Is there a way for a non admin to run the IIS 6 admin snap in tool? We would
like for our web admin to continue administering IIS, but because of AD
policies, he is pulled out of the local admin group and can't connect to IIS.
TIA
Local admin rights is required.......
--
Regards,
Bernard Cheah
http://www.iis.net/
http://www.iis-resources.com/
http://msmvps.com/blogs/bernard/
"dusty"
news:CE28C347-C81E-4270-B9D8-90A4B8408E9B@microsoft.com...
> Is there a way for a non admin to run the IIS 6 admin snap in tool? We
> would
> like for our web admin to continue administering IIS, but because of AD
> policies, he is pulled out of the local admin group and can't connect to
> IIS.
>
>
> TIA
I did find the following article.
To allow non-admin users to administer websites in IIS, you can use a tool
called Metabase Explorer (comes with the IIS6 resource kit). Please note
that this solution is not supported by Microsoft nor recommended since it
modifies permissions on certain metabase keys. Please back up your IIS
Metabase before following any of the steps below and test it out in a test
environment before attempting this on a production server.
1) Download resource kit from
http://www.microsoft.com/downloads/details.aspx?FamilyID=56f c92ee-a71...
b628-ade629c89499&DisplayLang=en
2) Open MBExplorer (by default installed at C:\Program Files\IIS
Resources\Metabase Explorer\mbexplorer.exe)
3) Log on as an Admin.
4) Create a special local (or domain) group called WebAdmins and add
appropriate non-Admin users to the group.
5) Right click on the each of the following nodes, select permission and
give the WebAdmins group Read Permissions.
COMPUTERNAME (local) node
LM node
W3SVC node
App Pools node
Filters node
Info node
If the non-admin users will be administering the MSFTP service, repeat the
above steps for approprate node and child nodes of this service.
6) Add the WebAdmins group to the IIS_WPG local group.
These steps granted the local WebAdmins group the necessary permissions to
read the metabase. These above steps are appropriate for both Local groups
and Domain groups.
7) The following steps will grant a specific user permissions to administer
a web site.
8) Right click on the appropriate Web Site(s) node and select Permissions
-- Grant the specific user FULL CONTROL
-- If the new Web Admin will be required to create AppPools, right click
on the AppPool node, select Permissions and grant either WRITE or FULL
CONTROL (as
appropriate) to the user
-- If the new Web Admin will be required to control AppPools ***specific
to the web site*** but not create new App Pools, right click on the
appropriate App Pool
and grant FULL CONTROL or WRITE as appropriate to the user.
9) To enable a specific user to create new websites, right click on the
W3SVC node and grant the specific user FULL CONTROL. If all members of the
"WebAdmins" group
require the ability to create new websites, the group can be granted FULL
CONTROL rather than individual users.
10) Before logging off, create a custom IIS Console and configure it to run
in one of the user modes as follows:
-- Start/Run and enter MMC
-- Click on File then Add/Remove Snapins
-- Click the Add button
-- Select Internet Information Services from the list and Click Add, OK and
OK.
-- From the menu select File then Options
-- In the Options window, select one of the User Modes from the drop down
Console Mode list.
-- Click File then Save As
-- to save the custom MMC to the user's desktop, navigate to the
"Documents and Settings" folder and click on the user's folder, then
double-click on the user's
Desktop folder.
-- Enter the name you want the console to save as and display (i.e.
IISAdmin or IIS_John)
-- Save the MMC and Exit.
11) Exit out of MBExplorer; log on as the new Web Admin and test.
"Bernard Cheah [MVP]" wrote:
> Local admin rights is required.......
>
> --
> Regards,
> Bernard Cheah
> http://www.iis.net/
> http://www.iis-resources.com/
> http://msmvps.com/blogs/bernard/
>
>
> "dusty"
> news:CE28C347-C81E-4270-B9D8-90A4B8408E9B@microsoft.com...
> > Is there a way for a non admin to run the IIS 6 admin snap in tool? We
> > would
> > like for our web admin to continue administering IIS, but because of AD
> > policies, he is pulled out of the local admin group and can't connect to
> > IIS.
> >
> >
> > TIA
>
>
>
Yes, but this is not supported by Microsoft, do it at your own risk.
--
Regards,
Bernard Cheah
http://www.iis.net/
http://www.iis-resources.com/
http://msmvps.com/blogs/bernard/
"dusty"
news:CF1162BE-C828-4601-AF84-59FB07E78F22@microsoft.com...
>I did find the following article.
>
> To allow non-admin users to administer websites in IIS, you can use a tool
> called Metabase Explorer (comes with the IIS6 resource kit). Please note
> that this solution is not supported by Microsoft nor recommended since it
> modifies permissions on certain metabase keys. Please back up your IIS
> Metabase before following any of the steps below and test it out in a test
> environment before attempting this on a production server.
>
> 1) Download resource kit from
> http://www.microsoft.com/downloads/details.aspx?FamilyID=56f c92ee-a71...
> b628-ade629c89499&DisplayLang=en
> 2) Open MBExplorer (by default installed at C:\Program Files\IIS
> Resources\Metabase Explorer\mbexplorer.exe)
> 3) Log on as an Admin.
> 4) Create a special local (or domain) group called WebAdmins and add
> appropriate non-Admin users to the group.
> 5) Right click on the each of the following nodes, select permission and
> give the WebAdmins group Read Permissions.
> COMPUTERNAME (local) node
> LM node
> W3SVC node
> App Pools node
> Filters node
> Info node
> If the non-admin users will be administering the MSFTP service, repeat the
> above steps for approprate node and child nodes of this service.
> 6) Add the WebAdmins group to the IIS_WPG local group.
> These steps granted the local WebAdmins group the necessary permissions to
> read the metabase. These above steps are appropriate for both Local groups
> and Domain groups.
> 7) The following steps will grant a specific user permissions to
> administer
> a web site.
> 8) Right click on the appropriate Web Site(s) node and select Permissions
> -- Grant the specific user FULL CONTROL
> -- If the new Web Admin will be required to create AppPools, right click
> on the AppPool node, select Permissions and grant either WRITE or FULL
> CONTROL (as
> appropriate) to the user
> -- If the new Web Admin will be required to control AppPools ***specific
> to the web site*** but not create new App Pools, right click on the
> appropriate App Pool
> and grant FULL CONTROL or WRITE as appropriate to the user.
> 9) To enable a specific user to create new websites, right click on the
> W3SVC node and grant the specific user FULL CONTROL. If all members of the
> "WebAdmins" group
> require the ability to create new websites, the group can be granted FULL
> CONTROL rather than individual users.
> 10) Before logging off, create a custom IIS Console and configure it to
> run
> in one of the user modes as follows:
> -- Start/Run and enter MMC
> -- Click on File then Add/Remove Snapins
> -- Click the Add button
> -- Select Internet Information Services from the list and Click Add, OK
> and
> OK.
> -- From the menu select File then Options
> -- In the Options window, select one of the User Modes from the drop down
> Console Mode list.
> -- Click File then Save As
> -- to save the custom MMC to the user's desktop, navigate to the
> "Documents and Settings" folder and click on the user's folder, then
> double-click on the user's
> Desktop folder.
> -- Enter the name you want the console to save as and display (i.e.
> IISAdmin or IIS_John)
> -- Save the MMC and Exit.
> 11) Exit out of MBExplorer; log on as the new Web Admin and test.
>
>
> "Bernard Cheah [MVP]" wrote:
>
>> Local admin rights is required.......
>>
>> --
>> Regards,
>> Bernard Cheah
>> http://www.iis.net/
>> http://www.iis-resources.com/
>> http://msmvps.com/blogs/bernard/
>>
>>
>> "dusty"
>> news:CE28C347-C81E-4270-B9D8-90A4B8408E9B@microsoft.com...
>> > Is there a way for a non admin to run the IIS 6 admin snap in tool? We
>> > would
>> > like for our web admin to continue administering IIS, but because of AD
>> > policies, he is pulled out of the local admin group and can't connect
>> > to
>> > IIS.
>> >
>> >
>> > TIA
>>
>>
>>