Grant Users Permissions to Modify IIS without Having Full Admi

Grant Users Permissions to Modify IIS without Having Full Admi

Post by QmVyb » Thu, 03 Aug 2006 00:18:01


Thanks. I'll check out IIS 7 and see if I can find any info on this.
 
 
 

Grant Users Permissions to Modify IIS without Having Full Admi

Post by QmVyb » Thu, 03 Aug 2006 00:23:01

Actually I took a look at it and the node shows up for the server, but is it
saying to create the webadmins account outside of this tool and then grant
access. I know what we need to do sounds strange, but do you know of a way
to allow developers to modify IIS without having to have full blown SA rights
and without having to call the SA's to make the change.

 
 
 

Grant Users Permissions to Modify IIS without Having Full Admi

Post by David Wang » Thu, 03 Aug 2006 10:47:24

http://www.yqcomputer.com/

--
//David
IIS
http://www.yqcomputer.com/
This posting is provided "AS IS" with no warranties, and confers no rights.
//
 
 
 

Grant Users Permissions to Modify IIS without Having Full Admi

Post by QmVyb » Thu, 03 Aug 2006 19:53:01

Thanks so much for the information.
 
 
 

Grant Users Permissions to Modify IIS without Having Full Admi

Post by QmVyb » Sat, 19 Aug 2006 03:31:07

Thanks so much for the link and the info JJ. This should help me out.
 
 
 

Grant Users Permissions to Modify IIS without Having Full Admi

Post by Sko » Sat, 19 Aug 2006 04:36:54

I am trying to do the same thing for my web developers (actually application
developers) and I will let you know if I get it working.
I have also had to setup special rights for them to stop and restart
services and actually install services by using Group Policy.
JJ
 
 
 

Grant Users Permissions to Modify IIS without Having Full Admi

Post by Sko » Sun, 20 Aug 2006 00:33:06

So I "think" I got this to work. I created a local group on the box, added a
domain group (with the web developer domain accounts in it) in to that local
group , then gave the local group full control over everything in the
metabase. I also gave them permissions for the web extensions and app pools
in metabase.

Unfortunately, you can't just set it at the top and tell it to propagate
down, you actually have to set each folder in the tree.

I also had to launch IIS and make sure that the local group had permissions
on each web site that they needed to access.

This will allow my developers to update the sites.

I also gave them full control of the webfolders that they are admins of so
that they can update web content.
Full control of the Inetpub,system32\ Inetserv, microsoft.net and read
access to the IIS logs folder (wherever they've directed them).

The file permissions I have set by GPO (since I have about 8 web servers
that have the load-balanced web site on it) I am looking at copying the
metabase setup by GPO also, so that I can set it on one server, copy the
metabase and then deploy that by GPO.

My developers also created special services for this box and a special event
viewer, so I had to give them permissions to stop, start and delete those
services (along with start/stop for the WWW service) and the ability to clear
that special event log. If you need this info too, let me know and I can post
it.
Good Luck!

Jill