Tuesday, November 27, 2007

STSADM -- Access Denied

While attempting to deploy some SharePoint code via MSBuild, I ran into the following problem.

I have an msbuild.proj that executes several stsadm commands. These work perfectly when executed from the command line. However, once they are called from TeamBuild, I get "Access Denied" on the stsadm execution.

The TFS Service account is a member of the Administrators group on the build server. I can log in to the build server as the TFS Service account and execute the command line successfully. This problem only exists when the commands are spawned from TeamBuild.

I have also tried running several EXEC tasks using runas /trustlevel:unrestricted and various other options with no success.

After several, and far too many, hours attempting to resolve the problem myself, I burned a PSS with Microsoft to resolve this issue.

Here is what I had to do. Even though the TFS Service Account was a member of the Administrators group on the Build Server, I continually received Access Denied errors. The suspicion was that the TFS Service Account, when run from TeamBuild, was not executing as an interactive/desktop user. Therefore, there wasn't a profile that was being used. While I don't claim to fully understand why I was getting the errors, we did reach a solution.

I opened regedit and gave full control to the TFS Service Account for the following keys and their sub-keys. I would imagine Read Only access would work, but I have not explored further. Please let me know if you find anything else that may work.

  • HKLM\Software\Microsoft\SystemCertificates\
  • HKLM\Software\Microsoft\EnterpriseCertificates\
  • HKLM\Software\Microsoft\WBEM\
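The same change, scripted, as an added example that is not part of the original post. It grants the account an inheritable ACE on the three keys above, reporting what the account already holds first; the account name is a placeholder, and it defaults to ReadKey (the lesser right the post suggests trying) rather than the FullControl the post actually used, which can be passed via -Rights.

```powershell
# Added example (not from the original post): grant a service account rights on the
# three registry keys named in the post, inherited by their sub-keys.
# Run from an elevated PowerShell session on the build server.
# ASSUMPTION: 'DOMAIN\tfsservice' is a placeholder; replace it with the real account.
param(
    [string]$Account = 'DOMAIN\tfsservice',
    # The post granted FullControl; ReadKey is the least-privilege option it suggests trying.
    [System.Security.AccessControl.RegistryRights]$Rights = 'ReadKey'
)

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\SystemCertificates',
    'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates',
    'HKLM:\SOFTWARE\Microsoft\WBEM'
)

foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) {
        Write-Warning "Key not found, skipping: $key"
        continue
    }

    $acl = Get-Acl -Path $key

    # Record what the account already has so the change is auditable before it is made.
    $existing = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $Account })
    foreach ($ace in $existing) {
        Write-Host "$key : $Account already has $($ace.RegistryRights) ($($ace.AccessControlType))"
    }

    # ContainerInherit propagates the ACE to all sub-keys, matching what regedit does
    # when permissions are applied to a key "and its sub-keys".
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        $Account, $Rights, 'ContainerInherit', 'None', 'Allow')

    $acl.AddAccessRule($rule)
    Set-Acl -Path $key -AclObject $acl
    Write-Host "$key : granted $Rights to $Account (inherited by sub-keys)"
}
```

Re-run with `-Rights FullControl` only if ReadKey still yields Access Denied, so the build account ends up with the smallest grant that works.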


Anonymous said...


I have had the same problem but only when I have tried to add groups. All my other stsadm commands work except the add group command. I have tried your suggestion but I don't think it applies to me as all the other stsadm commands are working when using MSBuild.

If you have any other suggestions then that would be great.


Brian said...

I am not sure if this will help, but make sure you are providing an email address when you add the group. I am assuming you are calling the adduser option. I believe the email address can be anything. I would recommend using a "do-not-reply" email just to prevent any unwanted spam. If that doesn't help, please post back with more information on the call being made and the error you are receiving. -- Best of luck!