Requirement for administrator to design resources? #71

Open
TickleThePanda opened this issue Jun 5, 2018 · 4 comments
Labels
enhancement The issue is an enhancement request. help wanted The issue is up for grabs for anyone in the community.

Comments

@TickleThePanda

It would be useful if you did not require having administrator privileges to create a resource. I'm in a situation where I would like to create a module that I will be installing later, currently using a low privilege user.

@johlju
Member

johlju commented Jun 6, 2018

The code is running mofcomp.exe, which uses WMI; those calls need administrator privileges.

Could you provide an example of what you are running and I can look into what exactly fails.

@johlju johlju added the needs more information The issue needs more information from the author or the community. label Jun 6, 2018
@TickleThePanda
Author

The command I'm running is:

> $Key = New-xDscResourceProperty -Name Key -Type String -Attribute
> New-xDscResource -Name TestResource -Property $Key -Path ".\Modules" -ModuleName TestModule

When running it as an administrator, it's fine.

When running the following, as a low privileged user, I get the following error:

Test-AdministratorPrivileges : You do not have Administrator rights to run this script. Please re-run this script as
an Administrator.
At C:\Program Files\WindowsPowerShell\Modules\xDSCResourceDesigner\1.10.0.0\xDSCResourceDesigner.psm1:581 char:13
+     $null = Test-AdministratorPrivileges
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : AdminRightsError,Test-AdministratorPrivileges

@johlju
Member

johlju commented Jun 6, 2018

As I suspected, it needs administrator privileges to run mofcomp.exe to test the schema.

https://github.com/PowerShell/xDSCResourceDesigner/blob/a059a2137cf6f2af112761ed21ea72f6872268c6/xDSCResourceDesigner.psm1#L664

It might be possible to add a switch parameter NoVerify to skip running the test if it is present, but I did not look into that.

I label this as an enhancement and help wanted so that anyone in the community can run with this.

@johlju johlju added enhancement The issue is an enhancement request. help wanted The issue is up for grabs for anyone in the community. and removed needs more information The issue needs more information from the author or the community. labels Jun 6, 2018
@CJHarmath

This is a pretty limiting design choice going against the concept of "Least privilege", so I would label this as a security issue.

Two problems come to mind:

  • Many enterprise policies deny or discourage local admin for devs - the risk is just too high for them to pull something from the internet like a package with an init script, etc.
  • CI servers ideally don't need to run as local admins, and most of the time they don't, so they can't run this either (in case you would want to test creating and using a new DSC resource)

Also, this is "just" a conversion of objects to a text file with a schema validation. It's hard to justify that it needs elevated privileges.
I can see how the mofcompile is useful to validate the design of the xDSCResourceDesigner module at dev time, but it should not rely on it at runtime, ideally.
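
One way the NoVerify idea discussed in this thread could be structured, as an added PowerShell example that is not code from xDSCResourceDesigner: file generation runs unprivileged and only the verification step checks for elevation. The function names, the behaviour given to `-NoVerify`, and the use of `mofcomp.exe -check` are assumptions for illustration.

```powershell
# Added illustration. Test-IsElevated and New-SchemaFile are hypothetical names,
# not functions exported by xDSCResourceDesigner.

function Test-IsElevated {
    # True when the current token is in the local Administrators role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function New-SchemaFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,     # where the schema text is written
        [Parameter(Mandatory)] [string] $Content,  # schema text built by the caller
        [switch] $NoVerify                         # skip the step that needs elevation
    )

    # Writing a text file needs write access to $Path, not administrator rights.
    Set-Content -LiteralPath $Path -Value $Content

    if ($NoVerify) {
        Write-Verbose "Schema verification skipped (-NoVerify)."
        return [pscustomobject]@{ Path = $Path; Verified = $false }
    }

    # Only verification is gated on elevation; generation has already succeeded.
    if (-not (Test-IsElevated)) {
        Write-Warning "Not elevated: wrote '$Path' without verifying it."
        return [pscustomobject]@{ Path = $Path; Verified = $false }
    }

    # Assumption: mofcomp.exe's -check (syntax-only) switch stands in for the
    # module's verification call, whose arguments are not shown in this thread.
    & "$env:windir\System32\wbem\mofcomp.exe" -check $Path | Out-Null
    return [pscustomobject]@{ Path = $Path; Verified = ($LASTEXITCODE -eq 0) }
}

# Usage (constructed sample input): a CI job running as a standard user.
# New-SchemaFile -Path .\TestResource.schema.mof -Content $schemaText -NoVerify
```

The returned `Verified` flag lets a pipeline generate the file as a low-privileged user and defer verification to a separate elevated step.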
