Delegating IIS administration to Domain Users (non-administrators)

One of the new features in IIS 7 is Feature Delegation. It allows you to delegate management of IIS to domain users (non-administrators). This document has very detailed information on Feature Delegation and should be reviewed first. I was asked how to do this for a domain group, so this article has a few differences in the screenshots.

Feature delegation has four parts. 

  • Enabling remote connections through the Management Service.
  • Adding the AD user(s)/group(s) to each site listed in IIS, using IIS Manager Permissions.
  • Delegating the IIS features those users may use; this is set using Feature Delegation.
  • Connecting to IIS as a non-administrator.

Enabling Remote connections

Load IIS Manager.

Double click Management Service on the bottom right.

Click Enable Remote Connections.

Click Windows Credentials Only.


Click Apply, then click Start.

Adding users to allow delegation

Under Sites, click the first web site you wish to assign delegation to, then on the right double click IIS Manager Permissions.

Then on the right click Allow User.


In the Allow User pop-up window, enter Contoso\app admins and click OK.

Repeat for each listed site on which you would like to allow IIS delegation.


Delegating the features you would like to delegate and the rights for each delegation

From the IIS home page double click Feature Delegation.

Within Feature Delegation, click Authentication - Windows, then on the right click Read/Write.

Repeat feature delegation for Logging and SSL Settings and any other features you would like to delegate. When done the screen should look similar to the above image. You are now done with delegation.


You may now access IIS with the credentials you delegated above.
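The three server-side parts above (remote connections, IIS Manager Permissions, Feature Delegation) can also be scripted. This is an added example, not from the original article: it is run elevated on the IIS server, the group name is the one used in the article, and the site list and the configuration section names that map to the three named features are my assumptions, marked in the comments.

```powershell
# Added example: scripted equivalent of the article's server-side steps.
Import-Module WebAdministration

$Group = 'Contoso\app admins'          # group from the article
$Sites = @('Default Web Site')          # assumption: replace with the sites you delegate

# Part 1: enable remote connections, Windows credentials only, then (re)start WMSVC
# so the new registry values take effect.
$wm = 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server'
Set-ItemProperty -Path $wm -Name EnableRemoteManagement     -Value 1 -Type DWord
Set-ItemProperty -Path $wm -Name RequiresWindowsCredentials -Value 1 -Type DWord
Set-Service     -Name WMSVC -StartupType Automatic
Restart-Service -Name WMSVC

# Part 2: IIS Manager Permissions. Grant the domain group (isRole = $true) on each
# site, not at server level, so delegated users only see the sites you intend.
Add-Type -Path "$env:windir\System32\inetsrv\Microsoft.Web.Management.dll"
foreach ($site in $Sites) {
    [Microsoft.Web.Management.Server.ManagementAuthorization]::Grant($Group, $site, $true) | Out-Null
}

# Part 3: Feature Delegation "Read/Write" unlocks the feature's section at server
# level. Assumption: these section paths correspond to the three features named
# in the article (Authentication - Windows, Logging, SSL Settings).
$sections = @(
    'system.webServer/security/authentication/windowsAuthentication',
    'system.webServer/httpLogging',
    'system.webServer/security/access'
)
foreach ($s in $sections) {
    Set-WebConfiguration -PSPath 'IIS:\' -Filter $s -Metadata overrideMode -Value Allow
}

# Check: the service is running and the two registry values are set.
Get-Service -Name WMSVC | Select-Object Status, StartType
Get-ItemProperty -Path $wm | Select-Object EnableRemoteManagement, RequiresWindowsCredentials
```

Every section you unlock here can be edited by any delegated user on any site they were granted, so keep the section list to the features you actually want delegated.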

Connecting to IIS as a non-administrator

Log onto the server as a non-administrator and load IIS Manager.

Right click Start Page, then click Connect to a Site.

Enter the Server Name and Site Name, then click Next.


Enter the appropriate User Name and Password, then click Next.

Click Next on Specify a Connection Name, then click Finish. You will now see your connection to that site.

Repeat for any additional sites on this server that you would like to connect to.

Note: You cannot manage any of the application pools this way. That is covered in the next blog: How to use Web Deploy for administration of Application Pools by Non Administrators.