Windows SBS 2008 - Restrict admin

Izi · 1 Dec 2010 at 13:42

I want to let users of my network login to the server and administer IIS, but not be able to administer users etc.

I tried doing it with IIS remote management tools, but it says that the user must be an administrator in order to manage IIS remotely - if I make them admins they will be able to login via RDC and administer users etc. Am I right? is there a work around?

Rob7865 · 1 Dec 2010 at 13:55

Why do you want users to admin IIS on an SBS box?? What have you got running on IIS that will require Users to admin and not the IT staff ??

MMC are your friend here - along with delegate permissions

Rob

Izi · 1 Dec 2010 at 14:03

Rob7865 said:
Why do you want users to admin IIS on an SBS box?? What have you got running on IIS that will require Users to admin and not the IT staff ??

MMC are your friend here - along with delegate permissions

Rob

Very small company!

6 developers will need to add/amend/administer websites in IIS.

I do not want the developers to access the main box - I will to keep control of users details/server administration.

Can you explain a little more about MMC? I have opened it and I can add IIS administration but how does that help me with the original problem?

thanks for your help!

Rob7865 · 1 Dec 2010 at 14:26

Personally your best bet here would be to setup a Window Client PC and Install IIS on that for the Developers - You should never host external websites on your main SBS box... But if all you want it for testing / Developing then install IIS on a Windows XP / 7 PC and Let the developers go mad without them destroying the main network server.
also, remember there are some very fundimental websites already hosted on the SBS IIS (RWW, OWA, Connect computer). I wouldnt want to let just anyone poking about with them...

Just my 2 Pence

If you still want to go ahead with allowing developers admin access to the IIS then here is a link to how to setup Delegation for IIS 7 (http://learn.iis.net/page.aspx/155/an-overview-of-feature-delegation-in-iis-70/#03)

Rob ;o)

Izi · 1 Dec 2010 at 15:09

Its only for client previews - I.E the developers do not use them when programming, just publish websites there for clients to access.

I've already got it set up and working nicely leaving the SBS websites in tact. To be honest, I am not using sharepoint or other stuff anyway.

Thanks for the link, I'll have a read.

Izi · 1 Dec 2010 at 15:15

Just had a look at that IIS article, not sure it does what I need.

Feature delegation is about actual website features, not administering IIS.

To be honest, I am not sure what I want is possible - can any body confirm its actually possible to let users connect to iis which are not server admins?

atomiser · 1 Dec 2010 at 20:27

seriously, take robs advice, do not let developers anywhere near your sbs box. i've been bitten before and if sbs goes properly wrong (i.e. you don't use the wizards for *everything*, or you screw around with the tightly integrated nature of the beast) then it can be a real PITA to recover - i've been there and it isn't nice. give them a domain joined pc with iis and local admin rights, they can dick around with that as much as they like without the potential for anything to go wrong at all. everybody wins.