Programmatically unlocking IIS configuration sections in Powershell
I am writing a powershell script to create and configure a number of websites and virtual directories. I am using the .NET Microsoft.Web.Administration assembly. I have created a new application under the default website and added a new virtual directory to it and it all works well. What I'm trying to do now is set up the authentication options for the virtual directory. I am doing the following in powershell:
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Web.Administration")
$oIIS = new-object Microsoft.Web.Administration.ServerManager
$oWebSite = $oIIS.Sites["Default Web Site"]
$oApp = $oWebSite.Applications["/MyApp"]
$oConfig = $oApp.GetWebConfiguration()
$oAnonAuth = $oConfig.GetSection("system.webServer/security/authentication/anonymousAuthentication")
$oAnonAuth.SetAttributeValue("enabled", "False")
However, the SetAttributeValue command gives me the following error:
"This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false"
From what I have read elsewhere, there are some suggestions to change the XML file for the application to allow overriding. I don't want to have to do that - is there any way to programmatically unlock the configuration to allow me to change it? I don't want any user input into this process at all..
Thanks for any help, Al.
Found the answer I was looking for - but being a new user I can't answer my own question for 24 hrs..
I think I found the code below on this site, but my machine has since rebooted so I've lost the page. However, the following seems to work:
#
# Allow overriding of the security settings.
#
$oGlobalConfig = $oIIS.GetApplicationHostConfiguration()
$oConfig = $oGlobalConfig.GetSection("system.webServer/security/authentication/anonymousAuthentication", "Default Web Site/mySite")
$oConfig.OverrideMode="Allow"
$oIIS.CommitChanges()
#
# Following the commit above, we need a new instance of the configuration object, which we can now
# modify.
#
$oGlobalConfig = $oIIS.GetApplicationHostConfiguration()
$oConfig = $oGlobalConfig.GetSection("system.webServer/security/authentication/anonymousAuthentication", "Default Web Site/mySite")
$oConfig.SetAttributeValue("enabled", "False")
$oIIS.CommitChanges()
Answer
I wrote a blog post about this quite a while back. http://www.danielrichnak.com/powershell-iis7-teach-yoursel/
The below code will loop through everything in system.webserver level and unlock it. You can target different nodes as you see fit.
$assembly = [System.Reflection.Assembly]::LoadFrom("$env:systemroot\system32\inetsrv\Microsoft.Web.Administration.dll")
# helper function to unlock sectiongroups
function unlockSectionGroup($group)
{
foreach ($subGroup in $group.SectionGroups)
{
unlockSectionGroup($subGroup)
}
foreach ($section in $group.Sections)
{
$section.OverrideModeDefault = "Allow"
}
}
# initial work
# load ServerManager
$mgr = new-object Microsoft.Web.Administration.ServerManager
# load appHost config
$conf = $mgr.GetApplicationHostConfiguration()
# unlock all sections in system.webServer
unlockSectionGroup(
$conf.RootSectionGroup.SectionGroups["system.webServer"])
Your solution is similar but different enough that I can't verify what you've got, but since you say it works - sounds good. :)