<REDACTED>",
            "Role": [
                "Server"
            ]
        },
        {
            "NodeName": "<REDACTED>",
            "Role": [
                "Server"
            ]
        }
    ],
    "ConfigData": {
        "Version": "10.8.1",
        "ServerContext": "host",
        "ServerRole": "GeneralPurposeServer",
        "Credentials": {
            "ServiceAccount": {
                "Password": "<REDACTED>",
                "UserName": "<REDACTED>",
                "IsDomainAccount": true,
                "IsMSAAccount": false
            }
        },
        "Server": {
            "LicenseFilePath": "\\\\giishare\\prod\\gis\\software\\esri\\1081\\enterprise\\licenses\\ArcGISGISServerAdvanced_ArcGISServer_957633.prvc",
            "Installer": {
                "Path": "\\\\giishare\\prod\\gis\\software\\esri\\1081\\enterprise\\ArcGIS_Server_Windows_1081_175203.exe",
                "InstallDir": "E:\\Programs\\ArcGIS\\Server",
                "InstallDirPython": "E:\\Python27",
                "PatchesDir": "\\\\giishare\\prod\\gis\\software\\esri\\1081\\enterprise\\patches\\server",
                "EnableArcMapRuntime": true,
                "EnableDotnetSupport": false
            },
            "ServerDirectoriesRootLocation": "\\\\giishare\\prod\\arcgis\\hst\\directories",
            "ConfigStoreLocation": "\\\\giishare\\prod\\arcgis\\hst\\config-store",
            "PrimarySiteAdmin": {
                "UserName": "<REDACTED>",
                "Password": "<REDACTED>"
            }
        }
    }
}

Expected Behavior

Run ArcGIS Install as expected.

Actual Behavior

Getting "Access is denied" error.

Steps to Reproduce

We created a batch (.bat) file with the following lines of code:

@echo on
cd /D E:\Logs_1081_Install
PowerShell.exe -ExecutionPolicy Bypass -Command "Invoke-ArcGISConfiguration -ConfigurationParametersFile \\giishare\prod\gis\powershell\gii\config\331\1081\prod-host.json -Mode Install -DebugSwitch"

When we run the .bat file from Windows Task Scheduler, within 1 minute of the task running it creates a Log folder for each of the nodes with a VERBOSE file and an ERROR file, and then the task stops running pretty quickly.

VERBOSE log:

7/7/2022 10:19:43 PM: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
7/7/2022 10:19:43 PM: Operation 'Invoke CimMethod' complete.

ERROR log:

7/7/2022 10:19:43 PM: Access is denied.

If we run the same PowerShell command via the PowerShell console, it runs fine. We assume the issue is because we have to run the task under SYSTEM (the local machine). When running from the PowerShell console under our own admin account, no issues. Unfortunately we cannot run the task under our own admin accounts or as a service account.

We've ensured the task is set to run with "Highest privileges".

What directory permissions are required here? We made sure the SYSTEM that's running the task has full read/write permissions to:

  • the location of the .json config file,
  • the file share directory with all the software .exe's,
  • the C:\Program Files\WindowsPowerShell\Modules\ArcGIS directory on target machines/nodes,
  • and even the C:\Windows\Temp folder on the target machines/nodes (since it looks like first step is extracting from software directory to this temp folder).

ericandersondhshq, Jul 08 '22 10:07

Hi @ericandersondhshq,

Have you tried creating a credential object and using/passing in the -Credential parameter with the Invoke-ArcGISConfiguration command? For example:

Invoke-ArcGISConfiguration -ConfigurationParametersFile C:\config\BaseDeployment.json -Mode InstallLicenseConfigure -Credential Domain\username

This way, when the task scheduler kicks off as SYSTEM, it will run the Invoke-ArcGISConfiguration command as the admin user that has the correct access to the target node(s). Though I am not entirely sure how this would be done in a batch script; you might need to use a PowerShell script instead.

Hope this helps!

Thanks, Cameron K.

cameronkroeker, Jul 15 '22 20:07

Thank you @cameronkroeker! This helps. Out of curiosity, do you have any sample PowerShell scripts of how to run the Invoke-ArcGISConfiguration command remotely from Task Scheduler? I searched through the Wiki and couldn't find anything.

ericandersondhshq, Jul 18 '22 10:07

Hi @cameronkroeker - I just wanted to follow up on this. Do you have a sample PowerShell script file (.ps1) that gives an idea of the proper syntax needed to run the Invoke-ArcGISConfiguration command silently (from Task Scheduler)? Thank you in advance!

ericandersondhshq, Jul 26 '22 15:07
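
Added example (not part of the thread, and not code from the arcgis-powershell-dsc project or its maintainers): a sketch of the `-Credential` approach suggested in the reply above, written as a .ps1 that Task Scheduler can run non-interactively as SYSTEM. The script name, the `C:\Scripts` location and the credential file path are assumptions; the share path, log directory and `Invoke-ArcGISConfiguration` parameters are the ones quoted in the issue.

```powershell
# Run-ArcGISInstall.ps1 (hypothetical name). Added example, not code from the ArcGIS module.
#
# One-time setup, run in a PowerShell session under the SAME account the task uses
# (SYSTEM in this thread). Export-Clixml protects the password with DPAPI, so the
# file can only be decrypted by that account on that machine:
#   Get-Credential | Export-Clixml -Path C:\ProgramData\ArcGISDeploy\deploy-cred.xml
#
# Task Scheduler action (replaces the .bat):
#   PowerShell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -File C:\Scripts\Run-ArcGISInstall.ps1
param(
    [string]$ConfigFile     = '\\giishare\prod\gis\powershell\gii\config\331\1081\prod-host.json',
    [string]$CredentialFile = 'C:\ProgramData\ArcGISDeploy\deploy-cred.xml',  # assumed path
    [string]$LogDir         = 'E:\Logs_1081_Install'
)

$ErrorActionPreference = 'Stop'
$exitCode = 0
Set-Location -Path $LogDir
Start-Transcript -Path (Join-Path $LogDir ('task-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))) | Out-Null

try {
    # Record the identity actually in use; "Access is denied" is easier to triage with it.
    Write-Output ('Running as: ' + [Security.Principal.WindowsIdentity]::GetCurrent().Name)

    if (-not (Test-Path -LiteralPath $CredentialFile)) {
        throw "Credential file not found: $CredentialFile"
    }
    # Fails with a cryptographic error if the file was exported by a different account.
    $cred = Import-Clixml -LiteralPath $CredentialFile
    if ($cred -isnot [System.Management.Automation.PSCredential]) {
        throw "File does not contain a PSCredential: $CredentialFile"
    }

    Import-Module ArcGIS
    Invoke-ArcGISConfiguration -ConfigurationParametersFile $ConfigFile -Mode Install -Credential $cred -DebugSwitch
}
catch {
    Write-Output ('FAILED: ' + $_.Exception.Message)
    $exitCode = 1
}
finally {
    Stop-Transcript | Out-Null
}
exit $exitCode
```

The non-zero exit code shows up as the task's last run result, and the transcript keeps the error text alongside the module's own VERBOSE and ERROR logs. Restrict the ACL on the credential file's folder to SYSTEM and administrators even though the password inside is DPAPI-protected.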