Run batch file as administrator on Jenkins? - batch-file

We're using Jenkins on Win8 x64 to build (msbuild), package (cspack), run (csrun) and test (nunit) an azure cloud services project. The Azure cloud service emulators need to run as administrator plus we need to bind to ports 80/443 (so can't use "lite" emulators).
We're doing the above via a simple .bat file that Jenkins runs. Typically no user logs into the machine, it boots up and Jenkin's runs as a service that keeps monitoring our GIT repo and emails on failures. An admin manually logs into the machine just for maintenance (eg. apply patches or reboot machine etc)
How do we configure Jenkins to run that .bat as administrator without human interaction?
With a desktop UI we can right click a command prompt, run as admin, acknowledge the UAC prompt, get the elevated privilege prompt and run the .bat file.

Our solution was to run the Jenkins' service as a separate local admin user. After installing Jenkins, Start => 'services' => Scroll to the Jenkins service => right click => properties => "log on" => "this account" => specify a local admin account.
Hopefully in newer Jenkins' builds it can work as the standard NETWORK SERVICE but for some reason it didn't with our box.

One of the solution:
Create bat file in slave.
Create shortcut of the file and right click the shortcut, properties -> Advanced -> check run as
administrator.
Control Panel -> System and Security -> Action
Center -> Change User Account Control Settings and set the level to
"never notify".
run the file on Jenkins
Somehow the file will be executed on slave server but it return failure on Jenkins.

This is My situation:
I need to use admin privileged console to run pywinauto script (written in python) to automate some app which requires admin privileged.
What I had tried:
In my experience, install Windows Jenkins slave as a service creating more issue to take care with, so I don't go this route.
To create a new process and it will open a new admin privileged shell and run command on it. But, in this way, Jenkins will not show its output, say in Blue Ocean.
What worked for me:
Just manually open an admin privileged console to start the your_window_node.jnlp file and then this Jenkins slave will have admin privileged.

If you'll log to the widows machine as an administrator and run the slave agent from this user, everything will be running under the administrator user

Related

Batch file runs fine but not in Task Scheduler

Afternoon everyone,
I've tried to research this topic in depth and I cannot come to a conclusion for my problem. I'm trying to automate a batch file in Task Scheduler to execute two SSIS packages. Currently when I attempt to execute the scheduled task (either waiting for its set schedule or running on demand), task scheduler will show that the task has completed successfully, the "Status" will continue to say "Running" but the destination files are never created/re-created. This is the script:
dtexec /f "D:\SSIS\Folder\Folder\Folder\Package.dtsx"
dtexec /f "D:\SSIS\Folder\Folder\Folder\Package.dtsx"
The SSIS is supposed to pull information from SQL and export it to a CSV which it does wonderfully... If I execute this script in CMD, Powershell, or run my batch file directly.
About my environment:
My script resides on a SQL Server. (Windows Server 2016 Standard)
I have a domain admin account used for scripting permissions (all parent folders including the batch file itself have that domain admin added with full permissions, including the csv destination).
The scheduled task is set to: "Run whether user is logged on or not", "Run with highest privileges", Configured for Windows Vista and Windows Server 2008. I know my credentials are correct for my domain admin account.
In "Actions", "Program/script:" is currently set to "C:\Scripts\file.bat", there is nothing in "Add Arguments (optional):" currently, "Start in (optional):" is set to "C:\Scripts".
So here is what I've tried:
I've set "Program/script:" to "cmd.exe" and added an argument of "file.bat" with a start in as "C:\Scripts", no dice.
I've set "Program/script:" to "Powershell.exe" and set an argument of "-ExecutionPolicy Bypass C:\Scripts\file.bat" with a start in as "C:\Scripts", no luck again.
I added my domain admin account to the local administrators group on the server as well.
I've changed the user/group from my domain admin account to my domain admin account (the one I'm logged into the server with) and set it to "Run only when user is logged on", if this is set and I attempt to run the scheduled task, CMD flashes on screen and disappears before I can read anything (it's still too fast for the script to actually run, it takes ~20 seconds) and the destination file isn't altered.
(This one really stumps me) I've tried to add the script to another scheduled task on the server, that scheduled task will run on schedule and complete every script in the batch file except for these 2 lines. The other scheduled task it was added to uses the same domain admin account, same settings across the board, it even has other similar SSIS packages being run using "dtexec", I don't get it.
Thanks for any input anybody can give me, it's greatly appreciated.
I know this is a super old post, but I just had the same issue and wasn't successful with any other popular solutions around StackOverflow, so I want to put out an alternative solution for anyone still struggling!
When in doubt, double check the user account in the Security Options under Properties (right-click on Task > Properties > first page under "Security Options").
Even though the user that it had selected by default should have permission to execute the script, I had to change the user account to a user with a higher privilege (I'm on a work computer). For me, this meant I had to select the Administrator group on my particular desktop environment.

UAC issue on Windows Server 2008 R2

I have a 20-year-old executable on 64-bit Windows 2008 R2 that needs to run when called from a batch file.
I tried the settings under Compatibility | Privilege Level | Change settings for all users | Run this program as an administrator, but it does not work -- it always brings up the UAC access prompt.
The only way it will run is with User Account Control disabled. I thought about running the batch in a Scheduled Task with the elevated permissions, but if it doesn't work with the Compatibility settings to run as admin, I don't know how it would be any different in Scheduled Tasks. I will be running it with Scheduled Tasks, but right now I am in testing mode.
Also, the paths are hard-coded in the program, so I can't reinstall under Program Files - it has to be directly under C: drive.
Is there something else I can do to get this to run with UAC enabled?
When you login to Windows with an Administrator account, Windows creates two tokens for you: an elevated one that has all your admin privileges, and a limited one that functions more like a regular user token. When the OS detects that you are trying to run something that requires the elevated privileges, it will show a UAC prompt to allow you to confirm that you want to run elevated.
So, if you run the batch file in a way that it already uses an elevated token, you won't get a UAC prompt. Interactively, you can open Command Prompt elevated (which will require a UAC confirmation), and then run the batch file as much as you want without any further prompts. Alternatively, you could run it as a scheduled task. As long as the scheduled task is running with the correct user credentials (you could run under your user account with highest privileges checked, or run it under some system account, or even create a completely new Admin user account), it should be able to run without any UAC prompt.
Bear in mind that as soon as you have the system running a batch file with elevated privileges, anyone who can modify that batch file can compromise your computer. You should run it as an account with as few privileges as possible (while still running successfully), and make sure the batch file itself is secured.

Batch file's Core FTP line is Not running during Scheduled Task. Works if started Manually

I have a simple batch file which needs to be run weekly to upload some files via Core FTP.
I'm using the free version of Core FTP LE.
MySavedProfile is the Site Name of the saved profile I created using Core FTP's site Manager. The profile contains the URL / credentials / etc of the site to connect to.
Here are the contents of the batch file:
SET logf=confirm.log
echo test-start >> %logf%
"C:\Progra~1\CoreFTP\coreftp.exe" -B -s -pasv -O -site MySavedProfile -u "C:\Progra~2\PathToFiles\FileToUpload.txt"
echo test-finish >> %logf%
For the Windows Server 2012 r2 Task Scheduler, I have created a basic, weekly scheduled task on the Task Scheduler Library root which runs the batch file. For this scheduled task I have:
(Under the General tab)
"Run whether user is logged on or not" is selected
"Run with highest privileges" is checked
Configure for = Windows Server 2012 R2
(Under Actions)
Action = Start a program
Program / Script = "C:\Progra~2\PathToFiles\batch.bat"
Start in = C:\Progra~2\PathToFiles\
Here is the weird behavior I am getting:
If I double click on the batch file directly, it works fine and uploads the text file via Core FTP just fine.
However, if I try to let the Windows Task Scheduler run it, it runs everything except the Core FTP line. That is, I get the usual:
test-start
test-finish
in the confirm.log file, but the FileToUpload.txt has not been uploaded to the remote server, and there are no errors from CoreFTP that I can detect.
I have tried this with a service account that has permissions to run batch files, as well as my own account for this scheduled task. I get the same result: it doesn't seem to run that CoreFTP line. At least not via Task Scheduler. I need this upload to be automated.
I've searched Core FTP's documentation, Google, etc. No one seems to have run into this exact issue. I've applied recommendations from distantly related issues, but none of them have worked.
Any help would be greatly appreciated. Thank you.
The only way to do this is to use the full version of Core FTP (that is Core FTP Pro). If you use the LE version you have to check the "Run only when user is logged on" option.
This happens because of the splash screen at the beginning.
If you can't be logged on forever you could create a user that will always be logged on just for these tasks.
Remember to use the -Log option on CoreFTP to check if it is actually doing something.

The system cannot find the specified drive in Jenkins

I want to copy some files from a network shared drive (mounted at my local machine as drive Z). I have written a Batch file to copy the contents of Z drive into my local drive. This batch file runs successfully on cmd, but i am having issue when i trigger it through Jenkins. The Jenkins gives the following error:
"The system cannot find the specified drive"
Any help regarding this, will be greatly appreciated.
Thanks,
Nouman.
If you don't want to use Jenkins-plugins or schedule-Tasks here is a "groovy" way:
By Hand:
You can use the Groovy Script-Console provided by Jenkins>Manage Jenkins>Script Console and execute the command to map the network-drive within the Jenkins-service. (Must be repeated, once the Jenkins-service is stopped)
Automation:
Write your Groovy commands to a file named "init.groovy" and place it in your JENKINS_HOME-directory. So the network-drive gets mapped on Jenkins-startup.
Groovy Commands - Windows:
Check available network drives using the Script-Console:
println "net use".execute().getText()
Your init.groovy would look like this:
def mapdrive = "net use z: \\\\YOUR_REMOTE_MACHINE\\SHARED_FOLDERNAME"
mapdrive.execute()
Yes Jenkins uses different login credentials. To map a drives through Jenkins use below command in Jenkins command prompt:
Subst U: \drive\folder
then after that your queries.
You might run into permission issues. Jenkins might be executed with different user credentials; so it does not know the configured drive for the windows share. Instead of using shell scripts I suggest to use a plugin. There is a set of Publish-over plugins that allow deployments to remote systems via a couple of protocols (ssh, cfis etc). Have a look at the CFIS plugin that allows to send artifacts to a windows share. Once the plugin is configured (ie the host is specified in the Manage Jenkins section) you can add to the post build steps Send files to a windows share where you can specify which file(s) shall be sent to which location.
Had this issue where my jenkins job was unable to read files present on the network drive.
I resolved it by adding "net use" command in your pre-build step. i.e.
Open your job.
Go to Pre Steps
From the drop down, select Execute Windows Batch Command
Enter the following command:
net use E: \[server name][Folder name] "[password]" /user:"[userid]"
Click Save
Execute the job
I was able to read files from my network drive by following the steps mentioned above.
It seemed to be a one time activity as after the initial run, I had removed the batch command from my job and it seemed to remember the mapped drive command.
Try adding debugging commands to that bat file, or as separate build step, such as net use, set (pay attention to vars like like HOMEPATH and USERNAME) and plain dir Z:\.
As said in another answer, most likely reason is that Jenkins runs as SYSTEM user, which has different permissions. One way around that is, go to services (for example open Task Manager, go to Services tab in it, click the Services button at the lower right corner of that tab), find Jenkins service, open it's properties, go to "Log on" tab and set your normal user account as one that runs Jenkins.
Basically you can access your network shared drive (Z) using by servername or IP from jenkins command. Write \\192.168.x.xxx\Your_Folder instead of z:\Your_Folder.
For example:
mkdir \\192.168.x.xxx\Your_Folder
I was trying to copy files from one remote computer to other, the easy solution which worked for me is COPY iphone.exe \192.xx.xx.xx\dev(dev is the folder name on c drive in that ip address)
A similar issue showed up for us on Jenkins slaves set up on Windows Server 2008 following this documentation. The Jenkins agent failed to access the mounted network drives even after configuring the agent service with the correct user credentials.
Troubleshooting:
Jenkins could access the mounted network drives by their drive letters when connected via the JNLP agent (Launch agent via Java Web Start).
It stops recognizing the drive letters soon after we install the agent as a Windows service. Configuring the correct user credentials and restarting the agent does not help.
We could still access the drives via the command line while logged in to the machine with the above user.
Stop the agent service from services.msc and then uninstall it by running the command jenkins-slave.exe uninstall. The slave is disconnected at this point.
Reconnect the slave by launching the JNLP agent via Java Web Start. The agent can now access the network drives again.
Synopsis:
Do not install the slave agent as a Windows service to keep accessing your mounted network drives using drive letters. But this is highly unreliable as the agent might fail to restart after a machine reboot. Alternatively, see if Jenkins can access them via \\<ip_address\of\network\drive>.
In order to access your remote drive
just use the command in cmd prompt
pushd "\sharedDrive\Folder1\DestinationFolder"
mkdir FolderName
popd
pushd >> It navigates to the shared drive by creating a virtual drive..
popd >> Gets you back to the local directory

Running batch file on Remote Desktop login fails

As just extra protection, I am wanting to backup remote sql db to my location nightly. There is no VPN so...
I created a user on the 2008 db server for the sole purpose to log on from my office and download the db bak file nightly. Gave this user read permission on the backup directory (T:\Backup) and added to the remote users group.
I created a Automated task on my workstation that calls a rdp file that successfully connects to the db server as this user.
The rdp file specifies in the "Start a program" tab the following path:
C:\Windows\System32\mstsc.exe T:\Backup\copydb.bat
I have tested both parts:
1) Double-clicking the rdp file will login automatically. (WORKS)
2) I can then manualy open the dos prompt and run the bat file. (WORKS)
However, the bat file does not seem to execute on connection . There is no cmd window. I can douple-click on the bat file and the cmd window will flash and go away but does not execute. The only way I've been able to get it to execute is to open the prompt and then the file.
I thought that's what this would do:
C:\Windows\System32\mstsc.exe T:\Backup\copydb.bat
What am I missing?
This might be your problem.
Refer to this MS support article You cannot create a terminal server session to a Windows Server 2008-based computer by using an .rdp file that runs an initial program
To work around this problem, add the program path to the RemoteApp Programs list. To do this, follow these steps:
Click Start, click Run, type remoteprograms.msc, and then click OK.
In the actions pane, click Add RemoteApp Programs, and then click Next.
Click Browse, locate the program that you want to approve, click Next, and then click Finish.

Resources