IIS rights without being administrator

Hi,

I'm stumped with an issue at work. I am trying to
provide some of web/apps developers I work with the ability to
create virtual directories and other IIS options
without actually including them in the administrator
group. I've tried everything from group policies to
local account options.

Nevertheless, when the app developers or
the web developers log into the box remotely, they can bring up the
MMC with the IIS Admin snap-in, but, when they expand it to, they are
told they do not have sufficient rights and a dialog box appears
essentially asking them to login as a local or domain admin; neither
of which I can do without violating our security policy.

I'm certain that other organizations must keep developers rights and
sys admin rights separate, and thus, there must be a work around to
provide them with the ability to use the IIS management tool and not
give them overly elevated privileges.

Is there anything I'm missing? Any help would be much
appreciated.

Re: IIS rights without being administrator

"Jake Banzai" wrote in message
news:kv9ah1t71luql0c3j1le2qfl6psblbqvg5@4ax.com...
> Hi,
>
> I'm stumped with an issue at work. I am trying to
> provide some of web/apps developers I work with the ability to
> create virtual directories and other IIS options
> without actually including them in the administrator
> group. I've tried everything from group policies to
> local account options.
>
> Nevertheless, when the app developers or
> the web developers log into the box remotely, they can bring up the
> MMC with the IIS Admin snap-in, but, when they expand it to, they are
> told they do not have sufficient rights and a dialog box appears
> essentially asking them to login as a local or domain admin; neither
> of which I can do without violating our security policy.
>
> I'm certain that other organizations must keep developers rights and
> sys admin rights separate, and thus, there must be a work around to
> provide them with the ability to use the IIS management tool and not
> give them overly elevated privileges.
>
> Is there anything I'm missing? Any help would be much
> appreciated.

Unfortunatley, you must be an admin to create virtual directories.
http://support.microsoft.com/default.aspx?scid=KB;EN-US;2989 69

In my org we do keep dev and sys admin rights seperate - the devs must get
the sys admin to create the virtual directories.

--
Tom Kaminski IIS MVP
http://www.microsoft.com/windowsserver2003/community/centers /iis/
http://mvp.support.microsoft.com/
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS

Re: IIS rights without being administrator

Withour using IIS, can you designate special folders off the web and
then web share them. Then make those foldeers as asahres and give
(windows) folder permissions to the persons to add or change content to
those folders. Keep these folders on D: drive (not the IIS drive).

Jake Banzai wrote:

> Hi,
>
> I'm stumped with an issue at work. I am trying to
> provide some of web/apps developers I work with the ability to
> create virtual directories and other IIS options
> without actually including them in the administrator
> group. I've tried everything from group policies to
> local account options.
>
> Nevertheless, when the app developers or
> the web developers log into the box remotely, they can bring up the
> MMC with the IIS Admin snap-in, but, when they expand it to, they are
> told they do not have sufficient rights and a dialog box appears
> essentially asking them to login as a local or domain admin; neither
> of which I can do without violating our security policy.
>
> I'm certain that other organizations must keep developers rights and
> sys admin rights separate, and thus, there must be a work around to
> provide them with the ability to use the IIS management tool and not
> give them overly elevated privileges.
>
> Is there anything I'm missing? Any help would be much
> appreciated.
>

Re: IIS rights without being administrator

Thanks for the help, thats the info I needed. Thanks again.

On Wed, 31 Aug 2005 09:08:12 -0400, "Tom Kaminski [MVP]" mvps (D.O.T) org> wrote:

>"Jake Banzai" wrote in message
>news:kv9ah1t71luql0c3j1le2qfl6psblbqvg5@4ax.com...
>> Hi,
>>
>> I'm stumped with an issue at work. I am trying to
>> provide some of web/apps developers I work with the ability to
>> create virtual directories and other IIS options
>> without actually including them in the administrator
>> group. I've tried everything from group policies to
>> local account options.
>>
>> Nevertheless, when the app developers or
>> the web developers log into the box remotely, they can bring up the
>> MMC with the IIS Admin snap-in, but, when they expand it to, they are
>> told they do not have sufficient rights and a dialog box appears
>> essentially asking them to login as a local or domain admin; neither
>> of which I can do without violating our security policy.
>>
>> I'm certain that other organizations must keep developers rights and
>> sys admin rights separate, and thus, there must be a work around to
>> provide them with the ability to use the IIS management tool and not
>> give them overly elevated privileges.
>>
>> Is there anything I'm missing? Any help would be much
>> appreciated.
>
>Unfortunatley, you must be an admin to create virtual directories.
>http://support.microsoft.com/default.aspx?scid=KB;EN-US;298 969
>
>In my org we do keep dev and sys admin rights seperate - the devs must get
>the sys admin to create the virtual directories.