I'm writing an application that helps me auto-deploy my applications to my Windows Server 2008 machines. As apart of this process, I need remotely start and stop IIS websites on my 2008 servers from my test machine.
From the scope of my 2008 machine, I'm using:
C:\Windows\System32\inetsrv\appcmd.exe stop site "MyWebsite"
This command does NOT work if I simply run it from the command prompt. The error returned is:
ERROR ( message:The W3SVC service is not available – try starting the service first. )
However this DOES work if I use the command prompt via "Run as Administrator". That's fine & dandy, but I need to be able to run this from another machine. Using a domain account (that is considered an Administrator), my PsExec commaned becomes the following from the perspective of my test (non-2008) machine:
"C:\Program Files\PSTools\psexec.exe" \\my2008machine -u domainuser -p password C:\Windows\System32\inetsrv\appcmd.exe stop site "MyWebsite"
PsExec starts, runs, and exits providing the same error as seen above: just like as if I had run this command from the command prompt -without- "Run as Administrator" on my 2008 machine.
Windows Firewall is turned off, I've set a 'LocalAccountTokenFilterPolicy' as suggested elsewhere, and I'm out of ideas. Any idea how to fix this or work around it?
Best Answer
This issue has been resolved going between machines in the same domain using a domain administrator account (from 2003 R2 --> 2008 R2). This was accomplished by changing UAC settings under the Local Security Policy-->Local Policies-->Security Options. I believe it was a "Run all administrators in Admin Approval mode" setting, and required a reboot.
However, there is still an outstanding issue when crossing the domain boundary: using the same domain administrative user and targeting a 2008 R2 server, PsExec returns an "Access Denied" error.