IIS 7 and Above
running PS scripts from a webpage / sharepoint site
Last post Sep 23, 2009 03:10 AM by sergeia
Sep 21, 2009 07:47 PM|jezza6|LINK
This is a tricky one..
We need to start and stop several services in certain orders frequently so with powershell thought it would be possible to have a basic HTML page with a few buttons / links to ps1 scripts which start or stop all required services these in the correct order.
However we can't see any way to execute these .ps1 scripts directly from the webpage links..
Also UAC makes this difficult because some of the services we've scripted to start and stop will only execute with elevated privileges.
We have got a crude workaround whereby we can install PoSH v2 and set it's .exe compatibility mode (because it's not a part of version windows 2008 R1) to 'run as administrator', then have each of our web page links open a folder with the ps1 script ready to
be executed. After configuring set-executionpolicy unrestricted (one off) we can then double click the ps1 file, and click continue on the UAC prompt that appears.
However is there a more elegant way of doing this?
Also once PoSH v2 is released to market this workaround will no longer work if the compatibility mode: 'run as administrator' option is removed and/or we upgrade to R2..
Sep 22, 2009 12:02 AM|lextm|LINK
If on IIS 6 or IIS 7, you can try to run the application pool under LocalSystem or a local administrator account and test again.
You can also manipulate Windows services via .NET Framework, but that requires ASP.NET pages and also the above application pool identity changes (or using ASP.NET impersonation).
Sep 22, 2009 12:30 AM|jezza6|LINK
Thanks for the quick reply lextm
With your second suggestion can we manipulate services that would otherwise require a UAC elevated powershell session within windows 2008 / vista?
Would this be by using the WMI classes in powershell or can we avoid PoSH altoghether?
If not using PoSH and not requiring UAC user confirmation how complex would the .NET code be?
Sep 22, 2009 02:51 AM|lextm|LINK
UAC is mainly designed for client applications which are executed by a logon user under his/her account.
I am not sure how Powershell script is called from your pages, but if the application pool runs under LocalSystem or local administrator, the script can be executed under the same identity. If so the permission problem can be resolved.
To be safe, you'd better also post this question to Powershell forum to see if the experts there can provide more insights.
Sep 22, 2009 05:23 PM|sergeia|LINK
I believe you could work around the problem with worker process identity by using PowerShell jobs. Here is how I would approach it (I am planning to write blog post on this topic some time).
1. In your Web application add code that hosts PowerShell. This is fairly trivial. This instance of PowerShell will run at whatever identity worker process runs.
2. From this instance you could start another PowerShell process, locally or remotely, using any credentials that will be sufficient to access configuration or your service. To do this, you have to evecute command start-job programmatically, i.e. get runspace,
create pipeline, create command object, etc. Pass your script to this job as a parameter. Pass your credentials to this job, you could get credentials from the request.
3. After job is done (it will run asynchronously, you could monitor status or execute wait-job), and you want output, execute receive-job and process output that was accumulated. Execute remove-job to clean up.
To get more details, run "help about_jobs" in PowerShell v2.0. As a bonus you could run job on remote computer (remove relative to your server).
Sep 23, 2009 12:52 AM|jezza6|LINK
A blog on this would be great :)
I also found this which could be helpful so will take a look into it tomorrow http://www.leastprivilege.com/HostingPowerShellInASPNET.aspx
Will your technique only run with About_Jobs cmdlet in powershell v2. (we just been told we can't upgrade to v2 as it's still beta..)
Sep 23, 2009 03:10 AM|sergeia|LINK
Yes, jobs are v2.0 feature. This version is actually already released in Windows 7 and will be released
downlevel very soon. You could use it for development, it is very stable. Hosting PowerShell is generally the same in both v1.0 and v2.0. You could start with that.