User Rights Assignment IIS

One of the new features in IIS 7 is Feature Delegation. It lets you delegate management of IIS to domain users who are not administrators on the server. This document has very detailed information on Feature Delegation and should be reviewed first. I was asked how to do this for a domain group, so this article differs in a few of the screenshots.

Feature delegation has four parts.

  • Enable remote connections through the Management Service (WMSVC).
  • Add the AD user(s) or group(s) to each site in IIS Manager using IIS Manager Permissions.
  • Delegate the IIS features those users may use; this is set with Feature Delegation.
  • Connect to IIS as a non-administrator.

Enabling remote connections

Load IIS Manager.


Select the server node, then double-click Management Service in the Management section at the bottom right.


Check Enable remote connections.


Select Windows credentials only. With this setting only accounts the server can authenticate against Windows or the domain may connect; IIS Manager users (credentials stored by IIS itself in administration.config) are not accepted remotely, which is what you want when the administrators are a domain group.

Click Apply, then click Start to start the Web Management Service (WMSVC). The service listens on TCP 8172 over HTTPS and uses a self-signed certificate by default, so open that port on the firewall only to your management network, and expect a certificate warning on the first connection unless you bind a trusted certificate to the service.


Adding users to allow delegation

Under Sites, click the first web site you want to delegate, then double-click IIS Manager Permissions on the right.


In the Actions pane on the right, click Allow User.

In the Allow User dialog, enter Contoso\app admins and click OK. The permission is scoped to this site only; the server node and everything outside the site stay administrator-only.

Repeat for each site you would like to delegate.

Delegating the features and the rights for each feature

From the server home page, double-click Feature Delegation.

In Feature Delegation, click Authentication - Windows, then in the Actions pane on the right click Read/Write. Read/Write unlocks the underlying configuration section so the delegated group can change it for their site; Read Only lets them see the setting but not change it; Not Delegated hides the feature from them entirely.

Repeat for Logging, SSL Settings and any other features you would like to delegate. When done, the screen should look similar to the image above. Keep in mind that Feature Delegation applies to every site on the server; if one site needs different rights, use Custom Site Delegation on the same page. Delegation is now configured.

You may now access IIS with the credentials you delegated above.
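The three server-side procedures above (enabling remote connections, IIS Manager Permissions, and Feature Delegation) as one script, run from an elevated PowerShell prompt on the IIS 7 / Windows Server 2008 R2 host. This is an added example, not code from the original post. Assumed values are the group name from the post, two site names, and a management subnet for the firewall rule; the `Grant` call's third argument is passed as `$false` for a Windows group, which is my reading of the `ManagementAuthorization` API rather than something the post shows. The Feature Delegation step unlocks each section in applicationHost.config, which is what Read/Write does, and reads the section metadata back to confirm it.

```powershell
# Added example, not code from the original post: the three server-side steps
# (Management Service, IIS Manager Permissions, Feature Delegation) done from an
# elevated PowerShell prompt on the IIS 7 / Windows Server 2008 R2 host.
# Assumed values: the group name from the post, two site names, and a management
# subnet of 10.0.0.0/24 for the firewall rule.
Import-Module ServerManager
Import-Module WebAdministration

$Group   = 'CONTOSO\app admins'            # domain group that will manage the sites
$Sites   = @('Default Web Site', 'App1')   # assumed site names
$MgmtNet = '10.0.0.0/24'                   # assumed management subnet
# Features the post sets to Read/Write, keyed to the configuration section they unlock
$Sections = @{
    'Authentication - Windows' = 'system.webServer/security/authentication/windowsAuthentication'
    'Logging'                  = 'system.webServer/httpLogging'
    'SSL Settings'             = 'system.webServer/security/access'
}

# --- Enabling remote connections -----------------------------------------------
if (-not (Get-WindowsFeature Web-Mgmt-Service).Installed) {
    Add-WindowsFeature Web-Mgmt-Service | Out-Null       # installs WMSVC
}
$wmsvc = 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server'
Set-ItemProperty -Path $wmsvc -Name EnableRemoteManagement     -Value 1 -Type DWord
Set-ItemProperty -Path $wmsvc -Name RequiresWindowsCredentials -Value 1 -Type DWord  # "Windows credentials only"
Set-Service -Name WMSVC -StartupType Automatic
if ((Get-Service WMSVC).Status -eq 'Running') { Stop-Service WMSVC }  # settings are read at start
Start-Service WMSVC
# WMSVC listens on TCP 8172 (HTTPS); admit only the management subnet, never 'any'
netsh advfirewall firewall add rule name="WMSVC 8172 from management net" dir=in action=allow `
    protocol=TCP localport=8172 remoteip=$MgmtNet | Out-Null

# --- Adding users to allow delegation (IIS Manager Permissions) ----------------
# Same API IIS Manager uses; the entries land in administration.config scoped to the site.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.Web.Management')
foreach ($site in $Sites) {
    try {
        # Grant(name, configurationPath, isRole): $false for a Windows user or group (assumed)
        [Microsoft.Web.Management.Server.ManagementAuthorization]::Grant($Group, $site, $false)
        "Granted $Group on '$site'"
    } catch {
        Write-Warning "Grant on '$site' failed (already granted?): $($_.Exception.Message)"
    }
}

# --- Delegating features (Feature Delegation: Read/Write) ----------------------
# Read/Write unlocks the section in applicationHost.config so a site's web.config may
# override it; Read Only leaves it locked. Read the metadata back to verify the change.
foreach ($feature in $Sections.Keys) {
    $section = $Sections[$feature]
    Set-WebConfiguration -Filter $section -PSPath 'IIS:\' -Metadata overrideMode -Value Allow
    $mode = (Get-WebConfiguration -Filter $section -PSPath 'IIS:\' -Metadata).OverrideMode
    "{0,-25} {1,-65} overrideMode={2}" -f $feature, $section, $mode
}
```

The script changes the same server-wide state as the IIS Manager steps. One difference to know about: if a feature was earlier set to Not Delegated in IIS Manager, that state lives in the module list in administration.config, and unlocking the section alone will not bring the feature back into the delegated user's view; set it to Read/Write in the UI in that case.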

Connecting to IIS as a non-administrator

Log on as a non-administrator, either on the server or on a workstation with IIS Manager for Remote Administration installed, and load IIS Manager.

Right-click Start Page, then click Connect to a Site.


Enter the server name and site name, then click Next.

Enter the appropriate user name and password, then click Next.

Click Next on Specify a Connection Name, then click Finish. You will now see your connection to that site.

Repeat for any additional sites on this server that you would like to connect to.

Note: a user connected this way cannot manage any of the application pools, because application pools are server-level objects outside the site scope delegated above. So here is the next blog: How to use Web Deploy for administration of Application Pools by Non Administrators


Anonymous access, the most common web site access control method, allows anyone to visit the public areas of a website while keeping unauthorized users away from a web server's administrative features and private information. Anonymous authentication gives users access to a website without prompting them for a user name or password. When a user connects to a public website, the web server runs the request under the Windows user account IUSR_computername, where computername is the name of the server on which IIS is running.

By default, the IUSR_computername account is added to the Windows Guests group when IIS is installed. The NTFS permissions set for that account and group determine what level of access public internet users get and which content they can reach, so those permissions are the real access control for anonymous visitors. The account used for anonymous authentication can be changed in Internet Service Manager at the web server level or for individual virtual directories and files. Security privileges for the IUSR_computername account are changed with User Manager on Windows NT and with Local Users and Groups in the Computer Management console on Windows 2000. This describes IIS 4 through 6: on IIS 7 and later the default anonymous identity is the built-in IUSR account, worker-process identities belong to the IIS_IUSRS group, and the anonymous identity is set per site or directory under Authentication, Anonymous Authentication in IIS Manager.
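The point of the paragraph above is that NTFS permissions on the anonymous identity and the broad groups it belongs to decide what an anonymous visitor can reach. The following added example (not code from the original page) reads the configured anonymous identity for a site on IIS 7 or later with the WebAdministration module and lists the ACEs on the site's content root that apply to that identity or to Guests, Everyone, Users, Authenticated Users or IIS_IUSRS, flagging any that grant write-class rights. The site name and the set of rights treated as "writable" are my choices.

```powershell
# Added example, not code from the original page: report which NTFS rights the
# anonymous web identity (and the catch-all groups it may belong to) hold on a
# site's content root, and flag Allow entries that grant write-class rights.
# Assumes IIS 7 or later with the WebAdministration module; the site name and the
# "writable" mask are assumptions.
Import-Module WebAdministration

function Get-AnonymousContentAccess {
    param([string]$SiteName = 'Default Web Site')   # assumed site name

    # Identity IIS 7 impersonates for anonymous requests. An empty userName means the
    # application pool identity is used; the installation default is the built-in IUSR.
    $anon = Get-WebConfiguration `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
        -PSPath "IIS:\Sites\$SiteName"
    if (-not $anon.enabled) { Write-Warning "Anonymous authentication is disabled on $SiteName" }
    if ([string]::IsNullOrEmpty($anon.userName)) { $identity = '(application pool identity)' }
    else { $identity = $anon.userName }

    # Content root of the site (applicationHost.config may use %SystemDrive%).
    $root = [Environment]::ExpandEnvironmentVariables((Get-Item "IIS:\Sites\$SiteName").physicalPath)

    # Principals through which an anonymous visitor can obtain NTFS access: the
    # configured identity, the IIS 7 worker-process group, and the broad built-ins.
    $watch = @(($identity -split '\\')[-1], 'IIS_IUSRS', 'Guests', 'Everyone', 'Users', 'Authenticated Users')

    # Rights an anonymous-reachable principal should normally not hold on web content.
    $fsr = [System.Security.AccessControl.FileSystemRights]
    $writable = 0
    foreach ($r in 'Write', 'Delete', 'ChangePermissions', 'TakeOwnership') {
        $writable = $writable -bor [int][System.Enum]::Parse($fsr, $r)
    }

    foreach ($ace in (Get-Acl -Path $root).Access) {
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($watch -notcontains $name) { continue }
        New-Object PSObject -Property @{
            Site      = $SiteName
            Root      = $root
            Principal = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            # Allow ACE carrying any write-class bit for a principal on the watch list
            Writable  = ($ace.AccessControlType -eq 'Allow') -and
                        (([int]$ace.FileSystemRights -band $writable) -ne 0)
        } | Select-Object Site, Root, Principal, Type, Rights, Inherited, Writable
    }
}

Get-AnonymousContentAccess -SiteName 'Default Web Site' | Format-Table -AutoSize
```

Run it once per site; any row with Writable set to True on a directory that serves content is worth a second look, since it means an anonymous request could create or change files there if an application lets it.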

IIS uses the IUSR_computername account in the following way:
