  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 669

How to set permissions to modify virtual directories (metabase) from asp.net on Windows 2008 IIS7 without using the built-in administrator account?

We use System.DirectoryServices to edit virtual directories from within asp.net pages on our webservers. The script works on Windows 2003 and Vista, but we can't get it to work on Windows 2008. It only works if we use the built-in Administrator account.
Does anyone have an idea how to set the proper permissions to allow a user group to have access to change virtual directories from within asp.net pages using impersonation?

The error we get if we don't use the built-in administrator account is:
AppAudit: Root: /
AppAudit: Add virtualdir: en E:\Inetpub\be.cl-cosmetics\beta\xx-xx\ IIS://localhost/W3SVC/7/ROOT
AppAudit: Binding to: IIS://localhost/W3SVC/7/ROOT
Error: System.Runtime.InteropServices.COMException (0x80070005): Access is denied.
   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_SchemaClassName()
   at Portalizer.IIS.CreateVirtualDirectory(VirtualDirectory& VD) in F:\UDM\Portalizer2.0\IIS.vb:line 18
Asked by: Scubago

1 Solution

Dustin Hopkins Commented:
I think this is due to LUA. You could try disabling this for the user account that adds the vdirs; though disabling is not recommended, it is probably the quickest way out of a bind. You could try playing around with running command-line code, and just elevating the user through the cmdln.
I'm sorry if this is inaccurate, but I haven't had a chance to test this solution on any of my servers.

Windows Server 2008 introduces a new feature, UAC (User Access Control), also known as Local User Administrator (LUA) Security, to protect the OS from being attacked. Kind of like in Vista, but it seems to be less intrusive, mainly reserving itself to app installs and certain other features, including creating virtual directories. Under UAC (user access control), accounts in the local Administrators group have two access tokens, one with standard user privileges and one with administrator privileges.

Normally, the administrator runs under the standard user privileges. If the administrator needs to perform some tasks that require administrator privilege, the system will pop up a dialogue to let us promote it.

Of course, you can change this behavior by disabling UAC with the following steps:
1. Open the Control Panel from the Start menu and select Classic View.

2. Double-Click User Account

3. Under "Make Changes to Your User Account" click the link labeled "Turn User Account Control on or off"

4. Click Continue when prompted "Windows needs your permission to continue"

5. Un-select the check box next to "User Account Control (UAC) to help protect your computer" and then click OK.

6. When prompted to restart your computer, select Restart Now

For more information about UAC, please refer to:
Windows User Account Control Step-by-Step Guide
http://technet2.microsoft.com/WindowsVista/en/library/0d75f774-8514-4c9e-ac08-4c21f5c6c2d91033.mspx?mfr=true

Scubago (Author) Commented:
Your suggestion is right, but I didn't want to give up UAC, so I fixed it by running that particular script impersonated as the local administrator. Not a clean solution, but the safest one I figured out till now.
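
Added example, not part of the thread: a read-only PowerShell check of the UAC policy and of the token the current account is running with, to run as the account that edits the virtual directories before deciding whether UAC needs to be touched at all. It assumes PowerShell 2.0 or later; the function names are hypothetical. By default the built-in Administrator is exempt from Admin Approval Mode, which matches the behaviour described in the question.

```powershell
# Added example (not from the thread): read-only check of UAC policy and the current token.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    param([string]$Path = $PolicyKey)
    $p = Get-ItemProperty -Path $Path -ErrorAction Stop
    New-Object PSObject -Property @{
        # EnableLUA = 0 is the machine-wide "UAC off" state that the Control Panel steps produce.
        UacEnabled           = ($p.EnableLUA -ne 0)
        # FilterAdministratorToken = 1 puts the built-in Administrator under Admin Approval Mode;
        # when it is 0 or absent, that one account always receives a full token.
        BuiltInAdminFiltered = ($p.FilterAdministratorToken -eq 1)
    }
}

function Get-TokenState {
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
    # IsInRole is true only when the Administrators SID is enabled in this token.
    $elevated  = $principal.IsInRole($adminRole)
    # whoami still lists the SID (marked deny-only) when the token has been filtered.
    $listed    = [bool](whoami /groups /fo csv /nh | Select-String -SimpleMatch 'S-1-5-32-544')

    if ($elevated) {
        $state = 'Full administrator token'
    } elseif ($listed) {
        $state = 'Filtered token of an Administrators member'
    } else {
        $state = 'Not a member of Administrators'
    }

    New-Object PSObject -Property @{
        User       = $id.Name
        Elevated   = $elevated
        TokenState = $state
    }
}

Get-UacPolicy  | Format-List
Get-TokenState | Format-List
```

A result of "Filtered token of an Administrators member" with UacEnabled true is the situation in which a bind to IIS://localhost/W3SVC fails with 0x80070005 even though the account is in the Administrators group.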