You must be an administrator to use IIS Manager : Domain users

  • Question

  • User819728879 posted

    Hi Team,

    Thanks for your support,

    We are in trouble with Windows 10 IIS Manager. Basically our network is in Active Directory, and some of our domain users (developers or testers) want to access the local IIS Manager to test the websites. Whenever a domain user tries to open IIS Manager, it gives the message "You must be an administrator to use IIS Manager". However, we cannot provide local administrator rights to domain users; it's company policy.

    Please help us to fix this issue.

    OS version - Windows 10 or 8 users

    IIS Version - 8.0

    User type - Domain user

    Regards,

    Himanshu Saral

     

    Wednesday, June 14, 2017 7:14 AM

All replies

  • User-460007017 posted

    Hi himanshu.saral,

    By default, IIS Manager requires administrator permission. I wonder why you want to grant a non-administrator user permission to access IIS Manager when it could be insecure to do this? Maybe you could try to run IIS Manager as administrator. In client OS, only Windows 7 could set the IIS Manager permission via the IIS management service. So you could not create a non-administrator environment with only IIS 8 or IIS 10. In Windows Server, you could set the remote administration and IIS Manager permission like:

    https://docs.microsoft.com/en-us/iis/manage/remote-administration/configuring-remote-administration-and-feature-delegation-in-iis-7

    https://blogs.technet.microsoft.com/leesab/2014/07/30/delegating-iis-administration-to-domain-users-non-administrators/

    So I think in Windows 8/10, you could only add the user to the administrator group; otherwise, you may be unable to access IIS Manager.

    Best Regards,

    Yuk Ding

    Wednesday, June 14, 2017 8:24 AM
  • User819728879 posted

    Hi Team,

    Thanks for your instant help.

    But we don't want to give local administrator rights through run as to domain users, and as per your provided suggestion we are not able to set permission on IIS for a domain user.

    Can we have any script or solution to allow IIS Manager to a domain user without administrator rights?

    Regards,

    Himanshu Saral

    Wednesday, June 14, 2017 8:35 AM
  • User-460007017 posted

    Hi himanshu.saral,

    No. I think it is unavailable to enable IIS Manager without Administrator permission. The only solution is to change the Windows client to Windows Server and manage the IIS Manager user with the IIS management service.

    Best Regards,

    Yuk Ding

    Wednesday, June 14, 2017 9:06 AM
  • User-1122936508 posted

    Can we have any script or solution to allow IIS manager to domain user without administrator rights?

    You can provide delegated access to manage web sites etc. without needing to provide local Administrator access to Windows.

    If they need to manage IIS server itself, then 99% of configuration is stored in applicationHost.config and administration.config in c:\windows\system32\inetsrv

    You could either provide access to the files, or give your deployment tools access to those files.

    Thursday, June 29, 2017 2:39 AM
  • User1893820870 posted

    I wonder why do you want to grant permission for non-administrator user to access the IIS manager while it could be insecure to do this?

    I dearly ask you to answer every item:

    1) Can you explain why it could be insecure?

    Companies/organizations must have the right to decide if doing something is dangerous or not for them, ponder and decide, taking their own risks, but not to be limited by design/feature or Microsoft caprices (since it is not explained).

    If humans weren't allowed to do things because of insecurities, then humanity would still be in the cavern age; you couldn't go to work because highways are too dangerous, you couldn't marry because it's too dangerous, should I continue? I write this with fury because Microsoft is always striving to make things difficult for users, instead of making them easier.

    2) It is well explained by "himanshu.saral": developers and testers need it because it is part of their work. Like in my company and hundreds around the world, developers and testers sometimes have non-administrative privileges due to compliance needs like PCI, but they still need to manage their own IIS or cmd. We can't be restricted to asking infrastructure people to do this one, 2 or 3 times a day; we need to be efficient doing it on our own, and sometimes you need it several times a day.

    3) I hope you escalate these comments to someone in Microsoft?

    Wednesday, April 24, 2019 3:57 PM
  • User690216013 posted

    1) Can you explain why could be insecure?

    I assume typical IIS administrators/developers know that if a non-administrator user has full access to IIS Manager alone, he/she can promote himself/herself to administrator. That's why IIS Manager must be used by an administrator explicitly.

    The remote administration via delegation listed in Yuk's answer, however, is not granting non-administrator users full access to IIS Manager, which minimizes their capabilities to acquire permissions they shouldn't have.

    IIS runs in the system session like other Windows services, but its design leads to all the relevant decisions. Microsoft won't be able to change such a big thing (If they could, we shouldn't have been discussing it right now).

    2) It is well explained by "himanshu.saral," developers and testers need it, because is part of their work, like in my company and hundreds around the world, developers and testers sometimes have non-administratives privileges due to compliance needs like PCI, but still they need to manage their own IIS or cmd.

    That's why IIS Express was created, and Microsoft exposed various IIS APIs so that your firm can build custom tools to help non-administrators manage IIS when really needed. It is just IIS Manager that's not in the image. Many companies I know of also grant developers/testers exceptions so that they can be administrators on their dev/test machines. If you want to be compliant, you have to bend efficiency (everybody hurts here).

    3) I hope you escalate this comments to someone in Microsoft?

    It has been escalated multiple times already so you shouldn't expect a new escalation can change much.

    Wednesday, April 24, 2019 5:19 PM
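
Added example, not part of the thread: the replies above suggest giving users or deployment tools access to applicationHost.config and administration.config, and warn that full control of IIS configuration by a non-administrator is a route to administrator rights. This PowerShell sketch audits which principals can modify those two files. The `config` subfolder under `inetsrv` and the allow-list of expected writers are assumptions about a default install; run it from an elevated prompt.

```powershell
# Added example: list principals outside an expected allow-list that can
# write to the server-level IIS configuration files.
# Assumption: default location %windir%\System32\inetsrv\config.
$configDir = Join-Path $env:windir 'System32\inetsrv\config'
$files     = 'applicationHost.config', 'administration.config'

# Assumed allow-list of identities expected to hold write access by default.
$expected = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

# Bits that let a principal change the file content, delete it, or change its ACL.
$writeBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
# Also catch raw GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) entries.
$writeMask = [int]$writeBits -bor 0x10000000 -bor 0x40000000

$findings = foreach ($name in $files) {
    $path = Join-Path $configDir $name
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "$path not found (IIS not installed or insufficient rights)"
        continue
    }

    foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
        # Only Allow entries grant access; Deny entries are not a finding here.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Skip entries that grant no write-type right.
        if (-not ([int]$ace.FileSystemRights -band $writeMask)) { continue }

        $id = $ace.IdentityReference.Value
        if ($expected -contains $id) { continue }

        [pscustomobject]@{
            File      = $name
            Identity  = $id
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Output 'No unexpected write access on IIS configuration files.' }
```

Each row is a principal outside the assumed allow-list that can rewrite server-level IIS configuration, so a file-access grant like the one suggested above should be recorded as a deliberate exception and reviewed.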