• Status: Solved

How to set permissions to modify virtual directories (metabase) from ASP.NET on Windows 2008 IIS7 without using the built-in Administrator account?

We use System.DirectoryServices to edit virtual directories from within ASP.NET pages on our web servers. The script works on Windows 2003 and Vista, but we can't get it to work on Windows 2008. It only works if we use the built-in Administrator account.
Does anyone have an idea how to set the proper permissions to allow a user group to have access to change virtual directories from within ASP.NET pages using impersonation?

The error we get if we don't use the built-in Administrator account is:
AppAudit: Root: /
AppAudit: Add virtualdir: en E:\Inetpub\be.cl-cosmetics\beta\xx-xx\ IIS://localhost/W3SVC/7/ROOT
AppAudit: Binding to: IIS://localhost/W3SVC/7/ROOT
Error: System.Runtime.InteropServices.COMException (0x80070005): Access is denied.
   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_SchemaClassName()
   at Portalizer.IIS.CreateVirtualDirectory(VirtualDirectory& VD) in F:\UDM\Portalizer2.0\IIS.vb:line 18

1 Solution
Dustin Hopkins, Senior Web Developer, Commented:
I think this is due to LUA. You could try disabling this for the user account that adds the vdirs; though disabling is not recommended, it is probably the quickest way out of a bind. You could try playing around with running command-line code, and just elevating the user through the command line.
I'm sorry if this is inaccurate, but I haven't had a chance to test this solution on any of my servers.

Windows Server 2008 introduces a new feature, UAC (User Access Control), also known as Local User Administrator (LUA) Security, to protect the OS from being attacked. Kind of like in Vista, but it seems to be less intrusive, mainly reserving itself to app installs and certain other features, including creating virtual directories. Under UAC (user access control), accounts in the local Administrators group have two access tokens, one with standard user privileges and one with administrator privileges.

Normally, the administrator runs under the standard user privileges. If the administrator needs to perform some tasks that require administrator privilege, the system will pop up a dialogue to let us promote it.

Of course, you can change this behavior by disabling UAC with the following steps:
1. Open the Control Panel from the Start menu and select Classic View.

2. Double-click User Account

3. Under "Make Changes to Your User Account" click the link labeled "Turn User Account Control on or off"

4. Click Continue when prompted "Windows needs your permission to continue"

5. Un-select the check box next to "User Account Control (UAC) to help protect your computer" and then click OK.

6. When prompted to restart your computer, select Restart Now

For more information about UAC, please refer to:
Windows User Account Control Step-by-Step Guide
Scubago (Author) Commented:
Your suggestion is right, but I didn't want to give up UAC, so I fixed it by running that particular script impersonated as the local administrator. Not a clean solution, but the safest one I figured out till now.
Question has a verified solution.
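
The split-token behaviour described in the answer can be checked without turning UAC off. The PowerShell below is an added example, not part of the original thread: the function name Get-UacTokenState is hypothetical, and it assumes PowerShell 2.0 or later, run under the same account and launched the same way as the code that binds to the metabase. It reports whether the account is in the local Administrators group but holding only the filtered (standard user) token, which is the state that produces "Access is denied" for an administrators-group member while the built-in Administrator, exempt from Admin Approval Mode by default, succeeds.

```powershell
# Added example: report how UAC shapes the access token of the current process.
function Get-UacTokenState {
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminSid  = New-Object System.Security.Principal.SecurityIdentifier(
                     [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)

    # True only when the Administrators SID is *enabled* in this token,
    # that is, when the process holds the full (elevated) token.
    $elevated = $principal.IsInRole($adminSid)

    # whoami lists the Administrators SID even when the filtered token carries it
    # as "deny only", so presence here means group membership, not elevation.
    # /nh drops the (localised) header row; column names are supplied instead.
    $groups  = whoami /groups /fo csv /nh |
               ConvertFrom-Csv -Header Name, Type, SID, Attributes
    $inGroup = [bool]($groups | Where-Object { $_.SID -eq $adminSid.Value })

    # RID 500 is the built-in Administrator account.
    $isBuiltinAdmin = $identity.User.Value -match '-500$'

    New-Object PSObject -Property @{
        Account                  = $identity.Name
        UacEnabled               = ($policy.EnableLUA -eq 1)
        # Admin Approval Mode for the built-in Administrator; off unless set to 1.
        BuiltinAdminIsFiltered   = ($policy.FilterAdministratorToken -eq 1)
        IsBuiltinAdministrator   = $isBuiltinAdmin
        InAdministratorsGroup    = $inGroup
        TokenIsElevated          = $elevated
        # Member of Administrators, yet running with standard-user rights.
        RunningWithFilteredToken = ($inGroup -and -not $elevated)
    }
}

Get-UacTokenState | Format-List
```

RunningWithFilteredToken = True with UacEnabled = True means the account's group membership is correct and the missing piece is elevation, not an ACL.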