Configuring 'website operator' in IIS 6.0

Important note: This is not supported by Microsoft, do this at your own risk.

Tool: Metabase Explorer from IIS 6.0 Resource Kit

Step 1: User Account Management
a) Create a special local group for users who are not local administrators, e.g. WebOperator.
b) Place the desired users in this WebOperator group.
c) Add the WebOperator group to the IIS_WPG local group.

Step 2: Grant Basic Metabase Access
a) Run Metabase Explorer, right-click the top-level computer node, and select Permissions.
b) Grant the WebOperator group READ permission.
c) Right-click the LM (Local Machine) node and select Permissions.
d) Grant the WebOperator group READ permission.
e) Right-click the W3SVC node and select Permissions.
f) Repeat step (b) to grant READ permission.
g) Expand the W3SVC node and repeat steps (e) and (f) for the AppPools, Filters and Info nodes.

Step 3: Grant Special User WebSite Access
a) Run Metabase Explorer, navigate to the desired website node, right-click it, and select Permissions.
b) Grant the specific user account FULL CONTROL permission.
c) Exit Metabase Explorer.

Note: If the user needs to create new applications or modify application pool configuration, grant the user FULL CONTROL on the AppPools node as well. Keep in mind that the AppPools node is the parent of every application pool on the server, so this lets the user change any pool, not just the ones serving their site.

Step 4: Create a new customised IIS MMC console
a) Click the Start menu, and then click Run. 
b) Type Mmc.exe and then click OK. 
c) In the MMC, click the File menu, then click Add/Remove Snap-in. 
d) Click Add, and then select the Internet Information Services snap-in. 
e) Click Add, click Close, and then click OK to return to the main MMC window. 
f) Click the File menu, then click Options, select one of the User modes, and then click OK.
g) Click the File menu, click Save, and enter a relevant name for the new IIS MMC console.

Step 5: Testing
a) Log in as the user and start the customised IIS MMC console.
b) Try to administer the website on which the user has been granted FULL CONTROL.

Note: If you get 'Access Denied' error messages, they are most likely due to the permission settings in the steps above. Log in again as a local administrator and verify your configuration.
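The same grants, scripted. This is an added example and not part of the original post or of the IIS 6.0 Resource Kit; it drives the IIS ADSI provider from VBScript (cscript), which is what the metabase exposed before PowerShell existed. Assumed names: a server called MYSERVER, an operator account MYSERVER\alice, and site ID 1 as the site she operates. The access masks are the bits from iiscnfg.h; treating READ as read + enumerate + unsecure-props-read and FULL CONTROL as all six bits is my assumption about what the Metabase Explorer presets correspond to, so compare against a key you set by hand before relying on it. IIS://localhost is metabase key /LM, so the grant on the top-level computer node (Step 2a/b) still has to be made in Metabase Explorer.

```vbscript
' WebOperator.vbs - added example, not from the original post.
' Scripts Steps 1 to 3 above. Run as a local administrator:  cscript //nologo WebOperator.vbs
' Assumptions: server MYSERVER, operator account MYSERVER\alice, site ID 1.
Option Explicit

' Metabase access-right bits from iiscnfg.h (IIS 6.0 SDK).
Const MD_ACR_READ                = &H00000001
Const MD_ACR_WRITE               = &H00000002
Const MD_ACR_ENUM_KEYS           = &H00000008
Const MD_ACR_RESTRICTED_WRITE    = &H00000020
Const MD_ACR_UNSECURE_PROPS_READ = &H00000080
Const MD_ACR_WRITE_DAC           = &H00040000

' ADSI security-descriptor constants.
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACEFLAG_INHERIT_ACE    = 2      ' ACE is inherited by child keys

Dim READ_MASK, FULL_MASK, sh
' Assumption: these masks stand in for Metabase Explorer's READ and FULL CONTROL presets.
READ_MASK = MD_ACR_READ Or MD_ACR_ENUM_KEYS Or MD_ACR_UNSECURE_PROPS_READ
FULL_MASK = READ_MASK Or MD_ACR_WRITE Or MD_ACR_RESTRICTED_WRITE Or MD_ACR_WRITE_DAC

' True if the DACL already carries an allow ACE for trustee with exactly this mask.
Function HasAce(dacl, trustee, mask)
    Dim ace
    HasAce = False
    For Each ace In dacl
        If StrComp(ace.Trustee, trustee, vbTextCompare) = 0 Then
            If ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED And ace.AccessMask = mask Then HasAce = True
        End If
    Next
End Function

' Add an inheritable allow ACE to the AdminACL of one metabase key (idempotent).
Sub GrantMetabaseAccess(adsPath, trustee, mask)
    Dim obj, sd, dacl, ace
    Set obj  = GetObject(adsPath)
    Set sd   = obj.Get("AdminACL")          ' IADsSecurityDescriptor
    Set dacl = sd.DiscretionaryAcl          ' IADsAccessControlList
    If HasAce(dacl, trustee, mask) Then Exit Sub
    Set ace = CreateObject("AccessControlEntry")
    ace.Trustee    = trustee
    ace.AccessMask = mask
    ace.AceType    = ADS_ACETYPE_ACCESS_ALLOWED
    ace.AceFlags   = ADS_ACEFLAG_INHERIT_ACE
    dacl.AddAce ace
    sd.DiscretionaryAcl = dacl
    obj.Put "AdminACL", sd
    obj.SetInfo
    WScript.Echo "granted &H" & Hex(mask) & " to " & trustee & " on " & adsPath
End Sub

' Dump the AdminACL of a key; use this when the operator gets "Access Denied" (Step 5).
Sub ShowMetabaseAcl(adsPath)
    Dim obj, sd, ace
    Set obj = GetObject(adsPath)
    Set sd  = obj.Get("AdminACL")
    WScript.Echo adsPath & "  owner=" & sd.Owner
    For Each ace In sd.DiscretionaryAcl
        WScript.Echo "  " & ace.Trustee & "  type=" & ace.AceType & _
                     "  mask=&H" & Hex(ace.AccessMask) & "  flags=" & ace.AceFlags
    Next
End Sub

' Step 1: groups. net.exe accepts a local group as an IIS_WPG member even where the
' Local Users and Groups GUI refuses it (as reported in the comments below).
Set sh = CreateObject("WScript.Shell")
sh.Run "net localgroup WebOperator /add /comment:""IIS 6.0 website operators""", 0, True
sh.Run "net localgroup WebOperator alice /add", 0, True
sh.Run "net localgroup IIS_WPG WebOperator /add", 0, True

' Step 2: READ on LM, W3SVC and the W3SVC children the snap-in enumerates.
' IIS://localhost is metabase key /LM; the top-level computer node has no ADSI path,
' so its READ grant (Step 2a/b) still has to be made in Metabase Explorer.
GrantMetabaseAccess "IIS://localhost",                "MYSERVER\WebOperator", READ_MASK
GrantMetabaseAccess "IIS://localhost/W3SVC",          "MYSERVER\WebOperator", READ_MASK
GrantMetabaseAccess "IIS://localhost/W3SVC/AppPools", "MYSERVER\WebOperator", READ_MASK
GrantMetabaseAccess "IIS://localhost/W3SVC/Filters",  "MYSERVER\WebOperator", READ_MASK
GrantMetabaseAccess "IIS://localhost/W3SVC/Info",     "MYSERVER\WebOperator", READ_MASK

' Step 3: FULL CONTROL for one operator on one site only, never on W3SVC itself.
GrantMetabaseAccess "IIS://localhost/W3SVC/1",        "MYSERVER\alice",       FULL_MASK

ShowMetabaseAcl "IIS://localhost/W3SVC/1"
```

ShowMetabaseAcl is the check to run first when the operator sees 'Access Denied': walk up from the site key to W3SVC and /LM and confirm that every key on the path carries an allow ACE for the group, since a missing READ on a parent hides everything below it from the snap-in. The script only ever adds allow ACEs; it never widens the mask on W3SVC or /LM, because an inheritable FULL CONTROL there is inherited by every site and pool under it.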

Good luck !

Published Sun, May 8 2005 14:46 by bernard

Comments

# bernard said on 03 June, 2005 05:24 AM
Can't get this to work.

Local groups cannot be added to the IIS_WPG group, so I created a global group in AD.

When adding permissions to lower-level nodes you get the message that permissions are inherited. Copy or Clear? If they really are inherited, allowing the group full control at the top-level node should do the trick, right?
# bernard said on 09 June, 2005 06:46 PM
Hi Mike,
If you are in a domain, then of course you need to use a global group. As for the permissions, you can assign the user/group at a higher node and let the permissions be inherited by the child nodes.
# bernard said on 14 July, 2005 07:16 AM
I have IIS 6 on a server joined to a domain. I am trying to add a user to operate a web site but it doesn't do anything. Are there any special steps I have to take to make it work, or should I just remove it from the domain?

Thanks
# bernard said on 14 July, 2005 01:30 PM
Hi Joshua,

Nothing special, you can use either a local or a domain user. Assuming IIS is on a member server, you can add those domain users to the WebOperator group.
# bernard said on 22 November, 2005 11:13 PM
Actually, you can add local groups to the IIS_WPG group. For some reason it will not let you add local groups to local groups in the GUI. If you go to the command prompt and type
'net localgroup "IIS_WPG" "TheLocalgrouptoAdd" /add'
It will add the localgroup to the IIS_WPG group.

Any questions just email me.
# Rob said on 28 December, 2005 11:25 AM
Attempting to implement your workaround to allow a non local box admin to administer IIS 6.

All appears to work except step 3. When a user who is a member of the appropriate group logs in to the server and runs the custom IIS admin console, they can see the app pools and web service extensions, but nothing is visible under Web Sites.

I have verified via Metabase Explorer that the group they are in has Full Control to the individual sites under W3SVC and that the permission is present at all sub keys.

On your suggestion I tried again with Regmon and Filemon running in the background. Absolutely nothing in Filemon, and no "Access Denied" in Regmon, though several "Not Found."

I welcome any additional insight.
# bernard said on 28 December, 2005 07:59 PM
Hi Rob,

Does the user have READ permission on the W3SVC node? Step 2e??
Since you were able to sort out the app pool and web service extensions nodes, this looks like just a permission issue on the W3SVC node.
# Rob said on 03 January, 2006 02:32 PM
Bernard,

In my case, I had to grant Full on the LM node in order for the user to see the Web Sites. Once that was done, all other permissions could be set as Read, or as otherwise desired.

Thanks!
# bernard said on 03 January, 2006 10:47 PM
Great! But I'm still curious why you couldn't grant READ in the first place, I mean at the W3SVC node. Granting full control at the LM node could introduce hidden risks, and if you forget to further lock down the sub-nodes, the user will be able to manipulate all the metabase keys under that node.
# Dave said on 09 January, 2006 01:40 PM
I believe that I have the permissions correct in Metabase Explorer. However, once in the MMC snap-in, the Web Sites fail to come up unless I am an administrator. Any thoughts?
# qbernard said on 11 January, 2006 03:35 AM
Hi Dave,
It sounds like a permissions issue. If you can manage IIS as an administrator but you can't with the custom user, it means he/she doesn't have the required privileges to manage IIS. So I would suggest you verify your configuration again.
# MAXIMEP said on 16 June, 2006 03:02 PM
Hello
I have the same problem.
All was correctly configured, AND WORKED, until I installed SP1 on the server.
Now I get Access Denied when I connect remotely, but it works fine locally.

Any Ideas ???

Thanks
# qbernard said on 16 June, 2006 11:49 PM
Mm.. SP1. Interesting. I have not tested it with SP1 yet. You might want to get Filemon / Regmon from sysinternals.com to trace the access denied.
# Dimitri said on 01 August, 2006 11:52 AM
Please test this with SP1; it doesn't work properly.
You have to give Full Control at the LM level to see websites; then you see the websites. Still, if you have Full Control on a certain website, you can for example create a virtual directory, but you can never delete it. Also, when you request the properties you get an "Access Denied" popup, but you can still see and change properties after that. Does anyone know how to get this working properly?
# williambeyond said on 22 August, 2006 09:22 PM
I have the same problem too! My server, Windows Server 2003 R2, has SP1 on.
I have given Full Control to every node, but when I try to connect to the server remotely via IIS Manager, it just fails with "You have been denied access to this machine".

I had it working before without SP1 on a Windows 2003 NT server.

any help?
# qbernard said on 22 August, 2006 09:29 PM
SP1 or even R2 has new security restrictions. I have not had time to test it yet. So it could be due to the new restrictions that this workaround is not working.
# williambeyond said on 25 August, 2006 12:32 AM
Hm... then I will have to create a utility similar to IIS Manager, but which allows non-server-admin users to administer IIS.

Is there any reference/example/.NET API I can follow?
# qbernard said on 25 August, 2006 02:49 AM
Hi William,
Glad to know you are developing the utility. I don't know the exact API, but generally you can use the WMI and ADSI interfaces to manage IIS. Some examples here:
http://www.microsoft.com/technet/scriptcenter/scripts/iis/iis6/default.mspx

For .NET you can use System.DirectoryServices:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/html/cd63ff7d-f84b-4a1a-8c87-2a72fcf33402.asp

Bear in mind that no matter which interface you use, the account needs to have permissions on the metabase.
# aimperial said on 06 September, 2006 06:31 PM
I need to know if someone has made it work on 2003 with SP1, because all I get is Access Denied. I have reviewed the permissions a lot of times and it simply doesn't work. Thanks
# qbernard said on 06 September, 2006 09:47 PM

That could be it, with the new changes in SP1, like the Component Services security enhancement, etc. I have seen many users claim that this workaround can't be applied to W2K3 SP1.
