1

I have a PowerShell script which will create the WebApplication and SiteCollection and upload the solution. Creation of the WebApplication and SiteCollection for user X works fine, but Add-SPUserSolution is failing with UnauthorizedAccessException. The PowerShell process is running with the credentials of user X, whereas the logged-in user is Y.

Both user X and Y are farm admins and site collection admins as well as system admins (DB admins too).

What is the possible reason for this exception?

Regards Jeez

Edit

As suggested by Anders, I tried with Start-Process by invoking SetUpSpApp.ps1 as below.

ExecSetup.ps1 (Machine A)

    start-process powershell C:\SetUpSpApp.ps1 -Credential $USerXCred

SetUpSpApp.ps1 (Machine A)

    function SetUp()
    {
        #creation of WebApp using New-SPWebApplication goes here
        ...
        $site = New-SPSite $Url -OwnerAlias $OwnerLogin -Name $Name -Template $Template -Language $Language
        #other stuff
        ..
    }

I tried invoking ExecSetup.ps1 using Invoke-Command from machine B (logged-in user Y):

    invoke-command -ScriptBlock { C:\ExecSetup.ps1 } -Computer "hostname" -Credential $UserXscred

This fails with an Access denied exception.

    invoke-command -ScriptBlock { C:\SetUp.ps1 } -Computer "hostname" -Credential $UserXscred

The script executes but fails when control reaches the New-SPSite command with a User not found exception.

The same thing happened when I tried invoking the scripts using WMI:

    ConnectionOptions options = new ConnectionOptions();
    options.Impersonation = ImpersonationLevel.Impersonate;
    options.Username = "userX";
    options.Password = "passwd";
    options.EnablePrivileges = true;

    ManagementScope scope = new ManagementScope("\\\\MacineA\\root\\cimv2", options);
    scope.Connect();

    ObjectGetOptions objectGetOptions = new ObjectGetOptions();
    ManagementPath managementPath = new ManagementPath("Win32_Process");
    ManagementClass processClass = new ManagementClass(scope, managementPath, objectGetOptions);

    ManagementBaseObject inParams = processClass.GetMethodParameters("Create");
    // inParams["CommandLine"] = @"powershell.exe c:\ExecSetup.ps1";
    inParams["CommandLine"] =
    ManagementBaseObject outParams = processClass.InvokeMethod("Create", inParams, null);

    Console.WriteLine("Creation of the process returned: " + outParams["returnValue"]);
    uint pid = (uint) outParams["processId"];
  • You might want to check your event log and 14/LOGS folders to get more detailed information. Commented Apr 20, 2011 at 15:20
  • Do you have a stack trace? Commented Apr 20, 2011 at 15:21
  • @Jaap here are the exception details: Add-SPUserSolution : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) At E:\Scripts\CreateWebAppAndCollection.psm1:216 char:33 + $solution = Add-SPUserSolution <<<< -LiteralPath $SolutionPath -Site $Url + CategoryInfo : InvalidData: (Microsoft.Share...AddUserSolution:SPCmdletAddUserSolution) [Add-SPUserSolu tion], UnauthorizedAccessException + FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletAddUserSolution Commented Apr 21, 2011 at 4:10
  • If I log in using user X's credentials and run the same script, everything works fine! But if I log in using Y's credentials and try to create the WebApp and SiteCollection using X as the WebApp owner, then creation of the WebApp and SiteCollection works fine but addition of the sandboxed solution is failing. Commented Apr 21, 2011 at 4:14
  • Are you creating a new Content DB for your web app in the script? Wouldn't user Y need db level permissions on that content DB? Commented Apr 21, 2011 at 9:40

2 Answers

4

Don't forget that you also need membership of the SharePoint_Shell_Access role to use PowerShell cmdlets that interact with the content database. Use the Add-SPShellAdmin cmdlet to enable this.

  • Note that the user that can give your user the shell admin permissions to the specific content database needs to be a shell admin itself. A good bet is your install account. Also remember that the shell that is used to add your permissions must be run with administrative privileges if UAC is enabled. Commented Apr 20, 2011 at 19:12
  • Thanks for the response, but use of Add-SPShellAdmin did not help; I am getting the same exception. Commented Apr 21, 2011 at 4:12
  • @Anders, UAC is disabled and both the logged-in user Y and user X running the scripts are system admins. Commented Apr 21, 2011 at 4:13
  • Yes, system admins, but I agree it is worth trying out assigning the user Shell Access for the database. You can get the content databases in PowerShell using Get-SPContentDatabase: Get-SPContentDatabase | Where-Object {$_.Name -eq "WSS_Content"} | Add-SPShellAdmin -UserName yourdom\spadmin Commented Apr 21, 2011 at 10:06
1

How do you start the PowerShell session with another user? I have experienced issues, especially with UAC enabled if you use Run As Other User.

Try instead to use

    start-process powershell -Credential yourdom\youruser

Or to run as administrator

    start-process powershell -verb runAs

Yet another option is to use Start-Job to run code as another user inside your script. Example:

    start-job -scriptblock {get-eventlog -log system} -credential yourdom\youruser

Note that if you need to use SharePoint cmdlets, you will need to use the -InitializationScript parameter to add the Microsoft.SharePoint.PowerShell snap-in:

    $job = start-job -InitializationScript {Add-PSSnapin Microsoft.SharePoint.PowerShell} -ScriptBlock {Get-SPFarm} -Credential mydom\svcSPFarm
    Receive-Job $job

The cool thing about scripting this is also that you can use it in shortcuts or inside PowerShell scripts.

More info on Start-Process and Start-Job

  • I am invoking PowerShell via WMI and UAC is disabled on the system. Start-Process worked fine. Since I am passing the credential when I create the PowerShell process using WMI, is that not sufficient? Because the PowerShell process so created runs under the account X, and I assumed it will have all privileges associated with X. Commented Apr 21, 2011 at 4:45
  • Could you update the question with the relevant code you use to spawn your PowerShell process? Both out of interest and so I could test if permissions are different. Commented Apr 21, 2011 at 10:07
  • It's happening because Invoke-Command executes under the logged-in user's credentials, i.e., Y, even though I am passing X's credentials as an argument to Invoke-Command (are the passed credentials just used to connect to the system?). Is it possible to run Invoke-Command to execute under X's credentials? Commented Apr 21, 2011 at 12:19
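
The following diagnostic is an added example, not code from any poster in this thread. It starts a job as the intended account, as the second answer describes, and reports which identity the job actually runs under and whether that account is listed as a shell admin on the site's content database, as the first answer requires. The site URL and the account name are placeholders.

```powershell
# Added example: placeholders below are assumptions, not values from the thread.
$Url  = 'http://sharepoint.example/sites/demo'   # hypothetical site collection URL
$Cred = Get-Credential 'yourdom\youruser'        # account the script should run as (user X)

$job = Start-Job -Credential $Cred `
    -InitializationScript { Add-PSSnapin Microsoft.SharePoint.PowerShell } `
    -ArgumentList $Url `
    -ScriptBlock {
        param($SiteUrl)

        # Identity carried by the process token, and whether the token is elevated.
        $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
        $principal = New-Object Security.Principal.WindowsPrincipal($id)
        $elevated  = $principal.IsInRole(
            [Security.Principal.WindowsBuiltInRole]::Administrator)

        # Content database behind the site collection, and its shell admins
        # (members of the SharePoint_Shell_Access role on that database).
        $db     = Get-SPContentDatabase -Site $SiteUrl
        $admins = @(Get-SPShellAdmin -Database $db |
                    ForEach-Object { $_.UserName })

        # PowerShell 2.0 compatible result object (SharePoint 2010 shell).
        New-Object PSObject -Property @{
            RunningAs       = $id.Name
            Elevated        = $elevated
            ContentDatabase = $db.Name
            IsShellAdmin    = ($admins -contains $id.Name)
        }
    }

Wait-Job $job | Receive-Job |
    Format-List RunningAs, Elevated, ContentDatabase, IsShellAdmin
```

If RunningAs shows the logged-in account rather than the one passed in, or IsShellAdmin is False, the job is not running with the rights the script expects on that content database.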