RE: IIS Run as Standard user

Jay Vyas 0 Reputation points
2024-03-18T11:39:54.3266667+00:00

Since a long time, I'm trying to have a AD users run as Standard permission with using Domain policy.

After a long search and applied some solutions I'm unable to have that user can run the IIS. Even I found followed answer on Microsoft Community as https://techcommunity.microsoft.com/t5/iis-support-blog/manage-iis-locally-with-a-non-admin-account/ba-p/1006358

Which indicate that the user has to be an Administrator only to have run access of IIS application.

Requirement;

  1. [xyz] user has to allow for using local IIS.
  2. [xyz] user inside the AD group policy and will not be able to have access over the Local software installations And Administrator rights on the machine.

NOT Remote IIS or Remote IIS Site !!

Please help with your inputs that can

Internet Information Services
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. glebgreenspan 1,125 Reputation points
    2024-03-18T13:32:13.0066667+00:00

    Hello Jay

    If you want the [xyz] user to be able to run IIS locally without having full administrator rights on the machine, you can try the following steps:

    1.     Add the [xyz] user to the built-in "IIS_IUSRS" group on the local machine. This group has the necessary permissions to run IIS without requiring full administrator rights.

    2.     Make sure the [xyz] user has permissions to access the necessary files and folders within the IIS web directories.

    3.     Ensure that the [xyz] user has the required permissions and access rights within IIS itself. You can set up specific permissions within IIS for the user to be able to manage web applications or sites.

     


  2. Michael Taylor 47,626 Reputation points
    2024-03-18T13:46:44.7466667+00:00

    I'm confused about what you're trying to accomplish. IIS is a service and runs under a service account, not a user account. Within IIS, you can set up sites and apps and grant users' permissions to those if they are using Windows auth.

    If you have developers who need to be able to create sites and manage them then most likely they are going to need admin privileges anyway. Trying to fight against this is just going to cause you more problems and slow them down. Of course you could use a CI/CD process to use a dedicated build account to configure all this instead. However when something goes wrong your devs are going to need access to the server most likely anyway.

    For local development your team doesn't need IIS. IIS Express is part of Visual Studio, doesn't require admin privileges and behaves just like IIS. It, or Kestrel, are the preferred way to debug web apps locally.

    0 comments No comments

  3. Lex Li (Microsoft) 4,662 Reputation points Microsoft Employee
    2024-03-18T16:41:34.5433333+00:00

    The question of how to allow non-administrators to manage IIS configuration locally has been asked for more than two decades, but remote management and delegation is all technically feasible solution from Microsoft, https://learn.microsoft.com/en-us/iis/manage/remote-administration/configuring-remote-administration-and-feature-delegation-in-iis-7

    The IIS Support Blog article you referred to actually used the same "remote administration" setup (just with a "localhost" connection).

    Don't waste your time on searching further, because it is simply a dead end.

    0 comments No comments