I developed an ASP.NET MVC web application for running PowerShell scripts.
I am using VS web server and can execute scripts perfectly.
However, the requirement is that users can run scripts against AD to perform actions that their own accounts cannot perform.
Therefore, I use impersonation to switch the identifier before creating the PowerShell workspace:
Runspace runspace = RunspaceFactory.CreateRunspace(config); var currentuser = WindowsIdentity.GetCurrent().Name; if (runspace.RunspaceStateInfo.State == RunspaceState.BeforeOpen) { runspace.Open(); }
I tested using a domain administrator account and I get the following exception when calling runpace.Open ():
Security exception Description: The application attempted to perform an operation not permitted by the security policy. To grant this application the required permissions, contact your system administrator or change the application trust level in the configuration file. Exception Details: System.Security.SecurityException: Requested registry access is not allowed.
The web application works with full trust, and I explicitly added the account that I use to impersonate the group of local administrators of the machine (even if the group of domain admins already exists).
I am using the advapi32.dll LogonUser call to perform an impersonation similar to this post ( http://blogs.msdn.com/webdav_101/archive/2008/09/25/howto-calling-exchange-powershell-from-an-impersonated-thead. aspx )
Any help is appreciated as it is currently a small trial plug.
Thanks Ben
source share