System administrators use IIS Manager to host and manage their web applications in IIS. In the majority of the companies I worked with, administrators use a local or domain account that has local admin rights to use IIS Manager. How about non-admin accounts? Can a non-administrator account use IIS Manager?
The answer is YES depending on what you want to manage and how you want to access IIS Manager.
If you login to Windows Server with a non-admin account and open IIS Manager, you can only manage
- Websites
- Applications
Non-admin accounts can’t manage application pools locally. This is by-design.
In the next section, I will briefly explain how to manage websites and applications locally with a non-admin account.
Manage IIS websites and applications locally with a non-admin account
The steps below are for a website. You can use similar steps for applications.
- Go to IIS Manager
- Click the website. Open “IIS Manager Permissions”
- Click “Allow User”. Add your domain or local users (In the screenshot below, I used IISTEAM domain)
- Log off administrator. Log in with non-admin user
- Go to IIS Manager
- Select “File > Connect to Site”
- Enter “localhost” as a server name and enter your site name. Click “Next”
- Enter username and password (a user from IIS Manager Permissions). Click “Finish”
- The website will show up in IIS Manager
For managing application pools with a non-admin user remotely, add users to IIS Manager Permissions just like we did above. Additionally, go to “IIS Manager > Management Service” and enable it. After this, you can open IIS Manager in another server and add this server as a new connection. Here is a good blog post about this.
You can also use manage.iis.net or Windows Admin Center to manage IIS websites remotely.
After connecting to IIS Manager, you may see that some bindings are missing. Check this post out for the root cause and solution: Missing bindings in IIS (net.tcp, net.pipe, net.msmq, msmq.formatname)
Update (10/23/2020)
There is currently no convenient way for non-admin accounts to manage application pools. This is on purpose. Microsoft thinks that it’s a security risk to allow non-admins to stop websites.
Using manage.iis.net was a workaround but this website has been recently retired (Even when it was active, it required admin intervention for setup and every time browser cache is cleared).
Microsoft has a tool called Windows Admin Center. This tool is developed to help admins manage servers remotely (Not just IIS but it can manage other components as well). If you set up this tool with admin credentials, non-admin users can later continue using it to manage sites. However, I don’t recommend this tool for this scenario because of the following reasons.
- Admin credentials should be used to set it up for every user/machine (We are simply using browser to save password)
- Every time the machine is restarted, the credentials should be entered again
- The non-admin user will have more permissions than just managing IIS. They can manage users/groups, storage, etc.
In summary; Microsoft does not recommend using non-admin accounts to manage application pools.
In the website, I don’t see any “IIS Manager Permissions”
I’m using Windows 10 version 20H2