Tuesday, November 27, 2007

STSADM -- Access Denied

While attempting to deploy some SharePoint code via MSBuild, I ran into the following problem.

I have an msbuild.proj that executes several stsadm commands. These work perfectly when executed from the command line. However, once they are called from TeamBuild, I get "Access Denied" on the stsadm execution.

The TFS Service account is a member of the Administrators group on the build server. I can log in to the build server as the TFS Service account and execute the command line successfully. This problem only exists when the commands are spawned from TeamBuild.

I have also tried running several EXEC tasks using runas /trustlevel:unrestricted and various other options with no success.

After far too many hours attempting to resolve the problem myself, I burned a PSS incident with Microsoft to resolve this issue.

Here is what I had to do. Even though the TFS Service Account was a member of the Administrators group on the Build Server, I continually received Access Denied errors. The suspicion was that the TFS Service Account, when run from TeamBuild, was not running as an interactive desktop user, so no user profile was being loaded for it. While I don't claim to fully understand why I was getting the errors, we did reach a solution.

I opened regedit and gave Full Control to the TFS Service Account on the following keys and their subkeys. Full Control is broader than a build account should need; I would imagine Read access would work, but I have not tested it. Please let me know if you find anything else that may work.

  • HKLM\Software\Microsoft\SystemCertificates\
  • HKLM\Software\Microsoft\EnterpriseCertificates\
  • HKLM\Software\Microsoft\WBEM\
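For anyone who would rather script this than click through regedit, here is an added example (written for this page, not code from the original post) that grants the account rights on the three keys above, inherited by their subkeys. It goes one step beyond the post: it defaults to Read, which is the untested lower-privilege variant suggested above, and reproduces the original Full Control grant only when you pass -FullControl. The account name is a placeholder.

```powershell
<#
 Added example, not from the original post. Grants a service account rights on the
 three registry keys from the post, inherited by their subkeys.
 Assumptions: $Account is a placeholder for your TFS service account; the script
 runs on the build server from an elevated PowerShell session.
#>
param(
    [string]$Account = 'CONTOSO\svc-tfsbuild',  # placeholder account name
    [switch]$FullControl                        # reproduce the post's Full Control grant
)

$keys = @(
    'HKLM:\Software\Microsoft\SystemCertificates',
    'HKLM:\Software\Microsoft\EnterpriseCertificates',
    'HKLM:\Software\Microsoft\WBEM'
)

# Default to ReadKey (the lower grant the post suggests might work); Full Control is opt-in.
$rights = if ($FullControl) {
    [System.Security.AccessControl.RegistryRights]::FullControl
} else {
    [System.Security.AccessControl.RegistryRights]::ReadKey
}

# ContainerInherit makes the ACE apply to the key itself and flow down to its subkeys.
$inherit   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) {
        Write-Warning "Key not found, skipping: $key"
        continue
    }
    $acl  = Get-Acl -Path $key
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        $Account, $rights, $inherit, $propagate, $allow
    )
    # SetAccessRule replaces any existing non-inherited Allow ACE for this identity,
    # so re-running the script does not stack duplicate entries.
    $acl.SetAccessRule($rule)
    Set-Acl -Path $key -AclObject $acl
    Write-Host ("Granted {0} to {1} on {2}" -f $rights, $Account, $key)
}

# Verify what actually landed on each key for this account.
foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) { continue }
    (Get-Acl -Path $key).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Select-Object @{ Name = 'Key'; Expression = { $key } },
                      RegistryRights, InheritanceFlags, IsInherited
}
```

Set-Acl on HKLM keys needs a session that is elevated and allowed to change the key's DACL. Run it without -FullControl first and retry the TeamBuild; only widen to -FullControl if the Access Denied persists, since that is the minimum-privilege check the post itself leaves open.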

2 comments:

Anonymous said...

Hi,

I have had the same problem but only when I have tried to add groups. All my other stsadm commands work except the add group command. I have tried your suggestion but I don't think it applies to me, as all the other stsadm commands are working when using MSBuild.

If you have any other suggestions then that would be great.

Thanks.

Brian said...

I am not sure if this will help, but make sure you are providing an email address when you add the group. I am assuming you are calling the adduser option. I believe the email address can be anything. I would recommend using a "do-not-reply" email just to prevent any unwanted spam. If that doesn't help, please post back with more information on the call being made and the error you are receiving. -- Best of luck!