Configuring 'website operator' in IIS 6.0

re: Configuring 'website operator' in IIS 6.0

qbernard — Thu, 07 Sep 2006 02:47:07 GMT

That could be it with new changes in SP1, like component services security enhancement,etc. I have seen many users claimed that this workaround can't be applied to w2k3 sp1.

re: Configuring 'website operator' in IIS 6.0

aimperial — Wed, 06 Sep 2006 23:31:47 GMT

Need to know if someone make it work over 2003 with SP1 ,cause all i got is acces denied i have review a lot of time the permission and simple doesnt work tanx

re: Configuring 'website operator' in IIS 6.0

qbernard — Fri, 25 Aug 2006 07:49:18 GMT

Hi William,
Glad to know you are developing the utility. While I don't know the exact API, but generally you can use the WMI, ADSI interfaces to manage IIS. Some example here
http://www.microsoft.com/technet/scriptcenter/scripts/iis/iis6/default.mspx

for .net you can use system.directoryservices
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/html/cd63ff7d-f84b-4a1a-8c87-2a72fcf33402.asp

bare in mind that no matter what interface you use, the account need to have permissions on the metabase.

re: Configuring 'website operator' in IIS 6.0

williambeyond — Fri, 25 Aug 2006 05:32:16 GMT

hm... then I will have to create a utility similar to IIS Manager but allows non-server-admin users to be able to administrate IIS,

is there any reference/example/.NET API I can follow?

re: Configuring 'website operator' in IIS 6.0

qbernard — Wed, 23 Aug 2006 02:29:33 GMT

SP1 or even R2 has new security restriction. I have no time to test it yet. So it could due to the new restriction that this workaround is not working.

re: Configuring 'website operator' in IIS 6.0

williambeyond — Wed, 23 Aug 2006 02:22:19 GMT

I have the same problem too! My server WinServer2003 R2 have SP1 on,
I have gave Full control to every node, but when I try to connect to the server remotely via IIS Manager, it just fail with "You have been denied access to this machine"

I have it working before without SP1 on a window2003 NT server.

any help?

re: Configuring 'website operator' in IIS 6.0

Dimitri — Tue, 01 Aug 2006 16:52:37 GMT

Please test this with SP1, it doesn't work properly.
You have to give Full Control to the LM level to see websites, then you see the websites. Still, if you have Full Control on a certain website, you can for example create a virtual directory, but you can never delete it. Also when you request the properties you get an "Access Denied" popup, but you can still see and change properties after that. Anyone know how to get this working properly ?

re: Configuring 'website operator' in IIS 6.0

qbernard — Sat, 17 Jun 2006 04:49:21 GMT

Mm.. sp1. interesting. I have not tested it with SP1 yet. You might want to get filemon / regmon from sysinternals.com to trace the access denied.

re: Configuring 'website operator' in IIS 6.0

MAXIMEP — Fri, 16 Jun 2006 20:02:59 GMT

Hello
I have the same problem.
Hall was correctly configured, AND WORKS, until I install SP1 on the server.
Now I have Acces Denied when I connect remotely, But works fine localy.

Any Ideas ???

Thanks

re: Configuring 'website operator' in IIS 6.0

qbernard — Wed, 11 Jan 2006 09:35:34 GMT

Hi Dave,
It sounds like permissions issue. if you can managed IIS as and administrator but you can't with the custom user - meaning he/she doesn't has required priviliges to manage IIS. So I would suggest you verify you configuration again.

re: Configuring 'website operator' in IIS 6.0

Dave — Mon, 09 Jan 2006 19:40:27 GMT

I believe that I have the permssions correct in Metabase Explorer. However once in the MMC Snap-in the Web Sites fail to come up unless I am an administrator. Any thoughts?

re: Configuring 'website operator' in IIS 6.0

bernard — Wed, 04 Jan 2006 04:47:52 GMT

Great! but i'm still curious on why can't you grant READ at the first place ? I mean at the w3svc node and granting full control at LM node could introduce hidden risks, and if you forgot to further lock down the sub nodes, the user will be able to manipulate all the metabase keys under the node.

re: Configuring 'website operator' in IIS 6.0

Rob — Tue, 03 Jan 2006 20:32:15 GMT

Bernard,

In my case, I had to grant Full on the LM node in order for the user to see the Web Sites. Once that was done, all other permissions could be set as Read, or as otherwise desired.

Thanks!

re: Configuring 'website operator' in IIS 6.0

bernard — Thu, 29 Dec 2005 01:59:45 GMT

Hi Rob,

Did the user has READ permission on the W3SVC node? step 2e ??
Since you are able to sort out app pool and web service extensions node, this looks like just a permission issue on w3svc node.

re: Configuring 'website operator' in IIS 6.0

Rob — Wed, 28 Dec 2005 17:25:15 GMT

Attempting to implement your workaround to allow a non local box admin to administer IIS 6.

All appears to work except step 3. When a user who is a member of the appropriate group logs in the the server, and runs the custom IIS admin, they can see the app pools, and web service extensions, but nothing is visible in web sites.

I have verified via Metabase Explorer that the group they are in has Full Control to the individual sites under W3SVC and that the permission is present at all sub keys.

On your suggestion I tried again with Regmon and Filemon running in the background. Absolutely nothing in Filemon, and no "Access Denied" in Regmon, though several "Not Found."

I welcome any additional insight.

re: Configuring 'website operator' in IIS 6.0

bernard — Wed, 23 Nov 2005 05:13:00 GMT

Actually, you can add local groups to the IIS_WPG group. For some reason it will not let you add local groups to local groups in the GUI. If you go to the command prompt and type
'net localgroup "IIS_WPG" "TheLocalgrouptoAdd" /add'
It will add the localgroup to the IIS_WPG group.

Any questions just email me.

re: Configuring 'website operator' in IIS 6.0

bernard — Thu, 14 Jul 2005 18:30:00 GMT

Hi Joshua,

Nothing special, you can either use local or domain user. Assuming IIS is a a member server, you can add in those domain user to the WebOperator group.

re: Configuring 'website operator' in IIS 6.0

bernard — Thu, 14 Jul 2005 12:16:00 GMT

I have IIS 6 on a server joint to a domain - I am trying to add a user to operate a web site but doesn't do anything - Any special steps that I have to do to make it work or just remove it from the domain.

Thanks

re: Configuring 'website operator' in IIS 6.0

bernard — Thu, 09 Jun 2005 23:46:00 GMT

Hi Mike,
If you are in a domain, then of coz you need to use global group. As for the permissions, you can assign user/group at higher node and let the permissions get inherited for those child nodes.

re: Configuring 'website operator' in IIS 6.0

bernard — Fri, 03 Jun 2005 10:24:00 GMT

Cant get this to work

Local groups cannot be added to the iis_wpg group so i create a global group in AD.

When adding permissions to lower level nodes you get the message that permission are inherited. Copy of Clear? If they realy are inherited allowing the group full controll at the top level node should do the trick, right?