Hi tek-tippers,
Has anyone been able to setup read-only access via the IIS6 manager snap-in to a remote IIS6?
By this I mean running the IIS6 snapin locally (on a workstation) and connecting to a remote IIS6 server and having read-only access to FTP/WEB/SMTP/etc sites and properties.
I have setup the permissions (correctly I hope) and the access works as expected using metabase explorer. That is, same scenario as above but using metabase explorer.
I basically gave read-only access to a non-admin test account at all metabase nodes where the ADMINACL property is configurable. This works as expected in IIS6 mgr when run under the test account on the server itself, but when run remotely using the same account I can't get a list of the web sites, only the application pools.
Only when that account has full control at \LM I can get a list of web sites. But then this allows the user to change settings at \LM such as 'direct metabase edit'. Anyways marching on, I found that despite the read ACE at a site node, I get 'access denied' when attempting to bring up the properties dialogue box for that site.
People have told me that it's impossible and that Microsoft says so as well, but I have yet to see this in writing on MS's site.
The motivation for doing this is to allow support staff to inspect web/ftp site configurations via the iis6 snapin without giving power to change settings.
If anyone has any thoughts please let me know. I can post detail steps of what I did if anyone wants to reproduce this.
Has anyone been able to setup read-only access via the IIS6 manager snap-in to a remote IIS6?
By this I mean running the IIS6 snapin locally (on a workstation) and connecting to a remote IIS6 server and having read-only access to FTP/WEB/SMTP/etc sites and properties.
I have setup the permissions (correctly I hope) and the access works as expected using metabase explorer. That is, same scenario as above but using metabase explorer.
I basically gave read-only access to a non-admin test account at all metabase nodes where the ADMINACL property is configurable. This works as expected in IIS6 mgr when run under the test account on the server itself, but when run remotely using the same account I can't get a list of the web sites, only the application pools.
Only when that account has full control at \LM I can get a list of web sites. But then this allows the user to change settings at \LM such as 'direct metabase edit'. Anyways marching on, I found that despite the read ACE at a site node, I get 'access denied' when attempting to bring up the properties dialogue box for that site.
People have told me that it's impossible and that Microsoft says so as well, but I have yet to see this in writing on MS's site.
The motivation for doing this is to allow support staff to inspect web/ftp site configurations via the iis6 snapin without giving power to change settings.
If anyone has any thoughts please let me know. I can post detail steps of what I did if anyone wants to reproduce this.