Share via

IIS reset without Local Admin Access

Anonymous
2024-11-18T07:20:28+00:00

We have a requirement to provide IIS reset access to a developer.

However, our strict security policy does not allow granting Local Admin access.

How we can provide this right without giving Local Admin privileges.

Windows for business Windows Server Windows cloud Other

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.

0 comments
Accepted answer
  1. Anonymous
    2024-11-18T08:19:27+00:00

    Hello Shehim,

    Thank you for posting in Microsoft Community forum.

    Granting IIS reset access without giving local admin privileges can be tricky because restarting Internet Information Services (IIS) typically requires administrative permissions. However, you can try the following methods:

    1. Task Scheduler with Elevated Privileges:

    Create a scheduled task that runs with elevated privileges to reset IIS.

    Grant the necessary permissions for the developer to run this task.

    Steps:

    1. Open Task Scheduler and create a new task.
    2. Configure the task to run with the highest privileges.
    3. Set the trigger to start the task manually.
    4. Add an action to run iisreset.
    5. Configure the security options to allow the developer to run the task.
    6. PowerShell Script with Delegated Permissions:

    Create a PowerShell script to reset IIS.

    Use a tool like PsExec to run the script with elevated privileges.

    Grant the developer permission to execute this specific script.

    Steps:

    1. Write a PowerShell script that runs the iisreset command.
    2. Use PsExec (from Sysinternals) to run the script with the required permissions.
    3. Ensure the developer has execute permissions on this script.
    4. Custom Management Console:

    Create a custom management console or application with the necessary permissions to reset IIS.

    Use role-based access to control which users can perform the reset function.

    Steps:

    1. Develop a tool or use an existing one that can manage IIS and handle the reset.
    2. Run the console or tool with the necessary administrative privileges.
    3. Grant access to the developers to use this tool.
    4. IIS Manager Users and Delegation:

    Configure delegation settings in IIS Manager to allow specific tasks to be performed by non-admin users.

    Note: This may not cover iisreset, but it can provide access to certain IIS management tasks.

    Each of these methods has its own considerations regarding security and complexity. Make sure to carefully evaluate the security implications and test thoroughly in a staging environment before deploying to production.

    I hope the information above is helpful.

    If you have any question or concern, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest