WMI Rights required to read root\MicrosoftIISv2 in IIS7 with IIS6 compatibility mode

Posted by JoeBilly on Server Fault See other posts from Server Fault or by JoeBilly
Published on 2012-07-27T16:05:45Z Indexed on 2012/09/18 9:40 UTC
Read the original article Hit count: 2486

Filed under:
|
|

I need to manage my IIS7 (Windows Server 2008) remotely with a WMI IIS6 API. So I added the IIS6 WMI Compatibility and IIS6 Metabase Compatibility roles to access the root\MicrosoftIIsv2 namespace.

I have a domain account which is not administrator on the remote machine ; with this right, everything is ok.

I configured these rights for my domain account to access the root\MicrosoftIIsv2 WMI namespace remotely ; note that these rights work perfectly on a IIS6 and Windows Server 2003 :

DCOM :

  • Account in Distributed COM Users > Remote & local access to DCOM

WMI :

  • Root\CIMV2 (I need access here too) > Execute methods, Enable Account, Remote Enable
  • Root\Default (I need access here too) > Execute methods, Enable Account, Remote Enable
  • Root\MicrosoftIISv2 > Execute methods, Enable Account, Provider Write, Remote Enable

IIS Metabase (Metabase Explorer) :

  • LM > Full Control (W3SVC inherits these permissions)

I tried to give some access on C:\Windows\System32\inetsrv too ; don't know if needed.

My issue is :

I can't list the IIS WebSites (\root\MicrosoftIISv2:IIsWebServerSetting.Name="W3SVC/*"). I don't get an 'access denied' but nothing is returned.

  • My API and powershell tests can connect and execute queries in the root\MicrosoftIISv2 namespace
  • I can read the IIsComputer class
    • ex: Get-WmiObject IIsComputer -namespace "ROOT\MicrosoftIISv2" -authentication PacketPrivacy | SELECT *
  • I can't read the IIsWebServerSetting, IIsWebServer ... to list the WebSites : the query returns an empty collection
    • ex: Get-WmiObject IIsWebServerSetting -namespace "ROOT\MicrosoftIISv2" -authentication PacketPrivacy | SELECT ServerComment
  • All queries work perfectly if the account is administrator as already said
  • I am using PacketPrivacy authentication

FI: I got a Warning Event 5605 with the Administrator right or not, that does not seem to have an impact :

The root\MicrosoftIISv2 namespace is marked with the RequiresEncryption flag. Access to this namespace might be denied if the script or application does not have the appropriate authentication level. Change the authentication level to Pkt_Privacy and run the script or application again


Ok, I have some more informations, when I use IIS 6 Metabase Explorer with my administrator account I can see the rights are correctly inherited for my non-administrator account.

But when I try to connect using my non-administrator account, I can list the LM node, but get an "access denied, failed to get a key's data" when I try to browse the child nodes.

I'll check further.


I tried to Trace the WMI Activity, and everything seems OK ; this tends to confirm that the problem lies in IIS Rights.

© Server Fault or respective owner

Related posts about windows-server-2008

Related posts about iis7