Unable to Import-Module as Domain Admin

by jrynlds at 2013-03-05 20:28:11

First I hope I’m in the correct forum… my question is not about how to manage AD with powershell, but this seemed to be the best fit.

I have a small number of servers that are all joined to a Domain. My user account has the “Domain Admin” and “Enterprise Admin” roles, or rather, is a member of these groups. I can RDP into each of the servers (using the default option of only Administrators are able to RDP into the Server).

I have a PowerShell script that I use to configure new websites on the servers. The script does a check to ensure that it has the privileges to run “Import-Module Webadministration”. When I run the script as the local Administrator it works fine, but when I run it as my user (“Domain Admin”) it fails the check for elevated user. Below is the code that does the check, but even if I comment out the check, I am unable to “Import-Module”.

My question then is… Why isn’t “Domain Admin” considered an elevated user for the purposes of executing the script? How can I get this to work?

(In the future I will tackle PS Remoting, and deploying new sites that way, but for now this is our first setup with AD.)

Additional info:
I have “Set-ExecutionPolicy RemoteSigned” for the server where the script is being executed.

And this is the function I use to check for admin status. It may not be the best code, but I don’t think it is the problem:

    function Test-ShellHasAdminRights {
        # below code adapted from: http://www.leastprivilege.com/AdminTitl … Shell.aspx

        # Build a principal for the token this PowerShell process is running with
        $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $p = New-Object System.Security.Principal.WindowsPrincipal($id)

        # Warn and stop if the current token does not carry the Administrators role
        if (!($p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator))) {
            Write-Host "In order for this deploy script to complete, it will need to install
    the PowerShell IIS WebAdministration module/plugin. That requires Admin privileges.
    Please close this PS window, and re-open with `"Run as Administrator`"." -ForegroundColor Yellow
            exit 6
        }
    }

by DonJ at 2013-03-06 03:47:01

Well, you're checking to see if you're a member of a specific group. The "IsInRole" doesn't do a good job of unwinding nested membership - it's checking for direct membership.

by ArtB0514 at 2013-03-06 06:44:00

Why not use Try/Catch instead?

    Try { Import-Module "Module Name" -ErrorAction Stop }
    Catch {
        Write-Warning "In order for this deploy script to complete, it will need to install
    the PowerShell IIS WebAdministration module/plugin. That requires Admin privileges.
    Please close this PS window, and re-open with `"Run as Administrator`"."
    }

by jrynlds at 2013-03-06 08:25:57

Thank you both for your replies. Both good advice.

The issue I’d like to understand is why the Domain Admin isn’t able to insert a module? I’m continuing to search and experiment, and would welcome any additional direction offered.

by jrynlds at 2013-03-06 10:06:21

Thank you all again for reading, and for your input. After thinking more about what was going on, and doing some testing, I have solved the problem.

I’m embarrassed to report that UAC was stopping the execution; by turning UAC off, execution was allowed.
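
The last post traces the failure to UAC: in a non-elevated session a member of Administrators runs with a filtered token, so the IsInRole check returns false. The sketch below is an added example, not code from any poster in the thread; it reads the token's elevation type so the script can tell a filtered administrator session apart from a standard user. `Get-TokenElevationState` and the `Win32.TokenInfo` type name are hypothetical names chosen here.

```powershell
# Added example: classify the current token instead of relying on IsInRole alone.
# Get-TokenElevationState and Win32.TokenInfo are hypothetical names.
Add-Type -Namespace Win32 -Name TokenInfo -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(
    IntPtr TokenHandle, int TokenInformationClass,
    out int TokenInformation, int TokenInformationLength, out int ReturnLength);
'@

function Get-TokenElevationState {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object System.Security.Principal.WindowsPrincipal($id)
    $isAdmin = $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # TOKEN_INFORMATION_CLASS 18 = TokenElevationType.
    # Result: 1 = Default (no split token), 2 = Full (elevated), 3 = Limited (filtered).
    $type = 0; $len = 0
    if (-not [Win32.TokenInfo]::GetTokenInformation($id.Token, 18, [ref]$type, 4, [ref]$len)) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "GetTokenInformation failed with Win32 error $err"
    }

    $state = switch ($type) {
        2 { 'Elevated' }
        3 { 'Filtered' }   # UAC split token; a linked elevated token exists
        default { if ($isAdmin) { 'AdminUnfiltered' } else { 'StandardUser' } }
    }
    New-Object PSObject -Property @{ User = $id.Name; IsInRoleAdmin = $isAdmin; State = $state }
}

$t = Get-TokenElevationState
switch ($t.State) {
    'Filtered' {
        Write-Host "$($t.User) is running with the UAC-filtered token. Close this PS window and re-open with `"Run as Administrator`"." -ForegroundColor Yellow
        exit 6
    }
    'StandardUser' {
        Write-Host "$($t.User) does not hold the Administrators role on this server." -ForegroundColor Yellow
        exit 6
    }
    # 'Elevated' or 'AdminUnfiltered': the token carries the Administrators role
    default { Import-Module WebAdministration -ErrorAction Stop }
}
```

With UAC left on, a Domain Admin in a normal session reports `Filtered`, the same account in an elevated session reports `Elevated`, and the built-in local Administrator, which by default is not subject to Admin Approval Mode, reports `AdminUnfiltered`.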