Configuring 'website operator' in IIS 6.0

Important note: This is not supported by Microsoft; do this at your own risk.

Tool: Metabase Explorer from IIS 6.0 Resource Kit

Step 1: User Account Management
a) Create a special user group for non-local-admin users, e.g. WebOperator.
b) Place the desired users in this WebOperator user group.
c) Add WebOperator group to the IIS_WPG local group.

Step 2: Grant Basic Metabase Access
a) Run Metabase Explorer, right click COMPUTER node property, and select permissions.
b) Grant WebOperator group - READ permission.
c) Click on LM (Local Machine) node, right click, and select permissions.
d) Grant WebOperator group - READ permission
e) Click on W3SVC node, right click, and select permissions.
f) Repeat step (b) and grant the permission.
g) Expand W3SVC node, repeat step (b) for App Pools, Filters and Info nodes.

Step 3: Grant Special User WebSite Access
a) Run Metabase Explorer, navigate to the desired website node, and select permissions.
b) Grant the specific user account - FULL CONTROL permission.
c) Exit Metabase Explorer.

Note: If the user needs to create a new application or modify application pool configuration, grant the user FULL CONTROL on the App Pool node.

Step 4: Create a new customized IIS MMC
a) Click the Start menu, and then click Run. 
b) Type Mmc.exe and then click OK. 
c) In the MMC, click the File menu, then click Add/Remove Snap-in. 
d) Click Add, and then select the Internet Information Services snap-in. 
e) Click Add, click Close, and then click OK to return to the main MMC window. 
f) Click the File menu, then click Options, select any of the User modes, and then click OK.
g) Click the File menu, click Save, and enter a relevant name for the new IIS MMC.

Step 5: Testing
a) Log in as the user and fire up the customized IIS MMC.
b) Try to administer the website on which the user has been granted FULL CONTROL.

Note: If you are experiencing 'Access Denied' related error messages, they are most likely due to the permission settings in the above steps. Log in again as local admin and verify your configuration.
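
A way to check a permission layout against Steps 2 and 3, as an added example that is not part of the original post. It assumes a node without its own permissions inherits its parent's, and it reports any FULL CONTROL that reaches beyond the delegated website. The ACL data, the user `alice`, the site path `/LM/W3SVC/1` and the `/` stand-in for the COMPUTER node are constructed; the script does not read a real metabase.

```python
# Added example: audit a permission layout against Steps 2 and 3.
# All ACL data below is constructed; "/" stands for the COMPUTER node.
READ_NODES = ["/", "/LM", "/LM/W3SVC", "/LM/W3SVC/AppPools",
              "/LM/W3SVC/Filters", "/LM/W3SVC/Info"]

def effective_acl(acls, node):
    """ACL of the nearest node at or above `node` that defines one.
    Assumption: a node without its own ACL inherits its parent's."""
    path = node.rstrip("/") or "/"
    while path not in acls:
        if path == "/":
            return {}
        path = path.rsplit("/", 1)[0] or "/"
    return acls[path]

def audit(acls, nodes, group, user, site, extra_full=()):
    """Return (node, principal, problem) tuples for every deviation."""
    allowed = (site,) + tuple(extra_full)   # subtrees where FULL is expected
    findings = []
    for node in nodes:
        acl = effective_acl(acls, node)
        delegated = any(node == p or node.startswith(p + "/") for p in allowed)
        for principal in (group, user):
            if acl.get(principal) == "FULL" and not delegated:
                findings.append((node, principal, "FULL outside delegated node"))
        if node in READ_NODES and group not in acl:
            findings.append((node, group, "missing READ"))
    if effective_acl(acls, site).get(user) != "FULL":
        findings.append((site, user, "missing FULL on site"))
    return findings

SITE = "/LM/W3SVC/1"                        # constructed site identifier
PLANNED = {node: {"WebOperator": "READ"} for node in READ_NODES}
PLANNED[SITE] = {"WebOperator": "READ", "alice": "FULL"}
# Same layout, but with FULL CONTROL granted to the group at LM.
BROAD = dict(PLANNED, **{"/LM": {"WebOperator": "FULL"}})
# Nodes to check, including keys that carry no ACL of their own.
NODES = READ_NODES + [SITE, SITE + "/ROOT", "/LM/W3SVC/2", "/LM/Logging"]

if __name__ == "__main__":
    for name, acls in (("planned", PLANNED), ("broad", BROAD)):
        print(name, audit(acls, NODES, "WebOperator", "alice", SITE))
```

Pass `extra_full=["/LM/W3SVC/AppPools"]` when the user has deliberately been given FULL CONTROL on the App Pool node as described in the Step 3 note.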

Good luck !

Comments

# re: Configuring 'website operator' in IIS 6.0

Friday, June 03, 2005 5:24 AM by bernard

Can't get this to work.

Local groups cannot be added to the IIS_WPG group, so I created a global group in AD.

When adding permissions to lower-level nodes you get the message that permissions are inherited. Copy or Clear? If they really are inherited, allowing the group full control at the top-level node should do the trick, right?

# re: Configuring 'website operator' in IIS 6.0

Thursday, June 09, 2005 6:46 PM by bernard

Hi Mike,
If you are in a domain, then of course you need to use a global group. As for the permissions, you can assign the user/group at a higher node and let the permissions get inherited by those child nodes.

# re: Configuring 'website operator' in IIS 6.0

Thursday, July 14, 2005 7:16 AM by bernard

I have IIS 6 on a server joined to a domain - I am trying to add a user to operate a web site but it doesn't do anything - Any special steps that I have to do to make it work or just remove it from the domain.

Thanks

# re: Configuring 'website operator' in IIS 6.0

Thursday, July 14, 2005 1:30 PM by bernard

Hi Joshua,

Nothing special, you can use either a local or a domain user. Assuming IIS is a member server, you can add those domain users to the WebOperator group.

# re: Configuring 'website operator' in IIS 6.0

Tuesday, November 22, 2005 11:13 PM by bernard

Actually, you can add local groups to the IIS_WPG group. For some reason it will not let you add local groups to local groups in the GUI. If you go to the command prompt and type
'net localgroup "IIS_WPG" "TheLocalgrouptoAdd" /add'
It will add the localgroup to the IIS_WPG group.

Any questions just email me.

# re: Configuring 'website operator' in IIS 6.0

Wednesday, December 28, 2005 11:25 AM by Rob

Attempting to implement your workaround to allow a non local box admin to administer IIS 6.

All appears to work except step 3. When a user who is a member of the appropriate group logs in to the server and runs the custom IIS admin, they can see the app pools and web service extensions, but nothing is visible in web sites.

I have verified via Metabase Explorer that the group they are in has Full Control to the individual sites under W3SVC and that the permission is present at all sub keys.

On your suggestion I tried again with Regmon and Filemon running in the background. Absolutely nothing in Filemon, and no "Access Denied" in Regmon, though several "Not Found."

I welcome any additional insight.

# re: Configuring 'website operator' in IIS 6.0

Wednesday, December 28, 2005 7:59 PM by bernard

Hi Rob,

Did the user have READ permission on the W3SVC node? Step 2e?
Since you are able to sort out the app pool and web service extensions nodes, this looks like just a permission issue on the w3svc node.

# re: Configuring 'website operator' in IIS 6.0

Tuesday, January 03, 2006 2:32 PM by Rob

Bernard,

In my case, I had to grant Full on the LM node in order for the user to see the Web Sites. Once that was done, all other permissions could be set as Read, or as otherwise desired.

Thanks!

# re: Configuring 'website operator' in IIS 6.0

Tuesday, January 03, 2006 10:47 PM by bernard

Great! But I'm still curious why you can't grant READ in the first place. I mean at the w3svc node, and granting full control at the LM node could introduce hidden risks, and if you forget to further lock down the sub nodes, the user will be able to manipulate all the metabase keys under the node.

# re: Configuring 'website operator' in IIS 6.0

Monday, January 09, 2006 1:40 PM by Dave

I believe that I have the permissions correct in Metabase Explorer. However, once in the MMC Snap-in the Web Sites fail to come up unless I am an administrator. Any thoughts?

# re: Configuring 'website operator' in IIS 6.0

Wednesday, January 11, 2006 3:35 AM by qbernard

Hi Dave,
It sounds like a permissions issue. If you can manage IIS as an administrator but you can't with the custom user, it means he/she doesn't have the required privileges to manage IIS. So I would suggest you verify your configuration again.

# re: Configuring 'website operator' in IIS 6.0

Friday, June 16, 2006 3:02 PM by MAXIMEP

Hello
I have the same problem.
All was correctly configured, AND WORKED, until I installed SP1 on the server.
Now I get Access Denied when I connect remotely, but it works fine locally.

Any Ideas ???

Thanks

# re: Configuring 'website operator' in IIS 6.0

Friday, June 16, 2006 11:49 PM by qbernard

Mm.. sp1. interesting. I have not tested it with SP1 yet. You might want to get filemon / regmon from sysinternals.com to trace the access denied.

# re: Configuring 'website operator' in IIS 6.0

Tuesday, August 01, 2006 11:52 AM by Dimitri

Please test this with SP1, it doesn't work properly.
You have to give Full Control to the LM level to see websites, then you see the websites. Still, if you have Full Control on a certain website, you can for example create a virtual directory, but you can never delete it. Also when you request the properties you get an "Access Denied" popup, but you can still see and change properties after that. Anyone know how to get this working properly ?

# re: Configuring 'website operator' in IIS 6.0

Tuesday, August 22, 2006 9:22 PM by williambeyond

I have the same problem too! My server, WinServer2003 R2, has SP1 on it.
I have given Full Control to every node, but when I try to connect to the server remotely via IIS Manager, it just fails with "You have been denied access to this machine"

I had it working before without SP1 on a Windows 2003 NT server.

any help?

# re: Configuring 'website operator' in IIS 6.0

Tuesday, August 22, 2006 9:29 PM by qbernard

SP1 or even R2 has new security restrictions. I have had no time to test it yet. So it could be due to the new restrictions that this workaround is not working.

# re: Configuring 'website operator' in IIS 6.0

Friday, August 25, 2006 12:32 AM by williambeyond

Hm... then I will have to create a utility similar to IIS Manager that allows non-server-admin users to administer IIS.

Is there any reference/example/.NET API I can follow?

# re: Configuring 'website operator' in IIS 6.0

Friday, August 25, 2006 2:49 AM by qbernard

Hi William,
Glad to know you are developing the utility. While I don't know the exact API, generally you can use the WMI and ADSI interfaces to manage IIS. Some examples here:
http://www.microsoft.com/technet/scriptcenter/scripts/iis/iis6/default.mspx

For .NET you can use System.DirectoryServices:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/html/cd63ff7d-f84b-4a1a-8c87-2a72fcf33402.asp

Bear in mind that no matter what interface you use, the account needs to have permissions on the metabase.

# re: Configuring 'website operator' in IIS 6.0

Wednesday, September 06, 2006 6:31 PM by aimperial

Need to know if someone has made it work on 2003 with SP1, because all I get is access denied. I have reviewed the permissions a lot of times and it simply doesn't work. Thanks.

# re: Configuring 'website operator' in IIS 6.0

Wednesday, September 06, 2006 9:47 PM by qbernard

That could be it with the new changes in SP1, like the component services security enhancement, etc. I have seen many users claim that this workaround can't be applied to w2k3 sp1.