Designate a Web Site Operator Without Adding Them to the Admin Group
Learn how you can designate a Web site operator in IIS without having to add them to the administrator group.
January 13, 2003
When I create a new Web site operator for a Web site in IIS, I know that I must open the Web site's Properties dialog box and add that person's network account to the Operator’s tab. However, when I add an account to the Operator's tab and the Web site operator uses Microsoft Management Console (MMC) to enumerate or list directories within that Web site, the user receives the error message, "Unable to enumerate files and directories because the following error occurred: Access is denied."
According to the "Microsoft Internet Information Services 5.0 Resource Guide," a Web site operator doesn't need administrative permissions on the server on which the Web site resides. Despite this fact, I can prevent the error I described only by adding the Web site operator to the local Administrators group. However, I don't want to add the Web site operator to the Administrators group because of security concerns and because doing so lets the Web site operator view and edit properties for any Web site on the server. How can I designate a Web site operator without adding the person to the Administrators group?
The Operators features in IIS 5.0 and IIS 4.0 aren't as effective as Microsoft would have you believe. The company has acknowledged limitations in the Microsoft article "Web Site Operator Capabilities and Limitations" but hasn't corrected the problem.
Administrators often spend a lot of time adjusting NTFS permissions so that the Web site operator can access the metabase.bin file, but doing so won’t achieve your goal. Although NTFS permissions on the metabase.bin file provide only Administrator and System access by default, adding a user or group won’t let the user administer Web sites.
However, you can apply ACLs to metabase keys and use several different tools or an Active Directory Service Interfaces (ADSI) script to adjust those ACLs. The Microsoft article "SAMPLE: Metaacl.exe Modifying Metabase Permissions for the IIS Admin Objects" provides a link for downloading metaacl.exe, which includes metaacl.vbs—probably the most widely used tool for this purpose. Metaacl.vbs lets you control the AdminACL metabase property on metabase keys. This property limits access to metabase keys much like setting ACLs on registry keys. For information about the AdminACL property, click here.
After you download metaacl.exe and extract metaacl.vbs, issue the following command to assign Read/Write permissions for the Web site of choice to your Web site operator:
Metaacl.vbs "IIS://Localhost/W3SVC/" RWSUED
Note that incorrect use of metaacl.vbs can make IIS unstable or unmanageable. Also, in my experience, using metaacl.vbs to adjust ACLs on the metabase takes some experimentation (i.e., time) to work properly. Finally, be aware that Microsoft doesn't support the use of metaacl.vbs. Be sure you create a good metabase backup before you make changes.
About the Author
You May Also Like