While attempting to deploy some SharePoint code via MSBuild, I ran in to the following problem.
I have a msbuild.proj that executes several stsadm commands. These work perfectly when executed from the command-line. However, once they are called from TeamBuild, I get "Access Denied" on the stsadm execution.
The TFS Service account is a member of the Administrators group on the build server. I can login to the build server as the TFS Service account and execute the command-line successfully. This problem only exists when the commands are spawned from TeamBuild.
I have also tried running several EXEC tasks using runas /trustlevel:unrestricted and various other options with no success.
After several, and far too many, hours attempting to resolve the problem myself, I burned a PSS with Microsoft to resolve this issue.
Here is what I had to do. Even though the TFS Service Account was a member of the Administrators group on the Build Server, I continually received Access Denied errors. The suspicion was that the TFS Service Account, when run from TeamBuild, was not executing as an interactive/desktop user. Therefore, there wasn't a profile that was being used. While I don't claim to fully understand why I was getting the errors, we did reach a solution.
I opened regedit and gave full control to the TFS Service Account for the following keys and their sub-keys. I would imagine Read Only access would work, but I have not explored further. Please let me know if you find anything else that may work.
- HKLM\Software\Microsoft\SystemCertificates\
- HKLM\Software\Microsoft\EnterpriseCertificates\
- HKLM\Software\Microsoft\WBEM\
2 comments:
Hi,
I have had the same problem but only when I have tried to add groups. All my other stsadm commands work except add group command. I have tried your suggestion but I dont think it applies to me as all the other stsadm commands are working when using MSBuild.
If you have any other suggestions then that would be great.
Thanks.
I am not sure if this will help, but make sure you are providing an email address when you add the group. I am assuming you are calling the adduser option. I believe the email address can be anything. I would recommend using a "do-no-reply" email just to prevent any unwanted spam. If that doesn't help, please post back with more information on the call being made and the error you are receiving. -- Best of luck!
Post a Comment