I am trying to write a DSC resource to manage IIS URL Authorization rules. However, when attempting to remove an inherited rule (via Clear-WebConfiguration), instead of removing the rule it is creating a local copy of the rule.
The workaround is to run the Clear-WebConfiguration command twice, but this isn't very elegant and results in a warning if the rule we are trying to remove isn't inherited.
I have a few questions in relation to this:
- If this is the expected behaviour, is there any way to override this?
- Is there any way to determine via Get-WebConfiguration (or other) if a rule has been inherited or is local?
Steps to reproduce:
1. IIS site (e.g. Default Web Site) has inherited URL Authorization rules (e.g. Allow All Users)
2. In PowerShell execute Clear-WebConfiguration -Filter "/system.webServer/security/authorization/add[@users='*' and @roles='' and @verbs='']" -PSPath "IIS:\sites\Default Web Site"
Expected results:
1. URL Authorization rules are updated to remove Allow All Users directive.
Actual results:
1. URL Authorization rule to Allow All Users is now enabled locally (i.e. not inherited)
2. Web.config contents (below) shows an entry to both remove the (inherited) rule and also contains a local entry to Allow All Users

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" users="*" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
```

Workaround:
1. Run Clear-WebConfiguration twice to achieve the expected behaviour
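
The state shown in the web.config above (a `<remove>` for the inherited rule followed by a local `<add>` with the same users/roles/verbs) can be detected from the file itself, for example in a DSC test step. This is an added example, not code from the original post; the function name `Get-ReaddedAuthorizationRule` is hypothetical, and the sample input is the web.config from the post.

```powershell
# Added example: list URL Authorization rules that a web.config both removes
# (<remove>) and then re-creates locally (<add>) with the same key.
function Get-ReaddedAuthorizationRule {
    param(
        [Parameter(Mandatory)] [xml] $WebConfig
    )

    $auth = $WebConfig.SelectSingleNode('/configuration/system.webServer/security/authorization')
    if (-not $auth) { return }

    # users/roles/verbs identify a rule; GetAttribute returns '' when one is omitted
    $keyOf = {
        param($node)
        ('users', 'roles', 'verbs' | ForEach-Object { $node.GetAttribute($_) }) -join '|'
    }

    $removed = @{}
    foreach ($node in $auth.ChildNodes) {
        if ($node.NodeType -ne [System.Xml.XmlNodeType]::Element) { continue }
        $key = & $keyOf $node
        if ($node.LocalName -eq 'remove') {
            $removed[$key] = $true
        }
        elseif ($node.LocalName -eq 'add' -and $removed.ContainsKey($key)) {
            # Same rule was removed earlier in this file and is now stored locally
            [pscustomobject]@{
                AccessType = $node.GetAttribute('accessType')
                Users      = $node.GetAttribute('users')
                Roles      = $node.GetAttribute('roles')
                Verbs      = $node.GetAttribute('verbs')
            }
        }
    }
}

# Sample input: the web.config content from the post, compacted
$sample = @'
<?xml version="1.0" encoding="UTF-8"?>
<configuration><system.webServer><security><authorization>
  <remove users="*" roles="" verbs="" />
  <add accessType="Allow" users="*" />
</authorization></security></system.webServer></configuration>
'@

Get-ReaddedAuthorizationRule -WebConfig $sample | Format-Table -AutoSize
```

An empty result means no removed rule has been re-added locally in that file; it does not say whether rules inherited from parent configuration still apply.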