What permissions are required for a Release Management 2013 vNext release using Powershell

时光毁灭记忆、已成空白 提交于 2019-12-08 00:24:37

问题


I've configured the deployment to a web server using a service account. On the target machine remote powershell is enabled and the account has been added to the Remote Management Users group.

I initiate a release and the following error occurs. If I add the service account to the local Administrators group on the web server then it succeeds. I can reproduce the same error by remoting into the web server, under the service account, and attempting to call get-service.

System.AggregateException: 
Cannot open Service Control Manager on computer '.'. This operation might require other privileges.
 CategoryInfo :NotSpecified: (:) [Get-Service], InvalidOperationException
 FullyQualifiedErrorId :System.InvalidOperationException,Microsoft.PowerShell.Commands.GetServiceCommand
 ---> System.Management.Automation.RemoteException: Cannot open Service Control Manager on computer '.'. This operation might require other privileges.
   --- End of inner exception stack trace ---
   at Microsoft.VisualStudio.Services.DevTestLabs.Deployment.Deployment.PowershellExecutor.Invoke(String errorContextMessage, Boolean writeResultToLog, Boolean isCancellable)
   at Microsoft.VisualStudio.Services.DevTestLabs.Deployment.Deployment.RemoteDeploymentHelper.AcquireMutexOwnerShip(String serviceName, String destinationPath, Int64 deploymentHeartbeatTimeoutSec)
   at Microsoft.VisualStudio.Services.DevTestLabs.Deployment.Deployment.DeploymentClient.<RunAsync>d__14.MoveNext()

Does anyone know the minimum permissions required for a service account to get this working? I want to avoid adding the account to the Administrators group.


回答1:


Some background information: Rather than just executing your Powershell deployment script against the target server using PSRemoting, it uses PSRemoting to install a Windows Service (VisualStudioRemoteDeployer.exe) on the target server. This service then runs your deployment script locally, and the MSRM server regularly polls this Windows service (see here) to see if it is finished deploying.

I suspect this strange setup has something to do with avoiding the double-hop issue - so that it allows your script to make a 2nd hop from the target server to another server, e.g. for a webservice call.

So you'll need enough permissions to install that Windows service, and according to this post, that means administrative permissions.



来源:https://stackoverflow.com/questions/33962104/what-permissions-are-required-for-a-release-management-2013-vnext-release-using

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!