AuthorizationManager check failed Runtime Exception when no access to one of the script subfolders

  • Question

  • Hello,

    consider this scenario:

    you are a standard user and the execution policy is set to Unrestricted for the machine (LocalMachine or for all scopes).

    you want to run a powershell script c:\test\sub1\sub2\script1.ps1

    the standard users group has NTFS read permission to c:\test and c:\test\sub1\sub2, but NOT to c:\test\sub1

    standard users can browse and read files inside c:\test\sub1\sub2

    The problem is that when running the command powershell.exe -file c:\test\sub1\sub2\script1.ps1

    I get the following error:

    AuthorizationManager check failed.

    CategoryInfo: Not Specified: (:) [], ParentContainsErrorRecordException

    FullyQualifiedErrorId: RuntimeException

    Is it normal?

    The workaround I've found to make it work is to call the powershell with bypass argument:

    powershell.exe -executionpolicy bypass -file c:\test\sub1\sub2\script1.ps1

    or to add at least the NTFS permission "List folder / read data" for users on the folder c:\test\sub1

    I am asking in this forum because I have this problem with SCCM clients: the folder c:\windows\ccmcache is not accessible to interactive users, only the subfolders which contain packages and scripts. Suddenly PowerShell fails for packages running as the currently logged-on user, even with the execution policy set to RemoteSigned.

    Is there a recent Windows update which changed the behavior of PowerShell?

    Thank you.

    • Edited by Larry.B.IT Tuesday, October 13, 2015 9:16 AM
    Tuesday, October 13, 2015 9:08 AM

Answers

  • We got a response from MS:

    Cause

    Unfortunately the issue is caused by a design limitation. For AppLocker to work, its mechanisms (the AiGetFullImagePath function) query the full path of the folder structure up to where the application or script allowed for the user is stored, thus failing with access denied inside an internal kernel function (GetFinalPathNameByHandleW) when the user does not have at least the desired read access at some point in the folder structure chain. Because it is not directly denied by the AppLocker policy, no error is presented directly on the screen; it is only logged in the event logs.


    Resolution

    To resolve the issue, the administrator must give at least the desired read permissions to the users who have to run these applications or scripts, for all the folders in the chain from the root of the partition up to the folder where the script or application resides.

    Unfortunately this is not possible in the SCCM portion of our scenario because the CCM Executive resets the permissions for the users on the ccmcache folder, under which the scripts that run in the user context are stored and executed, thus presenting an issue for such scenarios.

    Our SCCM product group has been informed of this behavior. This information is being discussed and reviewed for future updates. Unfortunately, I will not be able to give you any timeline for a patch resolving this scenario.

    • Marked as answer by Larry.B.IT Tuesday, March 8, 2016 12:39 PM
    Tuesday, March 8, 2016 12:39 PM
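An added diagnostic, written here and not part of the thread or of any Microsoft tool, that applies the resolution above: it walks the folder chain from the drive root to the script as the current user and reports, for each link, whether "List folder / read data" access is effective, then pulls the AppLocker script events where the denial is recorded. The sample path and the AppLocker log name are assumptions.

```powershell
# Added diagnostic (not from the thread): report list/read access on every folder
# from the drive root down to the script, since AppLocker's full-path lookup needs
# that access on each link of the chain.
function Test-ScriptPathChain {
    param(
        [Parameter(Mandatory)] [string] $ScriptPath   # e.g. c:\test\sub1\sub2\script1.ps1 (constructed)
    )
    $file = [System.IO.Path]::GetFullPath($ScriptPath)
    $root = [System.IO.Path]::GetPathRoot($file)

    # Build the chain root -> ... -> folder that holds the script
    $chain  = New-Object System.Collections.Generic.List[string]
    $cursor = [System.IO.Path]::GetDirectoryName($file)
    while ($cursor -and $cursor -ne $root) {
        $chain.Insert(0, $cursor)
        $cursor = [System.IO.Path]::GetDirectoryName($cursor)
    }
    $chain.Insert(0, $root)

    foreach ($folder in $chain) {
        # Effective check for the *current* identity: enumerating succeeds only with
        # "List folder / read data" on the folder itself; traverse alone is not enough.
        try {
            Get-ChildItem -LiteralPath $folder -Force -ErrorAction Stop | Select-Object -First 1 | Out-Null
            $state = 'OK'
        } catch {
            $state = 'NO LIST/READ'   # this link breaks the path resolution described above
        }
        # Explicit (non-inherited) ACEs show where the chain was cut, e.g. on sub1 or ccmcache.
        # Reading the ACL itself needs READ_CONTROL, so it may be unavailable on that folder.
        $acl = Get-Acl -LiteralPath $folder -ErrorAction SilentlyContinue
        $explicit = if ($acl) {
            ($acl.Access | Where-Object { -not $_.IsInherited } |
                ForEach-Object { "$($_.IdentityReference):$($_.AccessControlType):$($_.FileSystemRights)" }) -join '; '
        } else { '(ACL not readable)' }
        [pscustomobject]@{ Folder = $folder; CurrentUser = $state; ExplicitACE = $explicit }
    }
}

# The denial is only written to the event log; read the latest AppLocker script events.
function Get-AppLockerScriptEvents {
    param([int] $Count = 10)
    Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/MSI and Script' -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

Test-ScriptPathChain -ScriptPath 'c:\test\sub1\sub2\script1.ps1' | Format-Table -AutoSize
Get-AppLockerScriptEvents | Format-List
```

Run it as the affected standard user, not as an administrator, since the check reflects the caller's own effective access; a 'NO LIST/READ' row on an intermediate folder is the condition the Microsoft response describes.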

All replies

  • I would post in "connect" forum or contact MS Support.

    You should also post in SCCM forum for response from the SCCM folks.

    Normally these things happen due to non-accepted usage. I am pretty sure that ccmcache is not designed to be used by ad-hoc scripts.


    \_(ツ)_/

    Tuesday, October 13, 2015 10:43 AM
    Moderator
  • Tuesday, October 13, 2015 12:16 PM
    Moderator
  • Hello, after a lot of troubleshooting, I did manage to localize the issue:

    The error seems to occur with the combination of C:\Windows\ccmcache + AppLocker + standard user.

    When I disable the AppLocker (it is just enabled in "audit mode" for scripts), then we have no more issue and CCM scripts (.ps1, .bat or .vbs) in C:\Windows\ccmcache can now execute as logged-on standard users.

    I don't understand why script interpreters are failing with access denied errors whereas AppLocker is just in audit mode.

    We are opening a support case with MS.


    • Edited by Larry.B.IT Thursday, January 14, 2016 10:53 AM
    Thursday, January 14, 2016 10:52 AM