%3CLINGO-SUB%20id%3D%22lingo-sub-1006358%22%20slang%3D%22en-US%22%3EManage%20IIS%20locally%20with%20a%20non-admin%20account%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1006358%22%20slang%3D%22en-US%22%3E%3CP%3EAdministrators%20mostly%20use%20a%20local%20or%20domain%20account%20that%20has%26nbsp%3B%3CSTRONG%3Elocal%20admin%20rights%3C%2FSTRONG%3E%26nbsp%3Bto%20manage%20IIS.%20How%20about%26nbsp%3B%3CSTRONG%3Enon-administrator%26nbsp%3B%3C%2FSTRONG%3Eaccounts%3F%20Can%20a%20non-administrator%20account%20use%20IIS%20Manager%3F%3C%2FP%3E%0A%3CP%3EThe%20answer%20is%26nbsp%3B%3CSTRONG%3EYES%26nbsp%3B%3C%2FSTRONG%3Ebut%20it%20also%20depends%20on%20what%20you%20manage%20and%20how%20you%20access%20IIS%20Manager.%3C%2FP%3E%0A%3CP%3EIf%20you%20login%20to%20the%20server%20with%20a%20non-admin%20account%20and%20go%20to%20IIS%20Manager%2C%20you%20can%20only%20manage%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EWebsites%3C%2FLI%3E%0A%3CLI%3EApplications%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EBy%20design%2C%20non-admin%20accounts%20can%E2%80%99t%20manage%20application%20pools%20locally.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20following%20steps%20are%20for%20a%20website.%20You%20can%20use%20similar%20steps%20for%20applications.%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EOpen%20IIS%20Manager%3C%2FLI%3E%0A%3CLI%3EClick%20the%20website%3C%2FLI%3E%0A%3CLI%3EDouble%20click%20%E2%80%9C%3CSTRONG%3EIIS%20Manager%20Permissions%3C%2FSTRONG%3E%E2%80%9D%3C%2FLI%3E%0A%3CLI%3EClick%20%E2%80%9C%3CSTRONG%3EAllow%20User%3C%2FSTRONG%3E%E2%80%9D.%20Add%20your%20domain%20or%20local%20users%20(I%20used%20IISTEAM%20domain%20%E2%80%93%20see%20the%20screenshot)%3C%2FLI%3E%0A%3CLI%3ELog%20off%20administrator%3C%2FLI%3E%0A%3CLI%3ELog%20back%20in%20with%20a%20non-admin%20user%3C%2FLI%3E%0A%3CLI%3EOpen%20IIS%20Manager%3C%2FLI%3E%0A%3CLI%3ESelect%20%E2%80%9C%3CSTRONG%3EFile%20%26gt%3B%20Connect%20to%20Site%3C%2FSTRONG%3E%E2%80%9D%3C%2FLI%3E%0A%3CLI%3EEnter%20%E2%80%9C%3CSTRONG%3Elocalhost%3C%2FSTRONG%3E%E2%80%9D%20as%20a%20server%20name.%20Enter%20your%20site%20name.%20Click%20%E2%80%9C%3CSTRONG%3ENext%3C%2FSTRONG%3E%E2%80%9D%3C%2FLI%3E%0A%3CLI%3EEnter%20username%20and%20password%20(a%20user%20from%20IIS%20Manager%20Permissions%20list).%20Click%20%E2%80%9C%3CSTRONG%3EFinish%3C%2FSTRONG%3E%E2%80%9D%3C%2FLI%3E%0A%3CLI%3EThe%20website%20will%20show%20up%20in%20IIS%20Manager%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22clipboard_image_0.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F156921i9BEC17D60D4DFD21%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22clipboard_image_0.png%22%20alt%3D%22clipboard_image_0.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EStep%203%20%E2%80%93%20IIS%20Manager%20Permissions%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22clipboard_image_1.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F156920iC69E9EF06E68B533%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22clipboard_image_1.png%22%20alt%3D%22clipboard_image_1.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EStep%207%20%E2%80%93%20Connecting%20a%20remote%20site%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20managing%20application%20pools%20with%20a%20non-admin%20user%26nbsp%3B%3CSTRONG%3Eremotely%3C%2FSTRONG%3E%2C%20add%20users%20to%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fmanage%2Fremote-administration%2Fconfiguring-remote-administration-and-feature-delegation-in-iis-7%23configure-iis-manager-permissions-for-a-site-or-an-application%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EIIS%20Manager%20Permissions%3C%2FA%3E%26nbsp%3B(just%20like%20we%20did%20above).%20Then%20go%20to%20%E2%80%9CIIS%20Manager%20%26gt%3B%20Management%20Service%E2%80%9D%20and%20enable%20it.%20After%20this%20change%2C%20you%20can%20open%20IIS%20Manager%20in%20another%20server%20and%20add%20this%20server%20as%20a%20new%20connection%20(%3CA%20href%3D%22https%3A%2F%2Fblogs.msdn.microsoft.com%2Fasiatech%2F2011%2F07%2F20%2Fiis-7-delegate-remote-application-pool-recycling-for-non-administrator%2F%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Eblog%20post%3C%2FA%3E).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20also%20use%20manage.iis.net%20or%20Windows%20Admin%20Center%20to%20manage%20IIS%20websites%20remotely.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1006358%22%20slang%3D%22en-US%22%3E%3CP%20style%3D%22margin%3A%200cm%200cm%207.5pt%200cm%3B%22%3E%3CSPAN%20style%3D%22font-size%3A%2013.5pt%3B%20font-family%3A%20'Arial'%2Csans-serif%3B%20color%3A%20%236b6b6b%3B%22%3EAdministrators%20mostly%20use%20a%20local%20or%20domain%20account%20that%20has%26nbsp%3B%3CSTRONG%3E%3CSPAN%20style%3D%22font-family%3A%20'Arial'%2Csans-serif%3B%22%3Elocal%20admin%20rights%3C%2FSPAN%3E%3C%2FSTRONG%3E%26nbsp%3Bto%20manage%20IIS.%20How%20about%26nbsp%3B%3CSTRONG%3E%3CSPAN%20style%3D%22font-family%3A%20'Arial'%2Csans-serif%3B%22%3Enon-administrator%26nbsp%3B%3C%2FSPAN%3E%3C%2FSTRONG%3Eaccounts%3F%20Can%20a%20non-administrator%20account%20use%20IIS%20Manager%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1792986%22%20slang%3D%22en-US%22%3ERe%3A%20Manage%20IIS%20locally%20with%20a%20non-admin%20account%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1792986%22%20slang%3D%22en-US%22%3E%3CP%3EHello%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F246324%22%20target%3D%22_blank%22%3E%40Nedim%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20have%20recently%20set%20up%20a%20Windows%20Server%202016%20where%20I%20need%20to%20allow%20IIS%20Manager%20access%20to%20a%20Windows%20user%3C%2FP%3E%3CP%3Ewho%20is%20not%20a%20member%20of%20the%20%22Administrators%22%26nbsp%3BGroup%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20tried%20following%20your%20article%20above%20but%20the%20user%20still%20gets%20an%20error%20when%20after%20specifying%20the%20site%20details%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnything%20you%20can%20suggest%20would%20be%20a%20big%20help%3C%2FP%3E%3CP%3EIn%20fact%2C%20the%20user%20needs%20to%20have%20IIS%20Manager%20access%20for%20multiple%20sites%20(asp.net)%20configured%20in-parallel%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegards%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1814342%22%20slang%3D%22en-US%22%3ERe%3A%20Manage%20IIS%20locally%20with%20a%20non-admin%20account%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1814342%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F836583%22%20target%3D%22_blank%22%3E%40rvmishra%3C%2FA%3E%26nbsp%3B%2C%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20have%20recently%20updated%20this%20post%20as%20there%20have%20been%20changes%20in%20this%20topic.%20There%20is%20currently%20no%20convenient%20way%20for%20non-admins%20to%20manage%20%3CU%3Eapplication%20pools%3C%2FU%3E.%20This%20is%20on%20purpose.%20We%20think%20it%E2%80%99s%20a%20security%20risk%20to%20allow%20non-admins%20to%20stop%20websites.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EUsing%20manage.iis.net%20was%20a%20workaround%20but%20this%20website%20has%20been%20recently%20retired%20(Even%20when%20it%20was%20active%2C%20it%20required%20admin%20intervention%20for%20setup%20and%20every%20time%20browser%20cache%20is%20cleared).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20have%20a%20tool%20called%20Windows%20Admin%20Center.%20This%20tool%20is%20developed%20to%20help%20admins%20manage%20servers%20remotely%20(Not%20just%20IIS%20but%20it%20can%20manage%20other%20components%20as%20well).%20If%20you%20set%20up%20this%20tool%20with%20admin%20credentials%2C%20non-admin%20users%20can%20later%20continue%20using%20it%20to%20manage%20sites.%20However%2C%20I%20don%E2%80%99t%20recommend%20this%20tool%20for%20this%20scenario%20because%20of%20the%20following%20reasons.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EAdmin%20credentials%20should%20be%20used%20to%20set%20it%20up%20for%20every%20user%2Fmachine%20(We%20are%20simply%20using%20browser%20to%20save%20password)%3C%2FLI%3E%0A%3CLI%3EEvery%20time%20the%20machine%20is%20restarted%2C%20the%20credentials%20should%20be%20entered%20again%3C%2FLI%3E%0A%3CLI%3EThe%20non-admin%20user%20will%20have%20more%20permissions%20than%20just%20managing%20IIS.%20They%20can%20manage%20users%2Fgroups%2C%20storage%2C%20etc.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3EIn%20summary%3B%20it%E2%80%99s%20not%20recommended%20to%20use%20non-admin%20accounts%20to%20manage%20application%20pools.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

Administrators mostly use a local or domain account that has local admin rights to manage IIS. How about non-administrator accounts? Can a non-administrator account use IIS Manager?

The answer is YES but it also depends on what you manage and how you access IIS Manager.

If you login to the server with a non-admin account and go to IIS Manager, you can only manage

  • Websites
  • Applications

By design, non-admin accounts can’t manage application pools locally.

 

The following steps are for a website. You can use similar steps for applications.

  1. Open IIS Manager
  2. Click the website
  3. Double click “IIS Manager Permissions
  4. Click “Allow User”. Add your domain or local users (I used IISTEAM domain – see the screenshot)
  5. Log off administrator
  6. Log back in with a non-admin user
  7. Open IIS Manager
  8. Select “File > Connect to Site
  9. Enter “localhost” as a server name. Enter your site name. Click “Next
  10. Enter username and password (a user from IIS Manager Permissions list). Click “Finish
  11. The website will show up in IIS Manager

clipboard_image_0.png

Step 3 – IIS Manager Permissions

clipboard_image_1.png

Step 7 – Connecting a remote site

 

For managing application pools with a non-admin user remotely, add users to IIS Manager Permissions (just like we did above). Then go to “IIS Manager > Management Service” and enable it. After this change, you can open IIS Manager in another server and add this server as a new connection (blog post).

 

You can also use manage.iis.net or Windows Admin Center to manage IIS websites remotely.

 

2 Comments
Occasional Visitor

Hello @Nedim 

We have recently set up a Windows Server 2016 where I need to allow IIS Manager access to a Windows user

who is not a member of the "Administrators" Group

 

I have tried following your article above but the user still gets an error when after specifying the site details

 

Anything you can suggest would be a big help

In fact, the user needs to have IIS Manager access for multiple sites (asp.net) configured in-parallel

 

Regards

Microsoft

Hi @rvmishra , 

 

I have recently updated this post as there have been changes in this topic. There is currently no convenient way for non-admins to manage application pools. This is on purpose. We think it’s a security risk to allow non-admins to stop websites.

 

Using manage.iis.net was a workaround but this website has been recently retired (Even when it was active, it required admin intervention for setup and every time browser cache is cleared).

 

We have a tool called Windows Admin Center. This tool is developed to help admins manage servers remotely (Not just IIS but it can manage other components as well). If you set up this tool with admin credentials, non-admin users can later continue using it to manage sites. However, I don’t recommend this tool for this scenario because of the following reasons.

 

  1. Admin credentials should be used to set it up for every user/machine (We are simply using browser to save password)
  2. Every time the machine is restarted, the credentials should be entered again
  3. The non-admin user will have more permissions than just managing IIS. They can manage users/groups, storage, etc.

In summary; it’s not recommended to use non-admin accounts to manage application pools.