How to run IISRESET for IIS6 without local admin privileges

TheMSsForum.com: The Microsoft Software Forum

Howdy,

Given the concerns of our senior engineer, only
members of the systems group are added to the local
administrators/domain admins group on our web servers.
However, members of other groups still need to have the
ability to restart IIS services via IISRESET using their
domain logins. Using RUNAS is not an option as we do not
want to give local admin privileges in ANY FORM to anyone
outside the systems team. With this restriction, the
task of determining the minimum account
policies/permissions necessary to run IISRESET besides
granting local admin privileges has been assigned to me.
I've spent hours upon hours scouring MS sites attempting
to find this information with no luck.

Is there any configuration of group policy objects/file
permissions which will allow a user to successfully run
IISRESET against a remote server without granting local
admin privileges or giving out/hard-coding the password
of a local admin in a script/runas scenerio?

Thanks,

Jason Wiswell
Top

Re: How to run IISRESET for IIS6 without local admin privileges by David

David
Tue Oct 19 06:54:34 CDT 2004

I can't think of any.

I recommend against using IISRESET on IIS6 since it can cause data
corruption. It works fine against IIS5 but is an absolute sledgehammer for
IIS6.

1. NET STOP W3SVC & NET START W3SVC

is all about you need to do to restart IIS, and that needs Power Users
privileges.

2. NET STOP /y HTTP & NET START W3SVC
If you want to stop HTTP.SYS (because you made a HTTP.SYS registry change
and need it to take effect, for example), use:

3. Use Application Pool recycling as an equivalent form of iisreset on IIS6.
It causes the w3wp.exe to recycle, which is just as good as what
iisreset.exe accomplishes

4. I recommend against running other services that use the IISADMIN service
on WS03 since they can indirectly cause problems for IIS6 (IISADMIN service
is absolutely an Achilles Heel in IIS6 since IIS6 keeps configuration with
it, and it is also shared by other less reliable services -- so if they
crash/hang IISADMIN, it also affects IIS. This includes FTP, SMTP, NNTP).

In general, IIS6 should never be "offline" nor unavailable unless you affect
the system in other ways (like rebooting it).

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Jason Wiswell" <jason_wiswell@yahoo.com> wrote in message
news:1d4801c4b57f$687a3510$a401280a@phx.gbl...
Howdy,

Given the concerns of our senior engineer, only
members of the systems group are added to the local
administrators/domain admins group on our web servers.
However, members of other groups still need to have the
ability to restart IIS services via IISRESET using their
domain logins. Using RUNAS is not an option as we do not
want to give local admin privileges in ANY FORM to anyone
outside the systems team. With this restriction, the
task of determining the minimum account
policies/permissions necessary to run IISRESET besides
granting local admin privileges has been assigned to me.
I've spent hours upon hours scouring MS sites attempting
to find this information with no luck.

Is there any configuration of group policy objects/file
permissions which will allow a user to successfully run
IISRESET against a remote server without granting local
admin privileges or giving out/hard-coding the password
of a local admin in a script/runas scenerio?

Thanks,

Jason Wiswell


Top