Unable to Import-Module as Domain Admin


    by jrynlds at 2013-03-05 20:28:11

    First I hope I'm in the correct forum... my question is not about how to manage AD with powershell, but this seemed to be the best fit.

    I have a small number of servers that are all joined to a Domain. My user account has the "Domain Admin" and "Enterprise Admin" roles, or rather, is a member of these groups. I can RDP into each of the servers (using the default option of only Administrators are able to RDP into the Server).

    I have a PowerShell script that I use to configure new websites on the servers. The script does a check to ensure that it has the privileges to run "Import-Module Webadministration". When I run the script as the local Administrator it works fine, but when I run it as my user ("Domain Admin") it fails the check for elevated user. Below is the code that does the check, but even if I comment out the check, I am unable to "Import-Module".

    My question then is... Why isn't "Domain Admin" considered an elevated user for the purposes of executing the script? How can I get this to work?

    (in the future I will tackle PS Remoting, and deploying new site that way, but for now this is our first set up with AD)

    Additional info:
    I have "Set-ExecutionPolicy RemoteSigned" for the server where script is being executed.

    And this is the function I use to check for admin status. It may not be the best code, but I don't think it is the problem:
    function Test-ShellHasAdminRights {
        # below code adapted from: http://www.leastprivilege.com/AdminTitl ... Shell.aspx

        # Build a principal for the account running this shell
        $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $p = New-Object System.Security.Principal.WindowsPrincipal($id)

        # Stop with exit code 6 when the current token is not in the Administrators role
        if (!($p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator))){
            Write-Host "In order for this deploy script to complete, it will need to install
    the PowerShell IIS WebAdministration module/plugin. That requires Admin privileges.
    Please close this PS window, and re-open with `"Run as Administrator`"." `
            -ForegroundColor Yellow
            exit 6
        }
    }

    by DonJ at 2013-03-06 03:47:01

    Well, you're checking to see if you're a member of a specific group. The "IsInRole" doesn't do a good job of unwinding nested membership – it's checking for direct membership.

    by ArtB0514 at 2013-03-06 06:44:00

    Why not use Try/Catch instead?

    Try {Import-Module "Module Name" -ErrorAction Stop}
    Catch {Write-Warning "In order for this deploy script to complete, it will need to install the PowerShell IIS WebAdministration module/plugin. That requires Admin privileges. Please close this PS window, and re-open with `"Run as Administrator`"." }

    by jrynlds at 2013-03-06 08:25:57

    Thank you both for your replies. Both good advice.

    The issue I'd like to understand is why the Domain Admin isn't able to insert a module? I'm continuing to search and experiment, and would welcome any additional direction offered.

    by jrynlds at 2013-03-06 10:06:21

    Thank you all again for reading, and for your input. After thinking more about what was going on, and doing some testing, I have solved the problem.

    I'm embarrassed to report that UAC was stopping the execution; by turning UAC off, execution was allowed.
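
The UAC cause reported in the last post can be confirmed from inside the script. The following is an added example, not code from the thread: it reads the token's elevation type through the Win32 GetTokenInformation API so the deploy script can tell a UAC-filtered administrator apart from an account with no administrative token at all. The UacDemo.Token type and both function names are made up for this example.

```powershell
# Added example: P/Invoke wrapper around the Win32 GetTokenInformation API.
# UacDemo.Token and the function names below are hypothetical, chosen for this example.
Add-Type -Namespace UacDemo -Name Token -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(
    IntPtr TokenHandle, int TokenInformationClass,
    out int TokenInformation, int TokenInformationLength, out int ReturnLength);
'@

function Get-ShellElevationState {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object System.Security.Principal.WindowsPrincipal($id)

    # TOKEN_INFORMATION_CLASS 18 = TokenElevationType:
    #   1 = Default (no linked token), 2 = Full (elevated), 3 = Limited (filtered by UAC)
    $type = 0
    $len  = 0
    if (-not [UacDemo.Token]::GetTokenInformation($id.Token, 18, [ref]$type, 4, [ref]$len)) {
        throw (New-Object System.ComponentModel.Win32Exception)
    }

    New-Object PSObject -Property @{
        User          = $id.Name
        IsInAdminRole = $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
        ElevationType = @{ 1 = 'Default'; 2 = 'Full'; 3 = 'Limited' }[$type]
    }
}

function Assert-ShellCanLoadWebAdministration {
    $state = Get-ShellElevationState
    if ($state.IsInAdminRole) { return $state }

    if ($state.ElevationType -eq 'Limited') {
        # A linked full token exists, but this process holds the UAC-filtered one.
        Write-Warning "$($state.User) has a linked elevated token, but this shell is not using it. Re-open PowerShell with 'Run as Administrator'."
    } else {
        # No linked token: the account has no administrative token on this server.
        Write-Warning "$($state.User) has no elevated token available. Use an account that is a member of the local Administrators group."
    }
    exit 6
}

$null = Assert-ShellCanLoadWebAdministration
Import-Module WebAdministration -ErrorAction Stop
```

With UAC enabled, a non-elevated shell started by a domain account in the local Administrators group reports `Limited`, while the same shell started with "Run as Administrator" reports `Full` and passes the check.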
