Hi,
I am having issues launching OIS5StartPolicy.exe remotely from WinPE. If I run OIS5StartPolicy.exe with all parameters locally on the action server, everything is ok and policy runs.
Scenario:
Server A) Management Server
Server B and C) Action servers
Server D) Windows member server (WinPE stage)
Servers A, B and C are in the same domain. Server D is in a workgroup? (WinPE)
Once networking is set up on Server D, I launch a VB script, with credentials that are in the Administrators group on all Opalis servers, to remotely execute the OIS5StartPolicy.exe command + switches.
"D:\Scripts\WaCT_Opalis\CMDExec\OIS5StartPolicy.exe" /id {3D3E39C5-CFD3-4C55-9C1C-A85016720DA5} /wait /ms:"<MS>" /as:"<AS>" "Server_Name=Server D" > D:\Scripts\WaCT_Opalis\CMDExec\out.txt
What out.txt reveals is "Unable to retrieve Action Server information."
I have enabled WMI on Windows Firewall. What other rules need to be enabled?
Is this a double hop issue? Server D (WinPE) passes credentials to Server B (Action Server) over WMI (I can see the security logon events), plus if, for example, I launch Calc.exe, it will show up in Task Manager running under that user. So the VB script works OK in a single hop scenario. But when I launch OIS5StartPolicy.exe, this requires a connection to the management server, I'm assuming (second hop).
I have also tried to run the script against Server A (Mgmt Server), with the same out.txt output. So it looks like a double hop again (communication to the Action Servers).
I was looking into computer account delegation in AD, which supposedly enables passing of credentials to remote hosts. (The account I'm using does not have the sensitive account delegation option disabled).
Any help or ideas are welcome. If you need more info, please let me know.
Thank you
Stan