Requested registry access is not allowed. runspace.Open() in powershell custom activity

  • Question

  • Hi All,

    I got the following error when a non-admin user tried to invoke the PowerShell custom activity.

    Requested registry access is not allowed.

    As per my findings, this exception is raised when we try to open the newly created runspace.

    I used the code below to create and open the runspace:

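    // Requires: using System.Management.Automation.Runspaces;
    // Call the CreateRunspace() method to create the runspace.
    using (var runspace = RunspaceFactory.CreateRunspace())
    {
        // Execute on the thread that called the Invoke method.
        runspace.ThreadOptions = PSThreadOptions.UseCurrentThread;
        // This is the call that fails for the non-admin user.
        runspace.Open();
        // ... (remainder of the activity is not shown in the post)
    }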

    Please help me to resolve this issue.

    Thanks.


    Wednesday, October 10, 2012 5:48 AM

All replies

  • Please clarify something. When you say "when non-admin user tried to ... custom activity":

    My understanding is that FIMService never impersonates the caller. FIMService is always running in the context of the FIMService service account. Can you attach a debugger and confirm the identity in the thread context?


    And to your question:

    >>Requested registry access is not allowed.

    Following my assertions above, you might want to grant more permissions to the FIMService service account.


    The FIM Password Reset Blog http://blogs.technet.com/aho/

    Wednesday, October 10, 2012 7:59 AM
  • Let us say the Administrator created a user "User1" in FIM.

    When the administrator used the PowerShell custom activity, it worked fine.

    But when 'User1' tried to use it, he got the exception "Requested registry access is not allowed."

    Please suggest the best way to create a runspace here, as I am new to FIM.

    Thanks.

    Thursday, October 11, 2012 7:51 AM
  • Have you tried using the debugger to figure out what the user context is when you try to create a runspace?

    If you need first-class support, you can always contact Microsoft Customer Support.


    The FIM Password Reset Blog http://blogs.technet.com/aho/

    Thursday, October 11, 2012 7:55 AM
  • Yes, I enabled the debugger and tried to search for the error in the created logs (messages.svclog and tracelog.svclog).

    But I was unable to figure it out.

    I have found the error in Search Requests ->  <click on Request> -> General -> Request Workflow Remarks


    Thursday, October 11, 2012 2:29 PM
  • In the debugger, put a breakpoint on the line right before it opens the runspace. Type "$user" in the watch window and compare/check the thread identity.


    The FIM Password Reset Blog http://blogs.technet.com/aho/

    Thursday, October 11, 2012 10:21 PM
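
The identity check the replies ask for can also be done in code instead of a debugger. The following is an added example, not code from any poster in this thread: it logs the effective Windows identity immediately before `runspace.Open()` and again if the call fails. The class and method names are hypothetical, and output is assumed to go to `System.Diagnostics.Trace`.

```csharp
using System;
using System.Diagnostics;
using System.Management.Automation.Runspaces;
using System.Security.Principal;

// Hypothetical helper (added example): records which account actually
// executes runspace.Open(), so a registry ACL can be granted to the
// right principal instead of guessing between caller and service account.
public static class RunspaceDiagnostics
{
    public static Runspace OpenWithIdentityTrace()
    {
        string who;
        // GetCurrent() returns the thread token if the thread is impersonating,
        // otherwise the process token (the hosting service's account).
        using (WindowsIdentity effective = WindowsIdentity.GetCurrent())
        // GetCurrent(true) returns null unless the thread is impersonating.
        using (WindowsIdentity threadOnly = WindowsIdentity.GetCurrent(true))
        {
            bool impersonating = threadOnly != null;
            // False for a non-elevated token even if the account is an admin.
            bool isAdmin = new WindowsPrincipal(effective)
                .IsInRole(WindowsBuiltInRole.Administrator);
            who = string.Format(
                "identity={0} impersonating={1} level={2} admin={3}",
                effective.Name, impersonating,
                effective.ImpersonationLevel, isAdmin);
        }
        Trace.TraceInformation("Before runspace.Open(): " + who);

        Runspace runspace = RunspaceFactory.CreateRunspace();
        try
        {
            runspace.ThreadOptions = PSThreadOptions.UseCurrentThread;
            runspace.Open();
            return runspace; // caller is responsible for disposing it
        }
        catch (Exception ex)
        {
            // Log the exception type and message alongside the identity,
            // e.g. "Requested registry access is not allowed."
            Trace.TraceError("runspace.Open() failed as {0}: {1}: {2}",
                who, ex.GetType().FullName, ex.Message);
            runspace.Dispose();
            throw;
        }
    }
}
```

If the logged identity is the same account for both the administrator's request and User1's request, the difference lies elsewhere than the thread identity; if it differs, that account is the one whose registry permissions need review.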