Programmatically unlocking IIS configuration sections in Powershell

Al Henderson picture Al Henderson · Apr 19, 2011 · Viewed 12.4k times · Source

I am writing a powershell script to create and configure a number of websites and virtual directories. I am using the .NET Microsoft.Web.Administration assembly. I have created a new application under the default website and added a new virtual directory to it and it all works well. What I'm trying to do now is set up the authentication options for the virtual directory. I am doing the following in powershell:

[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Web.Administration")

$oIIS = new-object Microsoft.Web.Administration.ServerManager
$oWebSite = $oIIS.Sites["Default Web Site"]
$oApp = $oWebSite.Applications["/MyApp"]

$oConfig = $oApp.GetWebConfiguration()

$oAnonAuth = $oConfig.GetSection("system.webServer/security/authentication/anonymousAuthentication")
$oAnonAuth.SetAttributeValue("enabled", "False")

However, the SetAttributeValue command gives me the following error:

"This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false"

From what I have read elsewhere, there are some suggestions to change the XML file for the application to allow overriding. I don't want to have to do that - is there any way to programmatically unlock the configuration to allow me to change it? I don't want any user input into this process at all..

Thanks for any help, Al.


Found the answer I was looking for - but being a new user I can't answer my own question for 24 hrs..

I think I found the code below on this site, but my machine has since rebooted so I've lost the page. However, the following seems to work:

#
# Allow overriding of the security settings.
#
$oGlobalConfig = $oIIS.GetApplicationHostConfiguration()
$oConfig = $oGlobalConfig.GetSection("system.webServer/security/authentication/anonymousAuthentication", "Default Web Site/mySite")
$oConfig.OverrideMode="Allow"
$oIIS.CommitChanges()

#
# Following the commit above, we need a new instance of the configuration object, which we can now 
# modify.
#
$oGlobalConfig = $oIIS.GetApplicationHostConfiguration()
$oConfig = $oGlobalConfig.GetSection("system.webServer/security/authentication/anonymousAuthentication", "Default Web Site/mySite")
$oConfig.SetAttributeValue("enabled", "False")
$oIIS.CommitChanges()

Answer

Daniel Richnak picture Daniel Richnak · Apr 19, 2011

I wrote a blog post about this quite a while back. http://www.danielrichnak.com/powershell-iis7-teach-yoursel/

The below code will loop through everything in system.webserver level and unlock it. You can target different nodes as you see fit.

$assembly = [System.Reflection.Assembly]::LoadFrom("$env:systemroot\system32\inetsrv\Microsoft.Web.Administration.dll")

# helper function to unlock sectiongroups
function unlockSectionGroup($group)
{
    foreach ($subGroup in $group.SectionGroups)
    {
        unlockSectionGroup($subGroup)
    }
    foreach ($section in $group.Sections)
    {
        $section.OverrideModeDefault = "Allow"
    }
}

# initial work
# load ServerManager
$mgr = new-object Microsoft.Web.Administration.ServerManager
# load appHost config
$conf = $mgr.GetApplicationHostConfiguration()

# unlock all sections in system.webServer
unlockSectionGroup(
     $conf.RootSectionGroup.SectionGroups["system.webServer"])

Your solution is similar but different enough that I can't verify what you've got, but since you say it works - sounds good. :)