IIS Support Blog
Manage IIS locally with a non-admin account

Nedim
Former Employee
Nov 13, 2019

Administrators mostly use a local or domain account that has local admin rights to manage IIS. How about non-administrator accounts? Can a non-administrator account use IIS Manager?

The answer is YES but it also depends on what you manage and how you access IIS Manager.

If you log in to the server with a non-admin account and open IIS Manager, you can manage only:

  • Websites
  • Applications

By design, non-admin accounts can’t manage application pools locally.

 

The following steps are for a website. You can use similar steps for applications.

  1. Open IIS Manager
  2. Click the website
  3. Double-click “IIS Manager Permissions”
  4. Click “Allow User”. Add your domain or local users (I used IISTEAM domain – see the screenshot)
  5. Log off administrator
  6. Log back in with a non-admin user
  7. Open IIS Manager
  8. Select “File > Connect to Site”
  9. Enter “localhost” as a server name. Enter your site name. Click “Next”
  10. Enter username and password (a user from IIS Manager Permissions list). Click “Finish”
  11. The website will show up in IIS Manager

Step 3 – IIS Manager Permissions

Step 7 – Connecting a remote site

 

To manage application pools remotely with a non-admin user, add the users to IIS Manager Permissions (just as we did above). Then go to “IIS Manager > Management Service” and enable it. After this change, you can open IIS Manager on another server and add this server as a new connection (blog post).

 

You can also use manage.iis.net or Windows Admin Center to manage IIS websites remotely.
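
The grant from steps 1-4 and the Management Service setting from the remote-management paragraph can also be applied and reviewed from an elevated PowerShell prompt. This is an added example, not part of the original post: it uses the `ManagementAuthorization` class from `Microsoft.Web.Management.dll`, and the site name and the `IISTEAM\webdev1` account are placeholders.

```powershell
# Added example: run elevated on the IIS server.
# $SiteName and $Account are placeholder values, not taken from a real system.
param(
    [string]$SiteName = 'Default Web Site',
    [string]$Account  = 'IISTEAM\webdev1'
)

# Microsoft.Web.Management.dll is installed with the IIS management tools.
Add-Type -Path "$env:windir\System32\inetsrv\Microsoft.Web.Management.dll"
$auth = [Microsoft.Web.Management.Server.ManagementAuthorization]

# Steps 1-4: grant the account IIS Manager permission on this one site only,
# skipping the call if the account is already listed for the site.
$current = @($auth::GetAuthorizedUsers($SiteName, $false, 0, 1000))
if ($current.Name -notcontains $Account) {
    $null = $auth::Grant($Account, $SiteName, $false)   # $false = a user, not a role (group)
}

# Review who can manage the site, including grants inherited from parent paths.
$auth::GetAuthorizedUsers($SiteName, $true, 0, 1000) |
    Select-Object Name, IsRole, ConfigurationPath |
    Format-Table -AutoSize

# Report the Management Service (WMSvc) state and whether remote connections
# are enabled. Nothing is started or changed here; this part is read-only.
$svc = Get-Service -Name WMSvc -ErrorAction SilentlyContinue
$cfg = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server' -ErrorAction SilentlyContinue
[pscustomobject]@{
    WMSvcInstalled          = [bool]$svc
    WMSvcStatus             = if ($svc) { $svc.Status } else { 'n/a' }
    RemoteManagementEnabled = ($cfg.EnableRemoteManagement -eq 1)
    WindowsCredentialsOnly  = ($cfg.RequiresWindowsCredentials -eq 1)
}
```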

 

Updated Sep 04, 2020
Version 2.0

6 Comments

  • jaakko
    Copper Contributor

    Web Management Service must be running on that server, then users can connect to websites with inetmgr.

  • js_js
    Copper Contributor

    Hello, this tutorial does not work because although the user is added to the website, he cannot see the website and/or connect to the server.
    I am using Windows Server 2019.
    I am using IIS 10.

    I am trying to connect to localhost IIS using an account which is in the Users group and has been added via IIS Manager Permissions (icon - two guys with globe).

    The folder where the app is deployed is located in the user's folder and has IIS_IUSRS assigned, and the administrator can run the app fine via IIS.

    Also, when trying to connect to the localhost IIS, I can select:
    a) connect to server; when I enter localhost, I am requested to enter a username and password, but I need to connect using local Windows authentication and there is no option for that
    b) connect to website, which is the same but I have to enter the web app name as well.

    Why can't the user connect to the localhost server?

  • HawkMan
    Copper Contributor

    Is it possible to allow non-admins to view IIS only, including Application Pools, to see if they are running or not?

  • Nedim
    Former Employee

    Hi rvmishra,

     

    I have recently updated this post as there have been changes in this topic. There is currently no convenient way for non-admins to manage application pools. This is on purpose. We think it’s a security risk to allow non-admins to stop websites.

     

    Using manage.iis.net was a workaround, but this website has been recently retired (even when it was active, it required admin intervention for setup and every time the browser cache was cleared).

     

    We have a tool called Windows Admin Center. This tool is developed to help admins manage servers remotely (Not just IIS but it can manage other components as well). If you set up this tool with admin credentials, non-admin users can later continue using it to manage sites. However, I don’t recommend this tool for this scenario because of the following reasons.

     

    1. Admin credentials should be used to set it up for every user/machine (we are simply using the browser to save the password)
    2. Every time the machine is restarted, the credentials should be entered again
    3. The non-admin user will have more permissions than just managing IIS. They can manage users/groups, storage, etc.

    In summary, it’s not recommended to use non-admin accounts to manage application pools.

    • markw_
      Copper Contributor

      Sorry to drag this up from the dead, but this is the whole point of delegation and least privilege. 

      In our use case, we have some developers who need to be able to operate some aspects of IIS administration (e.g. managing application pools) but where we don't want to give them full access to IIS or the web server because we don't trust them not to make unauthorised changes.

      Your argument for not using full admin accounts for specific tasks which could be delegated is nonsense and also contrary to Microsoft's drive towards more granular management and control.

      I realise that I'm shouting into the void on this one but this really is worthy of a fresh look...

  • rvmishra
    Copper Contributor

    Hello Nedim 

    We have recently set up a Windows Server 2016 where I need to allow IIS Manager access to a Windows user who is not a member of the "Administrators" Group.

     

    I have tried following your article above but the user still gets an error after specifying the site details.

     

    Anything you can suggest would be a big help

    In fact, the user needs to have IIS Manager access for multiple sites (asp.net) configured in-parallel

     

    Regards