Friday, October 22, 2010

Use IIS without Local Administrator Rights

Follow the steps below to allow a user to manage IIS (Internet Information Services) without local administrator rights:
1) First, log in with local administrator rights.
2) Go to Control Panel, then Add/Remove Programs, then Windows Components, and install the IIS components (with i386).
3) After installing IIS, download the "IIS Resource Kit Tools" from the link below:
IIS Resource Kit Tools (http://www.microsoft.com/downloads/en/details.aspx?FamilyId=56FC92EE-A71A-4C73-B628-ADE629C89499&displaylang=en)
4) After downloading the "IIS Resource Kit Tools", install them.
5) Open "Metabase Explorer" from the following path:
C:\Program Files\IIS Resources\Metabase Explorer
6) In the "IIS Metabase Explorer" window, right-click the computer name and select the "Permissions" tab.
7) Add the user to whom you want to give IIS access, and give the "Read" permission.
8) Right-click the "LM" node and click Permissions.
9) If a Security Warning dialog box appears, click No.
10) In Permissions, add the user and give him "Read".
11) Then expand the "LM" node, right-click the "W3SVC" node and select Permissions. Add the user and give him "Full" permissions.
12) Expand "W3SVC".
13) Right-click "Filters" and "Info", select Permissions, and add the user with "Full" permissions.
14) Exit Metabase Explorer.
15) Log off.
16) Log in with the user account to which you gave access rights and try to manage IIS from the IIS management console.
It will work perfectly.

This way you can use IIS without giving users local system administrator rights.

Thanks
Raju Gunnal
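
To review what the permission steps above actually granted, this added example (not part of the original post) lists the access-control entries on the metabase nodes the procedure edits, using the ADSI `AdminACL` property. It assumes the IIS ADSI provider is installed, the server is `localhost`, and the script runs from an administrator session; the script file name is hypothetical, and the top-level computer node from step 6 is not covered because this example only reads the LM node and below.

```vbscript
' Added example (not from the original post): list the metabase ACEs on the
' nodes the procedure above changes. Run as an administrator:
'   cscript //nologo audit-metabase-acl.vbs   (file name is hypothetical)
Option Explicit

' Metabase access-right bits (MD_ACR_* values from iiscnfg.h)
Const MD_ACR_READ = &H1
Const MD_ACR_WRITE = &H2
Const MD_ACR_ENUM_KEYS = &H8
Const MD_ACR_RESTRICTED_WRITE = &H20
Const MD_ACR_UNSECURE_PROPS_READ = &H80
Const MD_ACR_WRITE_DAC = &H40000

Dim adsPath
' IIS://localhost is the LM node; the others are W3SVC and its two children.
For Each adsPath In Array("IIS://localhost", "IIS://localhost/W3SVC", _
        "IIS://localhost/W3SVC/Filters", "IIS://localhost/W3SVC/Info")
    DumpAcl adsPath
Next

Sub DumpAcl(path)
    Dim node, sd, ace, kind
    WScript.Echo path
    On Error Resume Next
    Set node = GetObject(path)
    If Err.Number = 0 Then Set sd = node.AdminACL
    If Err.Number <> 0 Or Not IsObject(sd) Then
        ' Missing node, no AdminACL readable here, or caller is not an administrator.
        WScript.Echo "  AdminACL not readable: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
        Exit Sub
    End If
    On Error GoTo 0
    For Each ace In sd.DiscretionaryAcl
        ' AceType 0 is an access-allowed entry; anything else is reported as-is.
        If ace.AceType = 0 Then kind = "allow" Else kind = "type " & ace.AceType
        WScript.Echo "  " & kind & "  " & ace.Trustee & "  " & Rights(ace.AccessMask)
    Next
End Sub

Function Rights(mask)
    Dim s
    s = ""
    If (mask And MD_ACR_READ) <> 0 Then s = s & "Read "
    If (mask And MD_ACR_WRITE) <> 0 Then s = s & "Write "
    If (mask And MD_ACR_RESTRICTED_WRITE) <> 0 Then s = s & "RestrictedWrite "
    If (mask And MD_ACR_UNSECURE_PROPS_READ) <> 0 Then s = s & "UnsecurePropsRead "
    If (mask And MD_ACR_ENUM_KEYS) <> 0 Then s = s & "EnumKeys "
    If (mask And MD_ACR_WRITE_DAC) <> 0 Then s = s & "WriteDAC "
    Rights = Trim(s) & " [0x" & Hex(mask) & "]"
End Function
```

Running it before and after the procedure shows which trustees and rights were added on each node; the raw mask is printed because the mapping from Metabase Explorer's "Read" and "Full" labels to these bits is not stated in the post.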

15 comments:

  1. Thanks a lot, Raju. I was looking for this solution for many days, as in my organization I have to allow users full IIS rights without giving them local admin rights. Your solution solved my problem.
    Thanks a lot.

  2. Raju, I've tried this and I still can't get a user that is not a local admin to manage IIS (for example, create a website). The user can see nodes in IIS, but not the contents of them. I've checked permissions in Metabase Explorer 3 times. Am I missing something else?

  3. Hi,
    Can you try giving full rights instead of "Read" at step no. 10 and check once?

    10) Now in Permissions, add the user and give him "Full"

  4. Does this solution also work with IIS 7.5 in Windows Server 2008 R2?

  5. Does this solution also work with IIS 7.5 in Windows Server 2008 R2?

  6. I have tried this as well. Created a local test user on a Windows Server 2003 IIS 6.0 system, made it a member of the 'users' group and 'remote desktop users'. Gave it all the full control permissions on every possible key in the metabase as well as full control permissions on the 2 metabase files. It does not work: I get access denied when finishing the create website wizard and unexpected error 0x800c800 when trying to create an application in the home directory tab. I stopped further testing.

  7. For local accounts try "builtin\accountname"

  8. Hello,

    I have managed to get this to work to start and stop web sites. However, the user receives error 'Warning: You have been denied access to this machine' but he is now able to start and stop web sites!

    How do we get rid of this error?

    Thanks, Michael.

  9. Hi Raju, excellent post... it was very useful. Can you help us to implement the same restrictions for Windows 7? The above solution only works for Windows XP.

    Thanks in Advance.

  10. Can we script this to save us time configuring machine to machine?

  11. Step 6 is not clear. What do you mean by right-click on the computer name?

  12. For Windows 7 & 8????

  13. Does it work with Windows 10 also??

  14. I do the same steps, but when we log on to the server and open IIS, no Site or Application is showing.
