2

I want to deploy a website using the TFS Release Manager and the Web IIS deploy Task. It works perfectly when the account used is a local admin account. But with another non-admin account, I encountered this error:

##[error]Microsoft.PowerShell.Commands.WriteErrorException: System.AggregateException: Failed to install 'VisualStudioRemoteDeployer1fed642b-3699-404d-be6c-f8edb0a59e0a' from service executable path VisualStudioRemoteDeployer.exe . Consult the logs below:
Exception calling "SetRight" with "2" argument(s): "OpenPolicy failed: 5"
 CategoryInfo :NotSpecified: (:) [], MethodInvocationException
 FullyQualifiedErrorId :Exception
 ---> System.Management.Automation.RemoteException: Exception calling "SetRight" with "2" argument(s): "OpenPolicy failed: 5"
   --- End of inner exception stack trace ---
   at Microsoft.VisualStudio.Services.DevTestLabs.Deployment.Deployment.PowershellExecutor.Invoke(String errorContextMessage, Boolean writeResultToLog, Boolean isCancellable)
   at Microsoft.VisualStudio.Services.DevTestLabs.Deployment.Deployment.RemoteDeploymentHelper.InstallServiceInternal(String serviceSourcePath, String serviceName, String destinationFileName)
   at Microsoft.VisualStudio.Services.DevTestLabs.Deployment.Deployment.RemoteDeploymentHelper.InstallService(String serviceSourcePath, String serviceName, String destinationFileName)
   at Microsoft.VisualStudio.Services.DevTestLabs.Deployment.Deployment.DeploymentClient.<RunAsync>d__24.MoveNext()
---> (Inner Exception #0) System.Management.Automation.RemoteException: Exception calling "SetRight" with "2" argument(s): "OpenPolicy failed: 5"<---

I want to know why / which permission this account needs. Browsing the web, I found this post:

https://social.msdn.microsoft.com/Forums/vstudio/en-US/1fecfb5b-8fe5-4e66-80ac-d908a43c8984/winrm-iis-web-app-deployment-privileges-to-target-server?forum=tfsbuild

But the answer is not sufficient. What is the technical reason/need for this task to be run with a local admin account?

Thank you very much for your help.

Florian

2 Answers

1

I think I figured it out. I followed the tutorial here https://technet.microsoft.com/en-us/library/ff700227.aspx

I think most importantly, this command fixed the problem: winrm quickconfig.

PS C:\Windows\system32> winrm quickconfig
WinRM service is already running on this machine.
WinRM is not set up to allow remote access to this machine for management.
The following changes must be made:

Configure LocalAccountTokenFilterPolicy to grant administrative rights remotely to local users.

Make these changes [y/n]? y

WinRM has been updated for remote management.

Configured LocalAccountTokenFilterPolicy to grant administrative rights remotely to local users.
zs2020
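To see what that `winrm quickconfig` run changed on the target server, the following added PowerShell example (not part of the original answer or of the TFS task) reports the LocalAccountTokenFilterPolicy value, the WinRM listeners and the members of the groups mentioned in this thread. The function name `Get-WinRMExposure` is hypothetical; the script assumes an elevated session and Windows PowerShell 5.1 or later for `Get-LocalGroupMember`.

```powershell
# Added audit example, not from the original answer. Run elevated on the target server.
# Get-WinRMExposure is a hypothetical helper name chosen for this example.
function Get-WinRMExposure {
    $policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    # Absent by default. 1 = local accounts in Administrators receive a full,
    # non-UAC-filtered token on network logons (what quickconfig configured above).
    $filter = (Get-ItemProperty -Path $policyPath -Name LocalAccountTokenFilterPolicy `
                   -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy

    # Each listener's key set, e.g. "Transport=HTTP,Address=*"
    $listeners = Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Keys -join ',' }

    # Groups named in this thread; the last two do not exist on every Windows version.
    $groups  = 'Administrators', 'Remote Management Users', 'WinRMRemoteWMIUsers__'
    $members = foreach ($g in $groups) {
        try {
            Get-LocalGroupMember -Group $g -ErrorAction Stop |
                Select-Object @{ n = 'Group'; e = { $g } }, Name, PrincipalSource
        } catch {
            # Missing group or unresolvable member: report it instead of stopping.
            [pscustomobject]@{
                Group           = $g
                Name            = "<unavailable: $($_.Exception.Message)>"
                PrincipalSource = $null
            }
        }
    }

    [pscustomobject]@{
        WinRMServiceStatus            = (Get-Service -Name WinRM).Status
        Listeners                     = $listeners
        LocalAccountTokenFilterPolicy = if ($null -eq $filter) { 'not set' } else { $filter }
        GroupMembers                  = $members
    }
}

$report = Get-WinRMExposure
$report | Format-List WinRMServiceStatus, Listeners, LocalAccountTokenFilterPolicy
$report.GroupMembers | Format-Table -AutoSize

if ($report.LocalAccountTokenFilterPolicy -eq 1) {
    Write-Warning 'LocalAccountTokenFilterPolicy=1: remote UAC filtering is off for local administrator accounts.'
}
```

The policy value only affects local accounts that are members of Administrators, so review that group's membership together with the value.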
0

That Task, , uses WinRM to communicate with the target machine and WinRM is restricted to Administrators.

If you want to use pure MSDeploy, talking to IIS Management Service through the HTTPS protocol, you can use a different task like MSDeployAllTheThings.

Giulio Vian
  • Thanks for the reply. No, it's not. I can use WinRM with a user which is not in the local admin group but in the WinRMRemoteWMIUsers__ – Florian Dec 20 '17 at 14:48