The IIS metabase has permission settings (ACLs) on its various nodes, and
you can lock down or loosen those permissions with the command-line tool
metaacl.vbs or with Metabase Explorer, which is included in the IIS
Resource Kit. This is similar in concept to file system permissions on an
NTFS disk volume. Normally the metabase ACLs do not need to be changed
except for very specific requirements, but the push does not handle them
perfectly, which requires us to dig deeper. As best I can tell, this is an
oversight in the export or import function built into IIS. The commonly
used IIS_WPG group is a local group, so its SID is specific to each server
(node): the entry needs to be switched from the source server's SID to the
SID of the target server.
The copy/import works properly in the root nodes of the metabase and in
some other nodes that have specific permissions, but two sections of the
metabase are not handled correctly: /w3svc/AppPools and /w3svc/Filters.
It is easiest to explain by showing the output of the metaacl.vbs tool.
Here is an example of an untouched metabase.
Listing 1
C:\admin>Metaacl.vbs "IIS://localhost/w3svc/apppools"
BUILTIN\Administrators
Access: RWSUED
NLB1\IIS_WPG
Access: U
NT AUTHORITY\NETWORK SERVICE
Access: U
NT AUTHORITY\LOCAL SERVICE
Access: U
Notice the NLB1\IIS_WPG entry with U permissions. Now let us look at the
same node after a push.
Listing 2
C:\admin>Metaacl.vbs "IIS://localhost/w3svc/apppools"
BUILTIN\Administrators
Access: RWSUED
S-1-5-21-2936230025-297186120-535571621-1007
Access: U
NT AUTHORITY\NETWORK SERVICE
Access: U
NT AUTHORITY\LOCAL SERVICE
Access: U
Notice that where the IIS_WPG group used to be, there is now just an
orphaned SID that the target server cannot resolve (it is the source
server's IIS_WPG). This will not cause your sites to stop, but it will
cause issues such as IIS being unable to read the private memory limits
of the app pool. So, when doing a push, make sure to clean that up. The
attached scripts take care of that as well.
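The check described above, as an added example that is not one of the page's attached scripts: it parses saved metaacl.vbs output for the two problem nodes and flags any trustee that is printed as a raw SID, or a node with no IIS_WPG entry at all. The sample listings are the page's Listing 1 and Listing 2 embedded as constructed strings; the parser assumes the two-line trustee/"Access:" layout shown there. In practice you would feed it the output of "cscript metaacl.vbs" captured on the target server after the push.

```python
import re

# Sample metaacl.vbs output, constructed here from Listing 1 and Listing 2 on the
# page (raw strings so the backslash in "NT AUTHORITY\NETWORK SERVICE" survives).
UNTOUCHED_APPPOOLS = r"""
C:\admin>Metaacl.vbs "IIS://localhost/w3svc/apppools"
BUILTIN\Administrators
Access: RWSUED
NLB1\IIS_WPG
Access: U
NT AUTHORITY\NETWORK SERVICE
Access: U
NT AUTHORITY\LOCAL SERVICE
Access: U
"""

PUSHED_APPPOOLS = r"""
C:\admin>Metaacl.vbs "IIS://localhost/w3svc/apppools"
BUILTIN\Administrators
Access: RWSUED
S-1-5-21-2936230025-297186120-535571621-1007
Access: U
NT AUTHORITY\NETWORK SERVICE
Access: U
NT AUTHORITY\LOCAL SERVICE
Access: U
"""

# A trustee printed as a raw SID means the target server could not resolve it to a name.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
# Echoed command prompt at the top of a pasted listing, e.g. "C:\admin>Metaacl.vbs ...".
PROMPT_RE = re.compile(r"^[A-Za-z]:\\.*>")
# The two nodes the page identifies as mishandled by the push.
PROBLEM_NODES = ("/w3svc/AppPools", "/w3svc/Filters")


def parse_metaacl(output):
    """Turn a metaacl.vbs listing into a list of (trustee, access) pairs."""
    entries = []
    trustee = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or PROMPT_RE.match(line):
            continue
        if line.startswith("Access:"):
            if trustee is None:
                raise ValueError("Access line without a trustee: %r" % line)
            entries.append((trustee, line.split(":", 1)[1].strip()))
            trustee = None
        else:
            trustee = line
    if trustee is not None:
        raise ValueError("trustee without an Access line: %r" % trustee)
    return entries


def audit_node(node, output):
    """Return findings for one metabase node: orphaned SIDs and a missing IIS_WPG entry."""
    entries = parse_metaacl(output)
    findings = []
    for trustee, access in entries:
        if SID_RE.match(trustee):
            findings.append("%s: unresolved SID %s (Access: %s); the source server's "
                            "group SID was copied instead of this server's" % (node, trustee, access))
    if not any(t.upper().endswith("\\IIS_WPG") for t, _ in entries):
        findings.append("%s: no IIS_WPG entry; re-grant the local IIS_WPG group" % node)
    return findings


def audit_push(listings):
    """listings maps a node path to metaacl.vbs output captured on the target after a push.
    Returns {node: [findings]} for nodes with problems; the two problem nodes are always
    expected, so a missing listing for either is itself reported."""
    report = {}
    for node in PROBLEM_NODES:
        if node not in listings:
            report[node] = ["%s: no listing captured; run metaacl.vbs on this node" % node]
    for node, output in listings.items():
        findings = audit_node(node, output)
        if findings:
            report[node] = findings
    return report


if __name__ == "__main__":
    for node, findings in audit_push({"/w3svc/AppPools": PUSHED_APPPOOLS}).items():
        print("\n".join(findings))
```

Run against the pushed listing it reports the orphaned SID and the missing IIS_WPG entry for /w3svc/AppPools, plus a reminder that /w3svc/Filters was not captured; against the untouched listing for both nodes it reports nothing.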
When doing a merge, I found that the easiest way to handle this is to
remove the ACL lines from the export completely and keep the permissions
already on the destination server. I have another script, called
RemoveAdminACLline.vbs, that takes care of that. It makes the /merge even
cleaner because the merge then does not touch the ACLs on the destination
server at all.
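The same idea as the RemoveAdminACLline.vbs script, written here as an added Python example rather than the author's script: it drops every line that holds only an AdminACL attribute and reports which Location each removed ACL belonged to. The fragment is constructed in the one-attribute-per-line layout that IIS 6 uses for metabase.xml; that the export file used for a merge has the same layout is an assumption, so compare with your own export first. The AdminACL value is a placeholder, not a real encoded ACL. The function refuses to edit a file where AdminACL shares a line with other text, since removing such a line would also remove whatever else was on it.

```python
import re

# Constructed export fragment; AdminACL carries a placeholder instead of a real ACL.
EXPORT_FRAGMENT = r"""<configuration>
<MBProperty>
<IIsApplicationPools    Location ="/LM/W3SVC/AppPools"
        AdminACL="BASE64-ACL-PLACEHOLDER"
        AppPoolIdentityType="2"
    >
</IIsApplicationPools>
<IIsWebServer   Location ="/LM/W3SVC/1"
        ServerComment="Default Web Site"
    >
</IIsWebServer>
</MBProperty>
</configuration>
"""

# A line that is nothing but an AdminACL attribute (optionally indented).
ADMINACL_LINE = re.compile(r'^\s*AdminACL\s*=\s*"[^"]*"\s*$')
# The Location attribute that opens each metabase element, used only for reporting.
LOCATION_ATTR = re.compile(r'Location\s*=\s*"([^"]*)"')


def remove_adminacl_lines(xml_text):
    """Strip AdminACL-only lines from an export so a merge leaves the destination
    server's own metabase ACLs in place. Returns (cleaned_text, locations_stripped).
    Raises ValueError if an AdminACL attribute shares a line with anything else,
    because deleting that line would also delete the other attribute or the
    element's closing bracket."""
    kept, stripped, location = [], [], None
    for line in xml_text.splitlines(keepends=True):
        m = LOCATION_ATTR.search(line)
        if m:
            location = m.group(1)
        if ADMINACL_LINE.match(line):
            stripped.append(location)
            continue
        if "AdminACL" in line:
            raise ValueError("AdminACL is not on its own line at %s; edit by hand" % location)
        kept.append(line)
    return "".join(kept), stripped


if __name__ == "__main__":
    cleaned, stripped = remove_adminacl_lines(EXPORT_FRAGMENT)
    print("removed AdminACL from:", stripped)
    print(cleaned)
```

Only the AdminACL line under /LM/W3SVC/AppPools is removed; the element's other attributes and its closing bracket are preserved, so the cleaned file still parses.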