locked
non-Admin IIS rights RRS feed

  • Question

  • User545366989 posted

    I'm trying to configure my IIS 7.5 server to allow non-Admin users with local Windows accounts to manage some aspects of the IIS server. I would like to allow them the ability to stop/start sites/application pools without giving them full-Admin rights, is this possible?

    So far I've enabled the Management Service using Windows credentials. Then added a group I created earlier into IIS Manager Permissions for each site that I would like them to have access to. When I log onto the box as them and open IIS Manager, I don't see anything and have to add the sites individually, not a huge deal, but if there is a better way...please point me in the right direction. At this stage, I don't see the application pools that are associated with the sites and I see no way to stop the site.

     Any help would be appreciated, as I really don't want to make these users full-Admins on the local box.

     Thanks,

    -DarkSide

    Wednesday, October 6, 2010 12:19 PM

Answers

  • User-47214744 posted

    There is no way to delegate full administrator privileges without letting them be administrators, however most of the tasks that any developers would need in their day to day should be possible. In my mind those include:

    1) Create new Applications on their site

    2) Recycle their application pool

    3) Change any settings delegated (this could include every setting in IIS other than bindings and similar machine-impactful settings), so things like authentication, authorization, caching, mime types, default document, etc, can all be delegated for them to change.

    4) Deploy content, including the ability to add things to the GAC, COM, Files, etc.

    All of these are possible by using IIS Manager and Web Deploy, see for some examples:

    http://blogs.iis.net/krolson/archive/2009/11/12/delegate-application-creation-for-non-admininistrator-accounts.aspx

    http://learn.iis.net/page.aspx/516/configure-the-web-deployment-handler/

    Are there other tasks that you think would be required for your scenario to work?

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Thursday, October 7, 2010 12:53 PM

All replies

  • User1073881637 posted

    Not sure you can do this without be in an admin.  

    Wednesday, October 6, 2010 9:01 PM
  • User545366989 posted

     bummer. thoughts/comments on how others allow developers access without full-admin rights? i've allowed modify rights to the webroot directories and the servers reside on our own production networks, so they can' copy files directly to the server if they so desire (i'm trying my hardest to get them to use our SVN repo for deploys). anyway, all ideas welcome.

     TIA,

    -DarkSide

    Thursday, October 7, 2010 7:32 AM
  • User-47214744 posted

    There is no way to delegate full administrator privileges without letting them be administrators, however most of the tasks that any developers would need in their day to day should be possible. In my mind those include:

    1) Create new Applications on their site

    2) Recycle their application pool

    3) Change any settings delegated (this could include every setting in IIS other than bindings and similar machine-impactful settings), so things like authentication, authorization, caching, mime types, default document, etc, can all be delegated for them to change.

    4) Deploy content, including the ability to add things to the GAC, COM, Files, etc.

    All of these are possible by using IIS Manager and Web Deploy, see for some examples:

    http://blogs.iis.net/krolson/archive/2009/11/12/delegate-application-creation-for-non-admininistrator-accounts.aspx

    http://learn.iis.net/page.aspx/516/configure-the-web-deployment-handler/

    Are there other tasks that you think would be required for your scenario to work?

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Thursday, October 7, 2010 12:53 PM