What permissions are required for a Release Manage

Published 2019-05-29 14:53

Question:

I've configured the deployment to a web server using a service account. On the target machine remote PowerShell is enabled and the account has been added to the Remote Management Users group.

I initiate a release and the following error occurs. If I add the service account to the local Administrators group on the web server then it succeeds. I can reproduce the same error by remoting into the web server, under the service account, and attempting to call get-service.

System.AggregateException: 
Cannot open Service Control Manager on computer '.'. This operation might require other privileges.
 CategoryInfo :NotSpecified: (:) [Get-Service], InvalidOperationException
 FullyQualifiedErrorId :System.InvalidOperationException,Microsoft.PowerShell.Commands.GetServiceCommand
 ---> System.Management.Automation.RemoteException: Cannot open Service Control Manager on computer '.'. This operation might require other privileges.
   --- End of inner exception stack trace ---
   at Microsoft.VisualStudio.Services.DevTestLabs.Deployment.Deployment.PowershellExecutor.Invoke(String errorContextMessage, Boolean writeResultToLog, Boolean isCancellable)
   at Microsoft.VisualStudio.Services.DevTestLabs.Deployment.Deployment.RemoteDeploymentHelper.AcquireMutexOwnerShip(String serviceName, String destinationPath, Int64 deploymentHeartbeatTimeoutSec)
   at Microsoft.VisualStudio.Services.DevTestLabs.Deployment.Deployment.DeploymentClient.<RunAsync>d__14.MoveNext()

Does anyone know the minimum permissions required for a service account to get this working? I want to avoid adding the account to the Administrators group.

Answer 1:

Some background information: Rather than just executing your PowerShell deployment script against the target server using PSRemoting, it uses PSRemoting to install a Windows Service (VisualStudioRemoteDeployer.exe) on the target server. This service then runs your deployment script locally, and the MSRM server regularly polls this Windows service (see here) to see if it is finished deploying.

I suspect this strange setup has something to do with avoiding the double-hop issue - so that it allows your script to make a 2nd hop from the target server to another server, e.g. for a webservice call.

So you'll need enough permissions to install that Windows service, and according to this post, that means administrative permissions.
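
An added example, not part of the original question or answer: a PowerShell audit, run from an elevated session on the target server, that decodes the Service Control Manager's DACL to show which trustees may enumerate services (what Get-Service needs) and which may create one (what installing the deployer service needs). The helper name Get-ScmAclReport and the sample SDDL string are constructed for illustration.

```powershell
# Added example (not from the original post). Run from an elevated session on
# the target server: reading the SCM security descriptor needs READ_CONTROL.

# Object-specific access bits of the Service Control Manager.
$ScmRights = @{
    0x0001 = 'CONNECT'
    0x0002 = 'CREATE_SERVICE'      # required to install a Windows service
    0x0004 = 'ENUMERATE_SERVICE'   # required to list services (Get-Service)
    0x0008 = 'LOCK'
    0x0010 = 'QUERY_LOCK_STATUS'
    0x0020 = 'MODIFY_BOOT_CONFIG'
}

# Hypothetical helper: one row per ACE in the DACL of the given SDDL string.
function Get-ScmAclReport {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # unresolvable SID: print it raw
        $mask = $ace.AccessMask
        $names = $ScmRights.GetEnumerator() | Sort-Object Key |
                 Where-Object { $mask -band $_.Key } | ForEach-Object { $_.Value }
        [pscustomobject]@{
            Trustee          = $name
            AceType          = $ace.AceType
            Rights           = $names -join ', '
            CanEnumerate     = [bool]($mask -band 0x0004)
            CanCreateService = [bool]($mask -band 0x0002)
        }
    }
}

# Constructed sample in the format 'sc.exe sdshow scmanager' prints; the real
# descriptor differs between Windows versions and hardened builds.
$SampleSddl = 'D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)'

# Prefer the live descriptor; fall back to the sample if it cannot be read.
$live = (& sc.exe sdshow scmanager 2>$null) -join ''
if ($LASTEXITCODE -ne 0 -or $live -notmatch '^\s*D:') { $live = $SampleSddl }
Get-ScmAclReport -Sddl $live.Trim() | Format-Table -AutoSize
```

With the constructed sample, only the Administrators (BA) entry reports CanCreateService, and the Authenticated Users (AU) entry grants CONNECT alone, which is consistent with the error in the question.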