by jrynlds at 2013-03-05 20:28:11
First I hope I’m in the correct forum… my question is not about how to manage AD with powershell, but this seemed to be the best fit.
I have a small number of servers that are all joined to a Domain. My user account has the "Domain Admin" and "Enterprise Admin" roles, or rather, is a member of these groups. I can RDP into each of the servers (using the default option of only Administrators are able to RDP into the Server).
I have a powershell script that I use to configure new websites on the servers. The script does a check to ensure that it has the privileges to run "Import-Module Webadministration". When I run the script as the local Administrator it works fine, but when I run it as my user ("Domain Admin") it fails the check for elevated user. Below is the code that does the check, but even if I comment out the check, I am unable to "Import-Module".
My question then is… Why isn’t "Domain Admin" considered an elevated user for the purposes of executing the script? How can I get this to work?
(in the future I will tackle PS Remoting, and deploying new site that way, but for now this is our first set up with AD)
Additional info:
I have "Set-ExecutionPolicy RemoteSigned" for the server where script is being executed.
And this is the function I use to check for admin status. It may not be the best code, but I don’t think it is the problem:

    function Test-ShellHasAdminRights {
        # below code adapted from: http://www.leastprivilege.com/AdminTitl … Shell.aspx
        $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $p = New-Object System.Security.Principal.WindowsPrincipal($id)
        # Not running with the Administrators role: tell the user and stop.
        if (!($p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator))){
            Write-Host "In order for this deploy script to complete, it will need to install
    the PowerShell IIS WebAdministration module/plugin. That requires Admin privileges.
    Please close this PS window, and re-open with `"Run as Administrator`"." -ForegroundColor Yellow
            exit 6
        }
    }

by DonJ at 2013-03-06 03:47:01
Well, you're checking to see if you're a member of a specific group. The "IsInRole" doesn't do a good job of unwinding nested membership - it's checking for direct membership.

by ArtB0514 at 2013-03-06 06:44:00
Why not use Try/Catch instead?

    Try {Import-Module "Module Name" -ErrorAction Stop}
    Catch {Write-Warning "In order for this deploy script to complete, it will need to install
    the PowerShell IIS WebAdministration module/plugin. That requires Admin privileges.
    Please close this PS window, and re-open with `"Run as Administrator`"." }

by jrynlds at 2013-03-06 08:25:57
Thank you both for your replies. Both good advice.
The issue I’d like to understand is why the Domain Admin isn’t able to insert a module? I’m continuing to search and experiment, and would welcome any additional direction offered.

by jrynlds at 2013-03-06 10:06:21
Thank you all again for reading, and for your input. After thinking more about what was going on, and doing some testing, I have solved the problem.
I’m embarrassed to report that UAC was stopping the execution; by turning UAC off, execution was allowed.
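
The resolution above comes down to the token the shell is running with: under UAC, a member of Administrators gets a filtered token until the process is elevated. As an added example (not code from any poster in this thread), the check below reports that case separately so the script can ask for an elevated window while UAC stays on. `Get-AdminTokenState` and `Assert-ShellIsElevated` are hypothetical names, and the claims lookup assumes .NET 4.5 or later.

```powershell
# Added example (not from the thread). Function names are hypothetical.
# Assumes .NET 4.5 or later, where WindowsIdentity exposes token groups as claims.
function Get-AdminTokenState {
    $adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object System.Security.Principal.WindowsPrincipal($id)

    # True only when the Administrators SID is enabled in this process's token.
    if ($p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
        return 'Elevated'
    }

    # With UAC on, an administrator's unelevated (filtered) token still carries
    # the Administrators SID, but flagged deny-only, so IsInRole returns false.
    $denyOnly = $id.Claims | Where-Object {
        $_.Type -eq [System.Security.Claims.ClaimTypes]::DenyOnlySid -and
        $_.Value -eq $adminSid
    }
    if ($denyOnly) { return 'AdminNotElevated' }
    return 'NotAdmin'
}

function Assert-ShellIsElevated {
    switch (Get-AdminTokenState) {
        'Elevated' { return }
        'AdminNotElevated' {
            Write-Warning ('Your account is an administrator, but this window was ' +
                'started without elevation. Re-open PowerShell with "Run as Administrator".')
            exit 6   # same exit code as the check posted in the thread
        }
        default {
            Write-Warning 'This account is not a member of the local Administrators group.'
            exit 6
        }
    }
}

# Run the check before loading the IIS module, as the deploy script does.
Assert-ShellIsElevated
Import-Module WebAdministration -ErrorAction Stop
```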