Delegating IIS administration to Domain Users (non-administrators)
One of the new features in IIS 7 is Feature Delegation, which allows you to delegate management of IIS to domain users (non-administrators). This document has very detailed information on Feature Delegation and should be reviewed first. I was asked how to do this for a domain group, so this article has a few differences in screenshots.
Feature delegation has four parts.
- Enabling remote connections through the Management Service.
- Adding the AD user(s)/group(s) to the individual sites listed in IIS, using IIS Manager Permissions.
- Delegating the IIS features that those users will be able to use; this is set using Feature Delegation.
- Connecting to IIS as a non-administrator.
Enabling Remote connections
Load IIS Manager.
Double-click Management Service at the bottom right.
Click Enable Remote Connections.
Click Windows Credentials Only.
Click Apply, then click Start.
Adding users to allow delegation
Under Sites, click the first web site you wish to assign delegation to, then on the right double-click IIS Manager Permissions.
Then on the right, click Allow User.
In the Allow User pop-up window, enter Contoso\app admins, then click OK.
Repeat for each listed site for which you would like to allow IIS delegation.
Delegating the features you would like to delegate and the rights for each delegation.
From the IIS home page, double-click Feature Delegation.
From within Feature Delegation, click Authentication - Windows, then on the right click Read/Write.
Repeat feature delegation for Logging and SSL Settings and any other features you would like to delegate. When done, the screen should look similar to the above image. You are now done with delegation.
You may now access IIS with the credentials that you delegated above.
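The three server-side steps above, scripted in PowerShell as an added example (not part of the original article). It assumes an elevated session on the IIS server with the Management Service (WMSVC) installed; the site list is a placeholder, and the registry value names and the mapping of the three delegated features to configuration sections are assumptions to verify on your build.

```powershell
# Added example: scripted equivalent of the GUI steps. Run elevated on the IIS server.
Import-Module WebAdministration

$group = 'Contoso\app admins'      # AD group used in the article
$sites = @('Default Web Site')     # placeholder: sites to delegate

# 1. Enable remote connections, Windows credentials only, then start the service.
#    The settings can only be changed while WMSVC is stopped.
Stop-Service WMSVC -ErrorAction SilentlyContinue
$key = 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server'
Set-ItemProperty -Path $key -Name EnableRemoteManagement -Value 1
Set-ItemProperty -Path $key -Name RequiresWindowsCredentials -Value 1
Set-Service WMSVC -StartupType Automatic
Start-Service WMSVC

# 2. IIS Manager Permissions: allow the group on each site.
#    The third argument (isRole) is $true because the principal is a group.
Add-Type -Path "$env:windir\System32\inetsrv\Microsoft.Web.Management.dll"
foreach ($site in $sites) {
    [Microsoft.Web.Management.Server.ManagementAuthorization]::Grant($group, $site, $true) |
        Out-Null
}

# 3. Feature Delegation: Read/Write is assumed to correspond to
#    overrideMode="Allow" on the feature's configuration section.
$sections = @(
    'system.webServer/security/authentication/windowsAuthentication',  # Authentication - Windows
    'system.webServer/security/access',                                # SSL Settings
    'system.webServer/httpLogging'                                     # Logging
)
foreach ($section in $sections) {
    Set-WebConfiguration -Filter "//$section" -Metadata overrideMode -Value Allow -PSPath 'IIS:/'
}

# Review: list the principals now allowed to manage the first site.
[Microsoft.Web.Management.Server.ManagementAuthorization]::GetAuthorizedUsers($sites[0], $false, 0, 100)
```

Keep the `$sections` list as short as the delegated group actually needs, since each unlocked section can then be overridden in that site's web.config.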
Connecting to IIS as a non-administrator
Log on to the server as a non-administrator. Load IIS Manager.
Right-click Start Page, then click Connect to a Site.
Enter the Server Name and Site Name, then click Next.
Enter the appropriate User Name and Password, then click Next.
Click Next on the Specify a Connection Name page, then click Finish. You will now see your connection to that site.
Repeat for any additional sites on this server that you would like to connect to.
Note: You cannot manage any of the Application pools. So here is the next blog: How to use Web Deploy for administration of Application Pools by Non Administrators
Comments
- Anonymous
January 01, 2003
Ken, Sorry for the delay. I have the link updated and thanks for bringing it to my attention.
- Anonymous
January 01, 2003
Your linked article "How to use Web Deploy for administration of Application Pools by Non Administrators" asks for me to log into TechNet and then says "Access Denied"
- Anonymous
January 01, 2003
Yes if you have the right to log on locally or log on through Remote Desktop Services. Some companies are going extremely strict trying to limit admin access.
- Anonymous
September 02, 2014
On a SharePoint computer you will need to add the Feature – Group Policy Management. You will need
- Anonymous
September 02, 2014
How
- Anonymous
January 26, 2015
User without administrator privileges can do Connect to a server?
- Anonymous
June 29, 2015
Yeah we are really strict about this as well. We basically do not allow it. The process above would likely work for us, but would be so much sysadmin work that we just say "NO" and require developers to create a "methods and procedures" document for the sysadmin team to do the deployment or configuration change.
- Anonymous
July 01, 2015
User without administrator privileges can do Connect to a server?
If user has RDP permissions, what is the process for Connect to a server
- Anonymous
July 06, 2015
Jonathan, This was written because my SharePoint Admins were not granted admin access on SharePoint. It's almost impossible to manage SharePoint as an Admin if you cannot see IIS, Application Pools, or stop/start Windows services for SharePoint. I agree NO developer should have access to production (just my opinion).
- Anonymous
July 06, 2015
Shiva, Check out the articles here for Remote Desktop (MSTSC). http://windows.microsoft.com/en-us/windows/connect-using-remote-desktop-connection#connect-using-remote-desktop-connection=windows-7
- Anonymous
July 22, 2015
Is it possible or not to manage the IIS server completely without the requirement to be server administrator?
- Anonymous
January 30, 2016
We have a server that runs Windows Server 2008. The server has the web server IIS server role installed and all the web server services installed. We need to provide a user the ability to administer the website. Which feature should we configure?
- Anonymous
June 29, 2017
In provide credentials screen error is could not connect the computer unable to connect the remote server
- Anonymous
August 07, 2017
I truly appreciate this post. I have been looking all over for this! Thank goodness I found it on Bing. You have made my day! Thx again
- Anonymous
August 14, 2017
Usually I don't read articles on blogs, but I wish to say that this write-up very much forced me to try and do so! Your writing style has surprised me. Thanks, very nice article.
- Anonymous
February 13, 2018
My organization uses Smart Card authentication, and has password auth disabled. Is there a way to delegate that doesn't use a username/password type of login?
- Anonymous
February 14, 2018
If you are referring to the section on connecting to a site, the answer is no and this has been asked for before.
- Anonymous
September 14, 2018
A non-admin user has been delegated all possible features (i.e., every feature in 'Feature Delegation' is R/W) to a site. They connect with IIS to the site just fine using the guidance provided above. Can they stop / start their own site (not just niggle with app pool recycling)? Add virtual directories or applications 'straightforwardly' (you can sneak them in by publishing to a folder in the site's physical folder or via Web Deploy)? This apparently wasn't possible per some 2014 posts and doesn't look possible now but I am hoping I am wrong. Trying Stop-Website with PowerShell (for the non-admin) gets "A drive with the name 'IIS' does not exist." even after import-module webadministration but does work for an admin. My 'use case' is providing students with a web site they own on a Windows Server and I hoped delegating all features of a site would give the user full command of the site (e.g., so all the IIS demos & doc in the world can be applied without exception). Any way to give them authority over a web site without providing all privileges of an admin?
- Anonymous
September 19, 2018
Hello, Unfortunately I cannot answer your question as my use case was for a group to manage the entire SharePoint farm. I've not tried to limit the way you are asking.