Workflows and Admin Privilege

  • Question

  • Hi Great Minds,

    I have a PS4 script that runs on a scripting server (2012r2) that makes changes on some other servers (2012r2).  I used workflow for parallel processing in this script, nothing fancy.  So, I granted a service account local admin rights on the remote servers, and kept it a regular user on the scripting server.  When I run the script using Task Scheduler (on the scripting server), it gives this error:

    The workflow 'Main_Workflow' could not be started: Access to the path 'C:\Users
    \Default\AppData\Local\Microsoft\Windows\PowerShell\WF\PS\default\S-1-5-21-2052
    xxxxx-xxxxxxxxx-xxxxxxxxxx-xxxxxxx_NI\ee6b40d7-a6a7-4d2b-a70e-8b3cdc44f2fc' is 
    denied.
    At line:405 char:21
    +                     throw (New-Object 
    System.Management.Automation.ErrorRecord $ ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~
        + CategoryInfo          : InvalidArgument: (System.Manageme...etersDictionary:PSBoundParametersDictionary) [], RuntimeException
        + FullyQualifiedErrorId : StartWorkflow.InvalidArgument


    This error goes away after I've granted local admin rights on the scripting server for the service account.

    My question is, does PS Workflow require local admin privilege??  I can't seem to find any documentation that says so.  And if it does require local admin privilege, why??
    Wednesday, July 5, 2017 2:09 PM

All replies

  • Also, I've done this many times without workflow and it always works (regular user on scripting server and local admin on remote server).
    Wednesday, July 5, 2017 2:19 PM
  • Your workflow is trying to write to a location that only admins can access. 

    'C:\Users\Default\AppData\Local\Microsoft\Windows\PowerShell\WF\PS\default\

    You need to be sure the WF is configured and set for the user account you are using.  Start by logging in as the user and running the WF.  If the WF is installing software then it will need admin rights.


    \_(ツ)_/

    Wednesday, July 5, 2017 2:20 PM
  • Thank you jrv.  I noticed that too but my code doesn't try to write there.  I think somehow PS tries to do that whenever a workflow is used, which makes me think it's the default behaviour.  If so local admin will always be required but I don't see any reason (nor any MS documentation) for this......
    Wednesday, July 5, 2017 2:25 PM
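
A diagnostic for the path in the error above, added here as an example and not posted by anyone in the thread: run as the service account, it reports where the workflow store path would resolve and whether that account can create files there without local admin rights. It assumes the store sits under the account's local application data folder, as the path in the error message suggests; the probe file name is made up for this check.

```powershell
# Added example, not code from the thread. Run it under the service account, both from
# the scheduled task and from an interactive logon, and compare the two results.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

# Assumption: the store is <LocalAppData>\Microsoft\Windows\PowerShell\WF\PS\default,
# which is the shape of the path shown in the error message.
$localAppData = [Environment]::GetFolderPath('LocalApplicationData')
$store = $null
if ($localAppData) {
    $store = Join-Path $localAppData 'Microsoft\Windows\PowerShell\WF\PS\default'
}

# Walk up to the nearest folder that exists; a first run has to create from there down.
$probeDir = $store
while ($probeDir -and -not (Test-Path -LiteralPath $probeDir)) {
    $probeDir = Split-Path -Path $probeDir -Parent
}

# Try to create and delete a throwaway file (hypothetical name) in that folder.
$writable = $false
$failure  = $null
if ($probeDir) {
    $probe = Join-Path $probeDir ('wf-probe-{0}.tmp' -f [guid]::NewGuid())
    try {
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $probe -ErrorAction SilentlyContinue
        $writable = $true
    } catch {
        $failure = $_.Exception.Message
    }
} else {
    $failure = 'Local application data folder could not be resolved for this account.'
}

# C:\Users\Default is the profile named in the error; flag it when the path lands there.
$underDefault = [bool]($store -and
    $store.StartsWith('C:\Users\Default\', [StringComparison]::OrdinalIgnoreCase))

[pscustomobject]@{
    Account             = $identity.Name
    IsLocalAdmin        = $isAdmin
    ResolvedStore       = $store
    UnderDefaultProfile = $underDefault
    NearestExistingDir  = $probeDir
    CanCreateFiles      = $writable
    Failure             = $failure
} | Format-List
```

In a scheduled task, redirect the output to a file the service account can write to, since there is no console to read it from.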