January 1, 2012 at 12:00 am

by jrynlds at 2013-03-05 20:28:11

First I hope I'm in the correct forum... my question is not about how to manage AD with powershell, but this seemed to be the best fit.

I have a small number of servers that are all joined to a Domain. My user account has the "Domain Admin" and "Enterprise Admin" roles, or rather, is a member of these groups. I can RDP into each of the servers (using the default option of only Administrators are able to RDP into the Server).

I have a PowerShell script that I use to configure new websites on the servers. The script does a check to ensure that it has the privileges to run "Import-Module Webadministration". When I run the script as the local Administrator it works fine, but when I run it as my user ("Domain Admin") it fails the check for elevated user. Below is the code that does the check, but even if I comment out the check, I am unable to "Import-Module".

My question then is... Why isn't "Domain Admin" considered an elevated user for the purposes of executing the script? How can I get this to work?

(in the future I will tackle PS Remoting, and deploying new site that way, but for now this is our first set up with AD)

Additional info:
I have "Set-ExecutionPolicy RemoteSigned" for the server where script is being executed.

And this is the function I use to check for admin status. It may not be the best code, but I don't think it is the problem:
function Test-ShellHasAdminRights {
    # below code adapted from: http://www.leastprivilege.com/AdminTitl ... Shell.aspx

    # Wrap the token of the current process in a principal object
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $p = New-Object System.Security.Principal.WindowsPrincipal($id)

    # Warn and exit with code 6 when the Administrator role is not reported
    if (!($p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator))) {
        Write-Host "In order for this deploy script to complete, it will need to install
the PowerShell IIS WebAdministration module/plugin. That requires Admin privileges.
Please close this PS window, and re-open with `"Run as Administrator`"." `
            -ForegroundColor Yellow
        exit 6
    }
}

by DonJ at 2013-03-06 03:47:01

Well, you're checking to see if you're a member of a specific group. The "IsInRole" doesn't do a good job of unwinding nested membership – it's checking for direct membership.

by ArtB0514 at 2013-03-06 06:44:00

Why not use Try/Catch instead?

Try { Import-Module "Module Name" -ErrorAction Stop }
Catch { Write-Warning "In order for this deploy script to complete, it will need to install the PowerShell IIS WebAdministration module/plugin. That requires Admin privileges. Please close this PS window, and re-open with `"Run as Administrator`"." }

by jrynlds at 2013-03-06 08:25:57

Thank you both for your replies. Both good advice.

The issue I'd like to understand is why the Domain Admin isn't able to insert a module? I'm continuing to search and experiment, and would welcome any additional direction offered.

by jrynlds at 2013-03-06 10:06:21

Thank you all again for reading, and for your input. After thinking more about what was going on, and doing some testing, I have solved the problem.

I'm embarrassed to report that UAC was stopping the execution; by turning UAC off, execution was allowed.
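
Added example, not part of the original thread or any poster's script: a check that separates "not an administrator" from "administrator whose token UAC has filtered", which is the case the thread ended on, so the script can ask for an elevated session instead of failing with a generic message. The function name Get-AdminTokenState is hypothetical, and reading deny-only groups through the Claims property assumes PowerShell 3.0 or later on .NET 4.5 or later.

```powershell
# Added example (not from the thread). Classifies the current token so a
# deploy script can tell a non-admin account apart from an admin account
# that is running with the UAC-filtered token.
function Get-AdminTokenState {
    [CmdletBinding()]
    param(
        # Identity to inspect; defaults to the token of the current process.
        [System.Security.Principal.WindowsIdentity]
        $Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    )

    $adminSid  = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
    $principal = New-Object System.Security.Principal.WindowsPrincipal($Identity)

    # IsInRole is true only when the Administrators SID is enabled in the token.
    if ($principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
        return 'Elevated'
    }

    # In a UAC-filtered token the Administrators SID is still present but is
    # marked deny-only; .NET 4.5+ surfaces such groups as DenyOnlySid claims.
    $denyOnly = $Identity.Claims | Where-Object {
        $_.Type -eq [System.Security.Claims.ClaimTypes]::DenyOnlySid -and
        $_.Value -eq $adminSid
    }
    if ($denyOnly) { return 'AdminNotElevated' }

    return 'NotAdmin'
}

# Same exit code (6) as the check posted in the thread.
switch (Get-AdminTokenState) {
    'Elevated' {
        Import-Module WebAdministration -ErrorAction Stop
    }
    'AdminNotElevated' {
        Write-Warning 'This account is an administrator, but the session holds the UAC-filtered token. Re-open PowerShell with "Run as Administrator".'
        exit 6
    }
    'NotAdmin' {
        Write-Warning 'This account is not a member of the local Administrators group on this server.'
        exit 6
    }
}
```

In a non-elevated session, `whoami /groups` shows the same condition: BUILTIN\Administrators is listed with the attribute "Group used for deny only".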