HowTo manage IIS via MMC SnapIn without admin-rights...
Peter R.
does anyone know, how i can give my webmaster the right to administer the
iis 6.0 on my w2k3 domaincontroller without giving him admin-rights?
thanks for help,
peter
Yogita Manghnani [MSFT]
To allow non-admin users to administer websites in IIS, you can use a tool
called Metabase Explorer (comes with the IIS6 resource kit). Please note
that this solution is not supported by Microsoft nor recommended since it
modifies permissions on certain metabase keys. Please back up your IIS
Metabase before following any of the steps below and test it out in a test
environment before attempting this on a production server.
1) Download resource kit from
http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-
b628-ade629c89499&DisplayLang=en
2) Open MBExplorer (by default installed at C:\Program Files\IIS
Resources\Metabase Explorer\mbexplorer.exe)
3) Log on as an Admin.
4) Create a special local (or domain) group called WebAdmins and add
appropriate non-Admin users to the group.
5) Right click on the each of the following nodes, select permission and
give the WebAdmins group Read Permissions.
COMPUTERNAME (local) node
LM node
W3SVC node
App Pools node
Filters node
Info node
If the non-admin users will be administering the MSFTP service, repeat the
above steps for approprate node and child nodes of this service.
6) Add the WebAdmins group to the IIS_WPG local group.
These steps granted the local WebAdmins group the necessary permissions to
read the metabase. These above steps are appropriate for both Local groups
and Domain groups.
7) The following steps will grant a specific user permissions to administer
a web site.
8) Right click on the appropriate Web Site(s) node and select Permissions
-- Grant the specific user FULL CONTROL
-- If the new Web Admin will be required to create AppPools, right click
on the AppPool node, select Permissions and grant either WRITE or FULL
CONTROL (as
appropriate) to the user
-- If the new Web Admin will be required to control AppPools ***specific
to the web site*** but not create new App Pools, right click on the
appropriate App Pool
and grant FULL CONTROL or WRITE as appropriate to the user.
9) To enable a specific user to create new websites, right click on the
W3SVC node and grant the specific user FULL CONTROL. If all members of the
"WebAdmins" group
require the ability to create new websites, the group can be granted FULL
CONTROL rather than individual users.
10) Before logging off, create a custom IIS Console and configure it to run
in one of the user modes as follows:
-- Start/Run and enter MMC
-- Click on File then Add/Remove Snapins
-- Click the Add button
-- Select Internet Information Services from the list and Click Add, OK and
OK.
-- From the menu select File then Options
-- In the Options window, select one of the User Modes from the drop down
Console Mode list.
-- Click File then Save As
-- to save the custom MMC to the user's desktop, navigate to the
"Documents and Settings" folder and click on the user's folder, then
double-click on the user's
Desktop folder.
-- Enter the name you want the console to save as and display (i.e.
IISAdmin or IIS_John)
-- Save the MMC and Exit.
11) Exit out of MBExplorer; log on as the new Web Admin and test.
Let me know if this helps and if you have any questions.
Thanks,
Yogita Manghnani
Microsoft Developer Support
Internet Information Server
*********************************************************************
>>Please do not send email directly to this alias. This is an online
account name for newsgroup participation only.<<
This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use.
© 2003 Microsoft Corporation. All rights reserved.
*********************************************************************