How to set permissions to modify virtual directories (metabase) on Windows 2008 IIS7 without using the built-in administrator account?

Posted on 2008-11-19
Last Modified: 2012-06-27
We use System.DirectoryServices to edit virtual directories from within pages on our web servers. The script works on Windows 2003 and Vista, but we can't get it to work on Windows 2008. It only works if we use the built-in Administrator account.
Does anyone have an idea how to set the proper permissions to allow a user group to have access to change virtual directories from within pages using impersonation?

The error we get if we don't use the built-in administrator account is:
AppAudit: Root: /
AppAudit: Add virtualdir: en E:\Inetpub\\beta\xx-xx\ IIS://localhost/W3SVC/7/ROOT
AppAudit: Binding to: IIS://localhost/W3SVC/7/ROOT
Error: System.Runtime.InteropServices.COMException (0x80070005): Access is denied. at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) at System.DirectoryServices.DirectoryEntry.Bind() at System.DirectoryServices.DirectoryEntry.get_SchemaClassName() at Portalizer.IIS.CreateVirtualDirectory(VirtualDirectory& VD) in F:\UDM\Portalizer2.0\IIS.vb:line 18
Question by: Scubago

    Accepted Solution

    I think this is due to LUA. You could try disabling this for the user account that adds the vdirs; though disabling is not recommended, it is probably the quickest way out of a bind. You could try playing around with running command line code, and just elevating the user through the cmdln.
    I'm sorry if this is inaccurate, but I haven't had a chance to test this solution on any of my servers.

    Windows Server 2008 introduces a new feature, UAC (User Access Control), also known as Local User Administrator (LUA) Security, to protect the OS from being attacked. Kind of like in Vista, but it seems to be less intrusive, mainly reserving itself to app installs and certain other features, including creating virtual directories. Under UAC (user access control), accounts in the local Administrators group have two access tokens, one with standard user privileges and one with administrator privileges.

    Normally, the administrator runs under the standard user privileges. If the administrator needs to perform some tasks that require administrator privilege, the system will pop up a dialogue to let us promote it.

    Of course, you can change this behavior by disabling UAC with the following steps:
    1. Open the Control Panel from the Start menu and select Classic View.

    2. Double-click User Account.

    3. Under "Make Changes to Your User Account" click the link labeled "Turn User Account Control on or off"

    4. Click Continue when prompted "Windows needs your permission to continue"

    5. Un-select the check box next to "User Account Control (UAC) to help protect your computer" and then click OK.

    6. When prompted to restart your computer, select Restart Now.

    For more information about UAC, please refer to:
    Windows User Account Control Step-by-Step Guide
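A diagnostic for the split-token behaviour the answer describes, added here as an example and not part of the thread or of any participant's code: it reports whether UAC is enabled, whether the current account's token is the elevated one, and whether the same IIS:// metabase bind that fails in the question's stack trace succeeds. It assumes PowerShell on the Windows 2008 server with IIS 6 Metabase Compatibility installed, run under the account the pages impersonate.

```powershell
# Added diagnostic (not from the original thread). Run as the account the
# web pages impersonate, once unelevated and once from an elevated prompt,
# and compare the output.

# 1. Is UAC (LUA) switched on? EnableLUA = 1 means filtered tokens are in use.
$uacKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$enableLua = (Get-ItemProperty -Path $uacKey -Name EnableLUA).EnableLUA
Write-Host ("UAC (EnableLUA) enabled : {0}" -f ($enableLua -eq 1))

# 2. Does the token we are running with carry administrator rights?
#    With UAC on, a member of local Administrators running unelevated gets the
#    filtered (standard-user) token, so IsInRole(Administrator) returns $false
#    even though the group membership exists.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
$elevated  = $principal.IsInRole($adminRole)
Write-Host ("Running as              : {0}" -f $identity.Name)
Write-Host ("Token has admin rights  : {0}" -f $elevated)

# 3. Attempt the same read-only bind the question's code performs.
#    Reading SchemaClassName forces the bind, which is exactly where
#    get_SchemaClassName threw 0x80070005 in the stack trace.
$metabasePath = 'IIS://localhost/W3SVC'
try {
    $site = [ADSI]$metabasePath
    $class = $site.psbase.SchemaClassName
    Write-Host ("Metabase bind to {0}: OK ({1})" -f $metabasePath, $class)
}
catch {
    Write-Host ("Metabase bind to {0}: FAILED - {1}" -f $metabasePath, $_.Exception.Message)
    if ($enableLua -eq 1 -and -not $elevated) {
        Write-Host 'Token is the filtered one; UAC filtering, not missing group membership, is the likely cause.'
    }
}
```

If the bind succeeds from an elevated prompt but fails unelevated for the same account, the error is the UAC filtered token rather than a metabase ACL problem.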

    Author Closing Comment

    Your suggestion is right, but I didn't want to give up UAC, so I fixed it by running that particular script impersonated as the local administrator. Not a clean solution, but the safest one I figured out till now.
