IIS 5.0 Manage for non-admin rights

I am running IIS 5.0 on Windows 2000 PRO. Our web developers needed to create
or edit websites, for security reasons I cannot simply give them admin rights
or the password to the admin account.

For security reasons, we create the developers machines with non-admin
profile.
They do not have the proper rights to use the IIS management console!!

Is there a way to provide users without admin rights the ability to use IIS
to create, edit and manage websites?

Any help would be appreciated.

Best Regards

Re: IIS 5.0 Manage for non-admin rights

In all cases, only system Administrators can create websites.

IIS7 will support non-admins to edit and manage their own applications
and websites.

You'll have to use 3rd party control panels to do this prior to IIS7
because those IIS versions do not have/support non-admin administration
out-of-the-box.

//David
http://w3-4u.blogspot.com
//



rbfigueira wrote:
> I am running IIS 5.0 on Windows 2000 PRO. Our web developers needed to create
> or edit websites, for security reasons I cannot simply give them admin rights
> or the password to the admin account.
>
> For security reasons, we create the developers machines with non-admin
> profile.
> They do not have the proper rights to use the IIS management console!!
>
> Is there a way to provide users without admin rights the ability to use IIS
> to create, edit and manage websites?
>
> Any help would be appreciated.
>
> Best Regards

Re: IIS 5.0 Manage for non-admin rights

Hi,

If you are using Windows 2000 Server, you can add the regular user into
Operators to allow non-admin users manage web site configurations.

- Open IIS manager
- Highligh website -> go to properties -> go to operators tab
- add that user into Operator list
- Then that user can manager website by using its own security Context

But on Windows 2000 Pro box, you will not find the operators tab. This is a
by design behavior. IIS5 on Win 2000 Pro and IIS 5.1 on Win XP are designed
for Personal use in developing and testing purpose. It didn't embed the
feature to allow regular user to control website.

So I'd like to suggest you change to a server OS if you want to build a
shared development workstation. However in any cases, creating new web
sites is not allowed for non-admin users.

Please let us know if you have further question. Thanks.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/de fault.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx .

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Re: IIS 5.0 Manage for non-admin rights

Hi friends,

"IIS5 on Win 2000 Pro and IIS 5.1 on Win XP are designed for Personal use in
developing and testing purpose."

But this is the case! The machines are for Personal use in developing and
testing purpose! The problem here is that each "developers" machine, for
security reasons, are created with non-admin profile.
But with non-admin profile they cant use the IIS 5 for creating virtual
directories, etc. This is only for testing purpose in his personal developer
machine.
Today, they don’t see in the IIS the folders “FTP, Website…”.

We can give permissions in the registry ... but where?
We have given full control in some registry keys but with no success.

I don’t know if any new Windows 2000 Microsoft fix have chance anything
because we have already created developers machines (IIS5 on Win 2000 Pro)
for non-admin and give full control in the registry keys to IIS and works
just fine. When we want that some “software” installed in that machine
(non-admin profile) works like admin profile, we give full access in the
registry ketys!! This approach works just fine… but now did not work for IIS…

Why don’t work today?!!??

Best regards,
Ricardo Figueira


""WenJun Zhang[msft]"" wrote:

> Hi,
>
> If you are using Windows 2000 Server, you can add the regular user into
> Operators to allow non-admin users manage web site configurations.
>
> - Open IIS manager
> - Highligh website -> go to properties -> go to operators tab
> - add that user into Operator list
> - Then that user can manager website by using its own security Context
>
> But on Windows 2000 Pro box, you will not find the operators tab. This is a
> by design behavior. IIS5 on Win 2000 Pro and IIS 5.1 on Win XP are designed
> for Personal use in developing and testing purpose. It didn't embed the
> feature to allow regular user to control website.
>
> So I'd like to suggest you change to a server OS if you want to build a
> shared development workstation. However in any cases, creating new web
> sites is not allowed for non-admin users.
>
> Please let us know if you have further question. Thanks.
>
> Sincerely,
>
> WenJun Zhang
>
> Microsoft Online Community Support
>
> ==================================================
>
> Get notification to my posts through email? Please refer to:
> http://msdn.microsoft.com/subscriptions/managednewsgroups/de fault.aspx#notif
> ications.
>
> Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
> where an initial response from the community or a Microsoft Support
> Engineer within 1 business day is acceptable. Please note that each follow
> up response may take approximately 2 business days as the support
> professional working with you may need further investigation to reach the
> most efficient resolution. The offering is not appropriate for situations
> that require urgent, real-time or phone-based interactions or complex
> project analysis and dump analysis issues. Issues of this nature are best
> handled working with a dedicated Microsoft Support Engineer by contacting
> Microsoft Customer Support Services (CSS) at:
>
> http://msdn.microsoft.com/subscriptions/support/default.aspx .
>
> ==================================================
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>

Re: IIS 5.0 Manage for non-admin rights

> for non-admin and give full control in the registry keys to IIS and works
> just fine. When we want that some "software" installed in that machine
> (non-admin profile) works like admin profile, we give full access in the
> registry ketys!! This approach works just fine... but now did not work for IIS...

Your approach to simply change Registry ACLs does not work all the
time.

IIS website/administration configuration is stored outside the
Registry, so changing Registry Key ACLs has no effect on a non-admin's
ability to administer IIS.

Now, IIS7 on Vista Client will support the exact scenario that you
describe, by design and by default.

So, unfortunately, what you want will not be possible with any existing
version of IIS prior to IIS7. These versions simply do not support
administration by non-local-administrators, by-design.


//David
http://w3-4u.blogspot.com
//


rbfigueira wrote:
> Hi friends,
>
> "IIS5 on Win 2000 Pro and IIS 5.1 on Win XP are designed for Personal use in
> developing and testing purpose."
>
> But this is the case! The machines are for Personal use in developing and
> testing purpose! The problem here is that each "developers" machine, for
> security reasons, are created with non-admin profile.
> But with non-admin profile they cant use the IIS 5 for creating virtual
> directories, etc. This is only for testing purpose in his personal developer
> machine.
> Today, they don't see in the IIS the folders "FTP, Website...".
>
> We can give permissions in the registry ... but where?
> We have given full control in some registry keys but with no success.
>
> I don't know if any new Windows 2000 Microsoft fix have chance anything
> because we have already created developers machines (IIS5 on Win 2000 Pro)
> for non-admin and give full control in the registry keys to IIS and works
> just fine. When we want that some "software" installed in that machine
> (non-admin profile) works like admin profile, we give full access in the
> registry ketys!! This approach works just fine... but now did not work for IIS...
>
> Why don't work today?!!??
>
> Best regards,
> Ricardo Figueira
>
>
> ""WenJun Zhang[msft]"" wrote:
>
> > Hi,
> >
> > If you are using Windows 2000 Server, you can add the regular user into
> > Operators to allow non-admin users manage web site configurations.
> >
> > - Open IIS manager
> > - Highligh website -> go to properties -> go to operators tab
> > - add that user into Operator list
> > - Then that user can manager website by using its own security Context
> >
> > But on Windows 2000 Pro box, you will not find the operators tab. This is a
> > by design behavior. IIS5 on Win 2000 Pro and IIS 5.1 on Win XP are designed
> > for Personal use in developing and testing purpose. It didn't embed the
> > feature to allow regular user to control website.
> >
> > So I'd like to suggest you change to a server OS if you want to build a
> > shared development workstation. However in any cases, creating new web
> > sites is not allowed for non-admin users.
> >
> > Please let us know if you have further question. Thanks.
> >
> > Sincerely,
> >
> > WenJun Zhang
> >
> > Microsoft Online Community Support
> >
> > ==================================================
> >
> > Get notification to my posts through email? Please refer to:
> > http://msdn.microsoft.com/subscriptions/managednewsgroups/de fault.aspx#notif
> > ications.
> >
> > Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
> > where an initial response from the community or a Microsoft Support
> > Engineer within 1 business day is acceptable. Please note that each follow
> > up response may take approximately 2 business days as the support
> > professional working with you may need further investigation to reach the
> > most efficient resolution. The offering is not appropriate for situations
> > that require urgent, real-time or phone-based interactions or complex
> > project analysis and dump analysis issues. Issues of this nature are best
> > handled working with a dedicated Microsoft Support Engineer by contacting
> > Microsoft Customer Support Services (CSS) at:
> >
> > http://msdn.microsoft.com/subscriptions/support/default.aspx .
> >
> > ==================================================
> >
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> >