WMI Rights required to read root\MicrosoftIISv2 in IIS7 with IIS6 compatibility mode
Posted by JoeBilly on Server Fault
Published on 2012-07-27T16:05:45Z
I need to manage my IIS7 (Windows Server 2008) remotely with a WMI IIS6 API. So I added the IIS6 WMI Compatibility and IIS6 Metabase Compatibility roles to access the root\MicrosoftIIsv2 namespace.
I have a domain account which is not an administrator on the remote machine; with this right, everything is OK.
I configured these rights for my domain account to access the root\MicrosoftIIsv2 WMI namespace remotely; note that these rights work perfectly on IIS6 and Windows Server 2003:
DCOM:
- Account in Distributed COM Users > Remote & local access to DCOM
WMI:
- Root\CIMV2 (I need access here too) > Execute methods, Enable Account, Remote Enable
- Root\Default (I need access here too) > Execute methods, Enable Account, Remote Enable
- Root\MicrosoftIISv2 > Execute methods, Enable Account, Provider Write, Remote Enable
IIS Metabase (Metabase Explorer):
- LM > Full Control (W3SVC inherits these permissions)
I tried to give some access on C:\Windows\System32\inetsrv too; I don't know if it is needed.
My issue is:
I can't list the IIS WebSites (\root\MicrosoftIISv2:IIsWebServerSetting.Name="W3SVC/*"). I don't get an 'access denied' but nothing is returned.
- My API and PowerShell tests can connect and execute queries in the root\MicrosoftIISv2 namespace
- I can read the IIsComputer class
- ex:
Get-WmiObject IIsComputer -namespace "ROOT\MicrosoftIISv2" -authentication PacketPrivacy | SELECT *
- I can't read the IIsWebServerSetting, IIsWebServer ... to list the WebSites: the query returns an empty collection
- ex:
Get-WmiObject IIsWebServerSetting -namespace "ROOT\MicrosoftIISv2" -authentication PacketPrivacy | SELECT ServerComment
- All queries work perfectly if the account is administrator, as already said
- I am using PacketPrivacy authentication
FYI: I get a Warning Event 5605 with or without the Administrator right; it does not seem to have an impact:
The root\MicrosoftIISv2 namespace is marked with the RequiresEncryption flag. Access to this namespace might be denied if the script or application does not have the appropriate authentication level. Change the authentication level to Pkt_Privacy and run the script or application again
OK, I have some more information: when I use IIS 6 Metabase Explorer with my administrator account, I can see the rights are correctly inherited for my non-administrator account.
But when I try to connect using my non-administrator account, I can list the LM node, but get an "access denied, failed to get a key's data" when I try to browse the child nodes.
I'll check further.
I tried to trace the WMI activity, and everything seems OK; this tends to confirm that the problem lies in IIS rights.
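Added example (not part of the original post): a PowerShell audit of the WMI half of the configuration listed above, comparing the rights granted to one account on each namespace with the rights the post names. The account name `svc-iismgmt` is a hypothetical placeholder; the script assumes PowerShell 2.0 or later and an elevated session on the IIS server.

```powershell
# WMI namespace access-mask bits (WBEM constants).
$WmiRights = @{
    'Enable Account'  = 0x1
    'Execute Methods' = 0x2
    'Full Write'      = 0x4
    'Partial Write'   = 0x8
    'Provider Write'  = 0x10
    'Remote Enable'   = 0x20
    'Read Security'   = 0x20000
    'Edit Security'   = 0x40000
}

function ConvertFrom-WmiAccessMask([long]$Mask) {
    # Return the name of every right whose bit is set in the mask.
    $WmiRights.GetEnumerator() |
        Where-Object { $Mask -band $_.Value } |
        ForEach-Object { $_.Key }
}

# Rights the post lists for each namespace.
$Expected = @{
    'root\CIMV2'          = 'Execute Methods', 'Enable Account', 'Remote Enable'
    'root\Default'        = 'Execute Methods', 'Enable Account', 'Remote Enable'
    'root\MicrosoftIISv2' = 'Execute Methods', 'Enable Account', 'Provider Write', 'Remote Enable'
}

$Account = 'svc-iismgmt'   # hypothetical: replace with the account under test

foreach ($ns in $Expected.Keys) {
    # __SystemSecurity holds the namespace security descriptor.
    $sd = (Invoke-WmiMethod -Namespace $ns -Path '__SystemSecurity=@' `
            -Name GetSecurityDescriptor).Descriptor
    $granted = @()
    foreach ($ace in $sd.DACL) {
        # AceType 0 = access allowed. Only ACEs naming the account directly
        # are matched; rights inherited through group membership are not.
        if ($ace.AceType -eq 0 -and $ace.Trustee.Name -eq $Account) {
            $granted += ConvertFrom-WmiAccessMask $ace.AccessMask
        }
    }
    $missing = @($Expected[$ns] | Where-Object { $granted -notcontains $_ })
    New-Object PSObject -Property @{
        Namespace = $ns
        Granted   = ($granted | Sort-Object -Unique) -join ', '
        Missing   = $missing -join ', '
    }
}
```

An empty `Missing` value on all three namespaces confirms the WMI ACLs match the list in the post; it says nothing about the metabase ACLs that the IIS provider evaluates separately.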
© Server Fault or respective owner