Symantec Management Platform (Notification Server)

Hi,

We have quite many Tasks that run a script as Current logged-on user to copy files to user profile or remove user desktop shortcuts etc. that has been working for many years, but last week I noticed that those scripts won't run anymore and allways get error code -1 after a while. I doesn't matter whar script I run, even just DIR fail with -1. If I change to run the script as "Local System Account" or "Specific user" there is no problem and the script exit with 0. Has anyone else in the forum experienced this and how to solve this problem?

Hi Zebulon,

Could it be what some major win-10 update has been installed and computers need to be logged-on to complete the update process?

BWT: that exact version of SMP do you have? 8.5Ru2 or older?

Thank you,

Alex.

Hi Alex,
The computers in question are running Windows 10 version 1709 and 1809. The problem does not seem to exist on version 1903!?

We are running SMP version 8.5.3073.

Thank you!

Zeb

Upon closer analysis, it turns out that it works on some 1709, but others not. On 1809 I have only tested 2 and there it works on one but not on the other. On 1903 I've only tested 1 and it works. So the version on Windows 10 doesn't seem to matter.

Has a Group Policy been changed so user rights have changed? Or is it related to patching?

Hi Zebulon,

Wild guess – could it be what problematic computers are in state when they need to restart after the windows updates were just installed? If you will go to problematic computer, restart and logon to OS – will it resolve the issue? Another thought - might it be what users uses MS account to logon to OS on these systems?

Thank you,

Alex.

No! No!

Hi Alex,

No, I've restarted both a problematic computer, the SMP (NS) Server and the Task Server, but without any improvement. We allways logon to OS with on prem AD accounts, if that is what you mean?

Thank you!

Hi Zebulon,

OK, understood. Well, maybe you may zip&attach logs from the problematic computer - there should be some info related to the task launch?

The default path is: C:\ProgramData\Symantec\Symantec Agent\Logs

(AD account: OK, yes)

Thank you,

Alex.

AgentLogs.zip attached!

Attachment(s)

AgentLogs_0.zip   167 KB 1 version

I created a support case, just in case. :-)

Does it mean that you are running task using "Current logged-on user" for managed client computer where no one is logged in there, therefore task fails because of that?

No, I get the error when I am logged in.

UAC Level?

Standard (Always notify).

Hi Zebulon,

May you check on problematic systems - does 'currently logged-on user' has access and might create files in windows temp directory? (c:\windows\temp by default).

Thank you,

Alex.

Hi Zebulon,

Each task creates temp file in windows system temp directory with the script which it will run. Per logs from client, the creation of such temp-file fails with 'access denied' error:

-----

Failed to perform file operation 'create' on 'C:\WINDOWS\TEMP\AltirisScript5BCFBE0091FD9B52CE.ps1' with retries: Åtkomst nekad (0x00000005)

-----

It looks like some permitions were removed from the temp directory which makes it impossible to create such temp file. Maybe it is worth to compare temp folder permissions on a system which don;t have the problems with task execution and on a sustem which has such problems.

HTH,

Alex.

I have done a bit more research and discovered that the problem occurs only on computers where the Windows\Temp directory is opened for Read/Execute for Users, which is not standard. The default permission allows Write/Execute, but not Read, see below. There we have the problem! With Standard permissions on the Windows\Temp directory, the problem never arises.

Standard/Default permission on Windows\Temp

BUILTIN\Users: (CI) (S, WD, AD, X)

(CI) container inherit

S - synchronize

WD - write data / add file

AD - append data / add subdirectory

X - execute / traverse