How to Allow non administrator user to view IIS configuration

Hi dear newsgroup,

does anyone know, how i can give my local or domain non admin users the
right to administer on only to view the iis 6.0 on my w2k3 without giving him
admin-rights?

I've follow this guideline
http://www.derkeiler.com/Newsgroups/microsoft.public.inetser ver.iis.security/2004-03/0132.html
and my user can view APP Pool and SMTP configuration but NOT the Web Site.
Any Idea?


thanks for help,
Fabio

Re: How to Allow non administrator user to view IIS configuration

On Nov 26, 11:30 am, Fabio Lobasso
wrote:
> Hi dear newsgroup,
>
> does anyone know, how i can give my local or domain non admin users the
> right to administer on only to view the iis 6.0 on my w2k3 without giving him
> admin-rights?
>
> I've follow this guidelinehttp://www.derkeiler.com/Newsgroups/microsoft.publi c.inetserver.iis.s...
> and my user can view APP Pool and SMTP configuration but NOT the Web Site.
> Any Idea?
>
> thanks for help,
> Fabio

did you try using the IIS administrator GUI?

Re: How to Allow non administrator user to view IIS configuration

you mean the mmc? with mmc, in IIS6, is not possible to add a management
user... if no, what do you mean for "IIS administrator GUI"? can you send me
a link? thanks a lot, Fabio
"corey" wrote:


>
> did you try using the IIS administrator GUI?
>

Re: How to Allow non administrator user to view IIS configuration

On Nov 27, 4:06 am, Fabio Lobasso
wrote:
> you mean the mmc? with mmc, in IIS6, is not possible to add a management
> user... if no, what do you mean for "IIS administrator GUI"? can you send me
> a link? thanks a lot, Fabio
>
>
>
> "corey" wrote:
>
> > did you try using the IIS administrator GUI?- Hide quoted text -
>
> - Show quoted text -

yes I did and after having verifies, IIS 7 will allow for this but for
older versions ressource kit is needed.
here is what I found:

To allow non-admin users to administer websites in IIS, you can use a
tool
called Metabase Explorer (comes with the IIS6 resource kit). Please
note
that this solution is not supported by Microsoft nor recommended since
it
modifies permissions on certain metabase keys. Please back up your
IIS
Metabase before following any of the steps below and test it out in a
test
environment before attempting this on a production server.

1) Download resource kit from
http://www.microsoft.com/downloads/details.aspx?FamilyID=56f c92ee-a71a-4c73-
b628-ade629c89499&DisplayLang=en
2) Open MBExplorer (by default installed at C:\Program Files\IIS
Resources\Metabase Explorer\mbexplorer.exe)
3) Log on as an Admin.
4) Create a special local (or domain) group called WebAdmins and add
appropriate non-Admin users to the group.
5) Right click on the each of the following nodes, select permission
and
give the WebAdmins group Read Permissions.
COMPUTERNAME (local) node
LM node
W3SVC node
App Pools node
Filters node
Info node
If the non-admin users will be administering the MSFTP service, repeat
the
above steps for approprate node and child nodes of this service.

6) Add the WebAdmins group to the IIS_WPG local group.
These steps granted the local WebAdmins group the necessary
permissions to
read the metabase. These above steps are appropriate for both Local
groups
and Domain groups.

7) The following steps will grant a specific user permissions to
administer
a web site.
8) Right click on the appropriate Web Site(s) node and select
Permissions
-- Grant the specific user FULL CONTROL
-- If the new Web Admin will be required to create AppPools, right
click
on the AppPool node, select Permissions and grant either WRITE or
FULL
CONTROL (as
appropriate) to the user
-- If the new Web Admin will be required to control AppPools
***specific
to the web site*** but not create new App Pools, right click on the
appropriate App Pool
and grant FULL CONTROL or WRITE as appropriate to the user.

9) To enable a specific user to create new websites, right click on
the
W3SVC node and grant the specific user FULL CONTROL. If all members of
the
"WebAdmins" group
require the ability to create new websites, the group can be granted
FULL
CONTROL rather than individual users.

10) Before logging off, create a custom IIS Console and configure it
to run
in one of the user modes as follows:
-- Start/Run and enter MMC
-- Click on File then Add/Remove Snapins
-- Click the Add button
-- Select Internet Information Services from the list and Click Add,
OK and
OK.
-- From the menu select File then Options
-- In the Options window, select one of the User Modes from the drop
down
Console Mode list.
-- Click File then Save As
-- to save the custom MMC to the user's desktop, navigate to the
"Documents and Settings" folder and click on the user's folder, then
double-click on the user's
Desktop folder.
-- Enter the name you want the console to save as and display (i.e.
IISAdmin or IIS_John)
-- Save the MMC and Exit.

11) Exit out of MBExplorer; log on as the new Web Admin and test.

Re: How to Allow non administrator user to view IIS configuration

Hi corey, if you read my first post, I alredy tried this guideline and it
works for appPool, smtp and Extensions but NOT for webSite. This workaround
work only without SP1 on Win2K3!
http://msmvps.com/blogs/bernard/archive/2005/05/08/46074.asp x

Some other Idea?

"corey" wrote:

> On Nov 27, 4:06 am, Fabio Lobasso
> wrote:
> > you mean the mmc? with mmc, in IIS6, is not possible to add a management
> > user... if no, what do you mean for "IIS administrator GUI"? can you send me
> > a link? thanks a lot, Fabio
> >
> >
> >
> > "corey" wrote:
> >
> > > did you try using the IIS administrator GUI?- Hide quoted text -
> >
> > - Show quoted text -
>
> yes I did and after having verifies, IIS 7 will allow for this but for
> older versions ressource kit is needed.
> here is what I found:
>
> To allow non-admin users to administer websites in IIS, you can use a
> tool
> called Metabase Explorer (comes with the IIS6 resource kit). Please
> note
> that this solution is not supported by Microsoft nor recommended since
> it
> modifies permissions on certain metabase keys. Please back up your
> IIS
> Metabase before following any of the steps below and test it out in a
> test
> environment before attempting this on a production server.
>
> 1) Download resource kit from
> http://www.microsoft.com/downloads/details.aspx?FamilyID=56f c92ee-a71a-4c73-
> b628-ade629c89499&DisplayLang=en
> 2) Open MBExplorer (by default installed at C:\Program Files\IIS
> Resources\Metabase Explorer\mbexplorer.exe)
> 3) Log on as an Admin.
> 4) Create a special local (or domain) group called WebAdmins and add
> appropriate non-Admin users to the group.
> 5) Right click on the each of the following nodes, select permission
> and
> give the WebAdmins group Read Permissions.
> COMPUTERNAME (local) node
> LM node
> W3SVC node
> App Pools node
> Filters node
> Info node
> If the non-admin users will be administering the MSFTP service, repeat
> the
> above steps for approprate node and child nodes of this service.
>
> 6) Add the WebAdmins group to the IIS_WPG local group.
> These steps granted the local WebAdmins group the necessary
> permissions to
> read the metabase. These above steps are appropriate for both Local
> groups
> and Domain groups.
>
> 7) The following steps will grant a specific user permissions to
> administer
> a web site.
> 8) Right click on the appropriate Web Site(s) node and select
> Permissions
> -- Grant the specific user FULL CONTROL
> -- If the new Web Admin will be required to create AppPools, right
> click
> on the AppPool node, select Permissions and grant either WRITE or
> FULL
> CONTROL (as
> appropriate) to the user
> -- If the new Web Admin will be required to control AppPools
> ***specific
> to the web site*** but not create new App Pools, right click on the
> appropriate App Pool
> and grant FULL CONTROL or WRITE as appropriate to the user.
>
> 9) To enable a specific user to create new websites, right click on
> the
> W3SVC node and grant the specific user FULL CONTROL. If all members of
> the
> "WebAdmins" group
> require the ability to create new websites, the group can be granted
> FULL
> CONTROL rather than individual users.
>
> 10) Before logging off, create a custom IIS Console and configure it
> to run
> in one of the user modes as follows:
> -- Start/Run and enter MMC
> -- Click on File then Add/Remove Snapins
> -- Click the Add button
> -- Select Internet Information Services from the list and Click Add,
> OK and
> OK.
> -- From the menu select File then Options
> -- In the Options window, select one of the User Modes from the drop
> down
> Console Mode list.
> -- Click File then Save As
> -- to save the custom MMC to the user's desktop, navigate to the
> "Documents and Settings" folder and click on the user's folder, then
> double-click on the user's
> Desktop folder.
> -- Enter the name you want the console to save as and display (i.e.
> IISAdmin or IIS_John)
> -- Save the MMC and Exit.
>
> 11) Exit out of MBExplorer; log on as the new Web Admin and test.
>