How to set permissions to modify virtual directories (metabase) from asp.net on Windows 2008 IIS7 without using the built-in administrator account?

We use System.DirectoryServices to edit virtual directories from within asp.net pages on our webservers. The script works on Windows 2003 and Vista, but we can't get it to work on Windows 2008. It only works if we use the built-in Administrator account.
Does anyone have an idea how to set the proper permissions to allow a user group to have access to change virtual directories from within asp.net pages using impersonation?

The error we get if we don't use the built-in administrator account is:
AppAudit: Root: /
AppAudit: Add virtualdir: en E:\Inetpub\be.cl-cosmetics\beta\xx-xx\ IIS://localhost/W3SVC/7/ROOT
AppAudit: Binding to: IIS://localhost/W3SVC/7/ROOT
Error: System.Runtime.InteropServices.COMException (0x80070005): Access is denied.
   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_SchemaClassName()
   at Portalizer.IIS.CreateVirtualDirectory(VirtualDirectory& VD) in F:\UDM\Portalizer2.0\IIS.vb:line 18
Asked by: Scubago

Dustin Hopkins (Senior Web Developer) Commented:
I think this is due to LUA. You could try disabling this for the user account that adds the vdirs; though disabling is not recommended, it is probably the quickest way out of a bind. You could try playing around with running command-line code, and just elevating the user through the cmdln.
I'm sorry if this is inaccurate, but I haven't had a chance to test this solution on any of my servers.

Windows Server 2008 introduces a new feature, UAC (User Access Control), also known as Local User Administrator (LUA) Security, to protect the OS from being attacked. Kind of like in Vista, but it seems to be less intrusive, mainly reserving itself to app installs and certain other features, including creating virtual directories. Under UAC (user access control), accounts in the local Administrators group have two access tokens, one with standard user privileges and one with administrator privileges.

Normally, the administrator runs under the standard user privileges. If the administrator needs to perform some tasks that require administrator privilege, the system will pop up a dialogue to let us promote it.

Of course, you can change this behavior by disabling UAC with the following steps:
1. Open the Control Panel from the Start menu and select Classic View.

2. Double-Click User Account

3. Under "Make Changes to Your User Account" click the link labeled "Turn User Account Control on or off"

4. Click Continue when prompted "Windows needs your permission to continue"

5. Un-select the check box next to "User Account Control (UAC) to help protect your computer" and then click OK.

6. When prompted to restart your computer, select Restart Now

For more information about UAC, please refer to:
Windows User Account Control Step-by-Step Guide
http://technet2.microsoft.com/WindowsVista/en/library/0d75f774-8514-4c9e-ac08-4c21f5c6c2d91033.mspx?mfr=true
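
The two-token behaviour described in this answer can be checked from a PowerShell prompt before changing any UAC setting. The script below is an added example, not code from the thread; it assumes PowerShell 2.0 or later and that it is run interactively as the account that edits the virtual directories, once from a normal prompt and once from a "Run as administrator" prompt.

```powershell
# Added diagnostic, not part of the original thread.
# Reports whether the token this process runs under is the filtered
# (standard user) token or the full administrator token.

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

# IsInRole is True only when the Administrators SID is enabled in this token.
$adminRole      = [System.Security.Principal.WindowsBuiltInRole]::Administrator
$isAdminEnabled = $principal.IsInRole($adminRole)

# whoami lists every group carried by the token, including groups that are
# present but not usable for access checks. SIDs are locale-independent.
$rows = whoami /groups /fo csv /nh |
    ConvertFrom-Csv -Header Name, Type, Sid, Attributes

# S-1-5-32-544 = BUILTIN\Administrators
$adminRow = $rows | Where-Object { $_.Sid -eq 'S-1-5-32-544' }

# S-1-16-* = mandatory integrity label (8192 = Medium, 12288 = High)
$integrity = $rows | Where-Object { $_.Sid -like 'S-1-16-*' }

if ($isAdminEnabled) {
    $state = 'Full administrator token (elevated)'
}
elseif ($adminRow) {
    # Listed by whoami but not honoured by IsInRole: the filtered token.
    $state = 'Filtered token: Administrators is present but not enabled'
}
else {
    $state = 'Account is not a member of Administrators'
}

"Account         : $($identity.Name)"
"Token state     : $state"
"Integrity label : $($integrity.Name) ($($integrity.Sid))"
if ($adminRow) { "Admin group attr: $($adminRow.Attributes)" }
```

If the normal prompt reports the filtered token and the elevated prompt reports the full token for the same account, the "Access is denied" result comes from the token in use rather than from missing group membership.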
Scubago (Author) Commented:
Your suggestion is right, but I didn't want to give up UAC, so I fixed it by running that particular script impersonated as the local administrator. Not a clean solution, but the safest one I figured out till now.