IISCnfg.vbs - IIS Settings Replication
page 2 of 3
by Web Team at ORCS Web
Feedback
Average Rating: This article has not yet been rated.
Views (Total / Last 10 Days): 26539/ 56

Metabase ACL Issue

The IIS Metabase has permission settings (ACLs) on various nodes of the metabase and you can lock down or loosen the permissions using the command line tool metaacl.vbs or using Metabase Explorer included in the IIS Resource kit.  This is similar in concept to file system permissions on an NTFS disk volume.  Normally this is something that does not need to be changed except for very specific requirements, but the push does not handle the ACLs perfectly, requiring us to dig deeper.  The best I can tell, this is an oversight in the export or import function built into IIS.  The IIS_WPG group, which is commonly used, needs to be switched from a node specific SID of the source server to the SID of the target server.

The copy/import works properly in the root nodes of the metabase and some other nodes that have specific permissions, but there are two sections of the metabase that are not handled correctly.  They are /w3svc/AppPools and /w3svc/Filters.

It is easier for me to explain by showing the output of the metaacl.vbs tool.  Here is an example of an untouched metabase.

Listing 1

C:\admin>Metaacl.vbs "IIS://localhost/w3svc/apppools"
 BUILTIN\Administrators
 Access: RWSUED
 NLB1\IIS_WPG
 Access: U
 NT AUTHORITY\NETWORK SERVICE
 Access: U
 NT AUTHORITY\LOCAL SERVICE
 Access: U 

Notice the NLB1\IIS_WPG with U permissions.  Now let us look at the same node after a push.

Listing 2

C:\admin>Metaacl.vbs "IIS://localhost/w3svc/apppools"
 BUILTIN\Administrators
 Access: RWSUED
 S-1-5-21-2936230025-297186120-535571621-1007
 Access: U
 NT AUTHORITY\NETWORK SERVICE
 Access: U
 NT AUTHORITY\LOCAL SERVICE
 Access: U 

Notice where the IIS_WPG group used to exist; now there is just an invalid SID.  This will not cause your sites to stop, but it will cause issues with IIS being unable to read the private memory limits of the app pool and other similar issues.  So, when doing a push, make sure to clean that up.  The attached scripts take care of that as well.

When doing a Merge, I found that the easiest way to handle this is to remove the ACL lines completely and retain the permissions from the destination server.  I have another script called RemoveAdminACLline.vbs that takes care of that.  That makes the /merge even cleaner because it does not touch the ACLs on the destination server.


View Entire Article

User Comments

No comments posted yet.

Product Spotlight
Product Spotlight 





Community Advice: ASP | SQL | XML | Regular Expressions | Windows


©Copyright 1998-2021 ASPAlliance.com  |  Page Processed at 2021-12-04 6:23:42 AM  AspAlliance Recent Articles RSS Feed
About ASPAlliance | Newsgroups | Advertise | Authors | Email Lists | Feedback | Link To Us | Privacy | Search