Announcement

Collapse
No announcement yet.

Let User View IIS Settings without Ability to Modify Them

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Let User View IIS Settings without Ability to Modify Them

    Hi all,
    - IIS 6 is running on the W2K Adv Ser.
    - Workgroup environment.
    - User TESTUSER is a member of Users and not the Administrators.
    - We want to be able to view the details of the sites, but not to be able to stop and start the sites and make any changes.

    Does anybody know how to make the Non-Administrator user to be able to view the IIS Settings without the ability to modify them?
    Or any workaround?

    We are trying to use the Taskpad, but no success because we are unable to view the sites.

  • #2
    You can use Metabase Explorer (IIS6 Resource Kit) to give a non-admin account access to view/alter IIS settings. Whether or not they'll have the right to alter the settings is utimately dependent on the rights you give them when configuring it. The following instructions are to give FULL ACCESS so tweak it as necessary for your needs (i.e. give Read Access where you see Full Control).

    IIS 6.0 Resource Kit Tools

    1) Download resource kit

    2) Open MBExplorer (by default installed at C:\Program Files\IIS Resources\Metabase Explorer\mbexplorer.exe)

    3) Log on as an Admin.

    4) Create a special local (or domain) group called WebAdmins and add appropriate non-Admin users to the group.

    5) Right click on the each of the following nodes, select permission and give the WebAdmins group Read Permissions.
    COMPUTERNAME (local) node
    LM node
    W3SVC node
    App Pools node
    Filters node
    Info node
    If the non-admin users will be administering the MSFTP service, repeat the above steps for approprate node and child nodes of this service.

    6) Add the WebAdmins group to the IIS_WPG local group.
    These steps granted the local WebAdmins group the necessary permissions to read the metabase. These above steps are appropriate for both Local groups and Domain groups.

    7) The following steps will grant a specific user permissions to administer a web site.

    Right click on the appropriate Web Site(s) node and select Permissions
    -- Grant the specific user FULL CONTROL
    -- If the new Web Admin will be required to create AppPools, right click on the AppPool node, select Permissions and grant either WRITE or FULL CONTROL (as appropriate) to the user -- If the new Web Admin will be required to control AppPools ***specific to the web site*** but not create new App Pools, right click on the appropriate App Pool and grant FULL CONTROL or WRITE as appropriate to the user.

    9) To enable a specific user to create new websites, right click on the W3SVC node and grant the specific user FULL CONTROL. If all members of the "WebAdmins" group require the ability to create new websites, the group can be granted FULL CONTROL rather than individual users.

    10) Before logging off, create a custom IIS Console and configure it to run in one of the user modes as follows:
    -- Start/Run and enter MMC
    -- Click on File then Add/Remove Snapins
    -- Click the Add button
    -- Select Internet Information Services from the list and Click Add, OK and OK.
    -- From the menu select File then Options
    -- In the Options window, select one of the User Modes from the drop down
    Console Mode list.
    -- Click File then Save As
    -- to save the custom MMC to the user's desktop, navigate to the "Documents and Settings" folder and click on the user's folder, then double-click on the user's Desktop folder.
    -- Enter the name you want the console to save as and display (i.e. IISAdmin or IIS_John)
    -- Save the MMC and Exit.

    11) Exit out of MBExplorer; log on as the new Web Admin and test.

    [Step-by-step instructions compliments of Yogita Manghnani]
    Andrew

    ** Remember to give credit where credit is due and leave reputation points sigpic where appropriate **

    Comment


    • #3
      What if we have IIS 5?

      Comment


      • #4
        Re: Let User View IIS Settings without Ability to Modify The

        Originally posted by vovan911
        - IIS 6 is running on the W2K Adv Ser.
        I guess I didn't notice that you mentioned W2K/IIS6. I got excited because I knew this worked with IIS6 and just started answering the question. FYI that OS/IIS combination isn't possible.

        Hmm.... Uh, I don't know if it works with IIS5 but you can try.
        Andrew

        ** Remember to give credit where credit is due and leave reputation points sigpic where appropriate **

        Comment

        Working...
        X