Re: Access to IIS 6 console on Server 2003

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 10/31/03


Date: Thu, 30 Oct 2003 22:18:40 -0800

The only way to administer IIS6 via the MMC console is if the user is in the
local Administrators group.

This is due to the fact that the metabase which contains the configuration
information is ACL'd to the Administrators group (amongst others). Also,
the UI happens to make an operation to the metabase that will only succeed
if the user is in Administrators (and fails otherwise).

So, using the UI to administer IIS6 without the user being in the
Administrators group is pretty impossible. Command-line-based scripts and
custom Web-based administration can probably work in conjunction with
modifying the ACLs in the metabase, but I'm not aware of it ever being
tested or tried.

Delegated administration is something that really hasn't been a scenario in
IIS6, though we are aware that it's lacking and needs improvement.

-- 
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Brian" <anonymous@discussions.microsoft.com> wrote in message
news:0ea401c39e45$64480780$a601280a@phx.gbl...
Greetings,
I'm trying to limit web developers to only having admin
access in IIS6.  Seems they have to be in Admin group on
Server 2003 to even open IIS6 console.  Any suggestions on
if I can create a group and assign a specific ACL for
admin access in IIS6 only?
Thanks,
Brian

