3

I'd like to allow one of our developers the ability to remotely administer IIS7 on our Windows 2008 box using the IIS manager. This is not to manage an individual site, but IIS in general.

I can connect to it remotely if I log in with a domain admin account, but I can't otherwise get this to work.

Is remote IIS admin is only possible with a local or domain admin account? If not, what is the least amount of privileges required for remote admin?

Thanks.

ScottE
  • 90
  • 1
  • 10

3 Answers3

1

The easiest way would be to make the user a local admin on that server.

Also, this link describes using the Metabase Explorer tool to grant rights to all of IIS without Admin rights to the server at large

gWaldo
  • 11,957
  • 8
  • 42
  • 69
  • Thanks. This says IIS6 and IIS7/7.5 on the same page. Which one is it? – ScottE Oct 18 '10 at 13:17
  • That means it'll work for either/any of them. – gWaldo Oct 18 '10 at 13:55
  • So you're saying it's exactly the same for IIS7? The title says "Configuring 'website operator' in IIS 6.0" and the link is for the IIS6 metabase editing tool. – ScottE Oct 18 '10 at 18:15
  • I'm sorry, I didn't go back and look at it; I assumed from what you said that the solution 'was for iis6 and 7/7.5"; That wes my misunderstanding. Metabase Explorer is part of the IIS Administration Pak, and you should download the version that corresponds to the version of IIS that you're using. The steps in the tutorial should be largely compatible. – gWaldo Oct 18 '10 at 18:31
  • Can you confirm that you've done this on IIS7? Otherwise, I don't think this is worth the effort in trying. The security model is completely different. – ScottE Oct 18 '10 at 18:37
  • I'm sorry, but I don't have a machine that I can test on for you at this gig. If you're uncomfortable with this, you're probably stuck with making the user an Admin on the web server, Delegation, or possibly browsing the Local Security Policy for IIS-specific rights and granting that way. I'm sorry I can't be more help... – gWaldo Oct 18 '10 at 19:13
0

Delegate permissions to the user within IIS, this can be achieved by clicking at the root of the site level from within IIS and navigate down to management service. Make sure this user has local access on the server.

See http://learn.iis.net/page.aspx/155/an-overview-of-feature-delegation-in-iis-70/#03 for the full detail.

Nick O'Neil
  • 1,771
  • 11
  • 10
  • 1
    I have the management service enabled and running. It's accepting windows credentials only. I think there's more to it than this. – ScottE Oct 14 '10 at 19:29
0

Yes, I believe you can by using delegation. IIS7 Delegation

Mitch
  • 1,147
  • 11
  • 20
  • Please explain how this can be used on a global basis - ie the ability to set up new sites. – ScottE Oct 14 '10 at 19:33