Grant Users Permissions to Modify IIS without Having Full Admin Ri

We have had to revoke Administrator accounts from all users that are not real
'System Administrators'. The problem is that several of these users do web
development and need to go in to IIS to modify settings/restart it, etc. Can
anyone tell me how this can be done without having the users use an SA
account. I did find the tool IIS 6.0 Resource Kit Tools and have downloaded
it, but when I follow the instructions to right click on a node, everything
is grayed out. Anyone have any idea of how this can be done. Thank you.

Re: Grant Users Permissions to Modify IIS without Having Full Admin Ri

Bern wrote on Tue, 1 Aug 2006 05:54:01 -0700:

> We have had to revoke Administrator accounts from all users that are not
> real 'System Administrators'. The problem is that several of these users
> do web development and need to go in to IIS to modify settings/restart it,
> etc. Can anyone tell me how this can be done without having the users use
> an SA account. I did find the tool IIS 6.0 Resource Kit Tools and have
> downloaded it, but when I follow the instructions to right click on a
> node, everything is grayed out. Anyone have any idea of how this can be
> done. Thank you.

IIRC it can't. IIS7 will, I think, allow non-Administrator level admins.

Dan

Re: Grant Users Permissions to Modify IIS without Having Full Admin Ri

Let me get this right, you "have had to revoke" admin powers, but
you want to find another way to grant admin powers over IIS ??
Does that sound right ?
What "node" shows all grayed out? Site nodes, vdirs, . . . ?

"Bern" wrote in message
news:B5CE6969-C49D-4EF3-A7F4-DBFCA5B8A807@microsoft.com...
> We have had to revoke Administrator accounts from all users that are not
> real
> 'System Administrators'. The problem is that several of these users do
> web
> development and need to go in to IIS to modify settings/restart it, etc.
> Can
> anyone tell me how this can be done without having the users use an SA
> account. I did find the tool IIS 6.0 Resource Kit Tools and have
> downloaded
> it, but when I follow the instructions to right click on a node,
> everything
> is grayed out. Anyone have any idea of how this can be done. Thank you.

Re: Grant Users Permissions to Modify IIS without Having Full Admi

Thanks. I'll check out IIS 7 and see if I can find any info on this.

"Daniel Crichton" wrote:

> Bern wrote on Tue, 1 Aug 2006 05:54:01 -0700:
>
> > We have had to revoke Administrator accounts from all users that are not
> > real 'System Administrators'. The problem is that several of these users
> > do web development and need to go in to IIS to modify settings/restart it,
> > etc. Can anyone tell me how this can be done without having the users use
> > an SA account. I did find the tool IIS 6.0 Resource Kit Tools and have
> > downloaded it, but when I follow the instructions to right click on a
> > node, everything is grayed out. Anyone have any idea of how this can be
> > done. Thank you.
>
> IIRC it can't. IIS7 will, I think, allow non-Administrator level admins.
>
> Dan
>
>
>

Re: Grant Users Permissions to Modify IIS without Having Full Admi

Actually I took a look at it and the node shows up for the server, but is it
saying to create the webadmins account outside of this tool and then grant
access. I know what we need to do sounds strange, but do you know of a way
to allow developers to modify IIS without having to have full blown SA rights
and without having to call the SA's to make the change.

"Roger Abell [MVP]" wrote:

> Let me get this right, you "have had to revoke" admin powers, but
> you want to find another way to grant admin powers over IIS ??
> Does that sound right ?
> What "node" shows all grayed out? Site nodes, vdirs, . . . ?
>
> "Bern" wrote in message
> news:B5CE6969-C49D-4EF3-A7F4-DBFCA5B8A807@microsoft.com...
> > We have had to revoke Administrator accounts from all users that are not
> > real
> > 'System Administrators'. The problem is that several of these users do
> > web
> > development and need to go in to IIS to modify settings/restart it, etc.
> > Can
> > anyone tell me how this can be done without having the users use an SA
> > account. I did find the tool IIS 6.0 Resource Kit Tools and have
> > downloaded
> > it, but when I follow the instructions to right click on a node,
> > everything
> > is grayed out. Anyone have any idea of how this can be done. Thank you.
>
>
>

Re: Grant Users Permissions to Modify IIS without Having Full Admi

http://blogs.msdn.com/david.wang/archive/2006/05/09/Thoughts _on_Delegating_IIS_Configuration_and_Administration.aspx

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Bern" wrote in message
news:00AE6EFE-F155-4703-BA77-E044CFB3DE2D@microsoft.com...
> Thanks. I'll check out IIS 7 and see if I can find any info on this.
>
> "Daniel Crichton" wrote:
>
>> Bern wrote on Tue, 1 Aug 2006 05:54:01 -0700:
>>
>> > We have had to revoke Administrator accounts from all users that are
>> > not
>> > real 'System Administrators'. The problem is that several of these
>> > users
>> > do web development and need to go in to IIS to modify settings/restart
>> > it,
>> > etc. Can anyone tell me how this can be done without having the users
>> > use
>> > an SA account. I did find the tool IIS 6.0 Resource Kit Tools and have
>> > downloaded it, but when I follow the instructions to right click on a
>> > node, everything is grayed out. Anyone have any idea of how this can
>> > be
>> > done. Thank you.
>>
>> IIRC it can't. IIS7 will, I think, allow non-Administrator level admins.
>>
>> Dan
>>
>>
>>

Re: Grant Users Permissions to Modify IIS without Having Full Admi

Thanks so much for the information.

"David Wang [Msft]" wrote:

> http://blogs.msdn.com/david.wang/archive/2006/05/09/Thoughts _on_Delegating_IIS_Configuration_and_Administration.aspx
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
>
> "Bern" wrote in message
> news:00AE6EFE-F155-4703-BA77-E044CFB3DE2D@microsoft.com...
> > Thanks. I'll check out IIS 7 and see if I can find any info on this.
> >
> > "Daniel Crichton" wrote:
> >
> >> Bern wrote on Tue, 1 Aug 2006 05:54:01 -0700:
> >>
> >> > We have had to revoke Administrator accounts from all users that are
> >> > not
> >> > real 'System Administrators'. The problem is that several of these
> >> > users
> >> > do web development and need to go in to IIS to modify settings/restart
> >> > it,
> >> > etc. Can anyone tell me how this can be done without having the users
> >> > use
> >> > an SA account. I did find the tool IIS 6.0 Resource Kit Tools and have
> >> > downloaded it, but when I follow the instructions to right click on a
> >> > node, everything is grayed out. Anyone have any idea of how this can
> >> > be
> >> > done. Thank you.
> >>
> >> IIRC it can't. IIS7 will, I think, allow non-Administrator level admins.
> >>
> >> Dan
> >>
> >>
> >>
>
>
>

RE: Grant Users Permissions to Modify IIS without Having Full Admi

Thanks so much for the link and the info JJ. This should help me out.

"JJ" wrote:

> This doesn't sound strange at all. In fact that is why IIS 7.0 has come out
> with the ability to assign rights based on delegation.
>
> Check out this recommendation:
> http://www.winserverkb.com/Uwe/Forum.aspx/iis-security/2147/ HowTo-manage-IIS-via-MMC-SnapIn-without-admin-rights
>
> Good Luck!
> Jill JOnes
>
> "Bern" wrote:
>
> > We have had to revoke Administrator accounts from all users that are not real
> > 'System Administrators'. The problem is that several of these users do web
> > development and need to go in to IIS to modify settings/restart it, etc. Can
> > anyone tell me how this can be done without having the users use an SA
> > account. I did find the tool IIS 6.0 Resource Kit Tools and have downloaded
> > it, but when I follow the instructions to right click on a node, everything
> > is grayed out. Anyone have any idea of how this can be done. Thank you.

RE: Grant Users Permissions to Modify IIS without Having Full Admin Ri

This doesn't sound strange at all. In fact that is why IIS 7.0 has come out
with the ability to assign rights based on delegation.

Check out this recommendation:
http://www.winserverkb.com/Uwe/Forum.aspx/iis-security/2147/ HowTo-manage-IIS-via-MMC-SnapIn-without-admin-rights

Good Luck!
Jill JOnes

"Bern" wrote:

> We have had to revoke Administrator accounts from all users that are not real
> 'System Administrators'. The problem is that several of these users do web
> development and need to go in to IIS to modify settings/restart it, etc. Can
> anyone tell me how this can be done without having the users use an SA
> account. I did find the tool IIS 6.0 Resource Kit Tools and have downloaded
> it, but when I follow the instructions to right click on a node, everything
> is grayed out. Anyone have any idea of how this can be done. Thank you.

RE: Grant Users Permissions to Modify IIS without Having Full Admi

I am trying to do the same thing for my web developers (actually application
developers) and I will let you know if I get it working.
I have also had to setup special rights for them to stop and restart
services and actually install services by using Group Policy.
JJ

"Bern" wrote:

> Thanks so much for the link and the info JJ. This should help me out.
>
> "JJ" wrote:
>
> > This doesn't sound strange at all. In fact that is why IIS 7.0 has come out
> > with the ability to assign rights based on delegation.
> >
> > Check out this recommendation:
> > http://www.winserverkb.com/Uwe/Forum.aspx/iis-security/2147/ HowTo-manage-IIS-via-MMC-SnapIn-without-admin-rights
> >
> > Good Luck!
> > Jill JOnes
> >
> > "Bern" wrote:
> >
> > > We have had to revoke Administrator accounts from all users that are not real
> > > 'System Administrators'. The problem is that several of these users do web
> > > development and need to go in to IIS to modify settings/restart it, etc. Can
> > > anyone tell me how this can be done without having the users use an SA
> > > account. I did find the tool IIS 6.0 Resource Kit Tools and have downloaded
> > > it, but when I follow the instructions to right click on a node, everything
> > > is grayed out. Anyone have any idea of how this can be done. Thank you.

RE: Grant Users Permissions to Modify IIS without Having Full Admi

So I "think" I got this to work. I created a local group on the box, added a
domain group (with the web developer domain accounts in it) in to that local
group , then gave the local group full control over everything in the
metabase. I also gave them permissions for the web extensions and app pools
in metabase.

Unfortunately, you can't just set it at the top and tell it to propagate
down, you actually have to set each folder in the tree.

I also had to launch IIS and make sure that the local group had permissions
on each web site that they needed to access.

This will allow my developers to update the sites.

I also gave them full control of the webfolders that they are admins of so
that they can update web content.
Full control of the Inetpub,system32\ Inetserv, microsoft.net and read
access to the IIS logs folder (wherever they've directed them).

The file permissions I have set by GPO (since I have about 8 web servers
that have the load-balanced web site on it) I am looking at copying the
metabase setup by GPO also, so that I can set it on one server, copy the
metabase and then deploy that by GPO.

My developers also created special services for this box and a special event
viewer, so I had to give them permissions to stop, start and delete those
services (along with start/stop for the WWW service) and the ability to clear
that special event log. If you need this info too, let me know and I can post
it.
Good Luck!

Jill

"JJ" wrote:

> I am trying to do the same thing for my web developers (actually application
> developers) and I will let you know if I get it working.
> I have also had to setup special rights for them to stop and restart
> services and actually install services by using Group Policy.
> JJ
>
> "Bern" wrote:
>
> > Thanks so much for the link and the info JJ. This should help me out.
> >
> > "JJ" wrote:
> >
> > > This doesn't sound strange at all. In fact that is why IIS 7.0 has come out
> > > with the ability to assign rights based on delegation.
> > >
> > > Check out this recommendation:
> > > http://www.winserverkb.com/Uwe/Forum.aspx/iis-security/2147/ HowTo-manage-IIS-via-MMC-SnapIn-without-admin-rights
> > >
> > > Good Luck!
> > > Jill JOnes
> > >
> > > "Bern" wrote:
> > >
> > > > We have had to revoke Administrator accounts from all users that are not real
> > > > 'System Administrators'. The problem is that several of these users do web
> > > > development and need to go in to IIS to modify settings/restart it, etc. Can
> > > > anyone tell me how this can be done without having the users use an SA
> > > > account. I did find the tool IIS 6.0 Resource Kit Tools and have downloaded
> > > > it, but when I follow the instructions to right click on a node, everything
> > > > is grayed out. Anyone have any idea of how this can be done. Thank you.