Myth: Creating web applications with Visual Studio requires Admin privileges

  • Article

As you can imagine, working on the Whitehorse team, I generate a lot of web applications in a given day.  I also run with an LUA account on my developer boxes. 

Even internally, I am constantly amazed by the number of people who believe that you must have Administrative rights to create a web application on your box.  This is just not true.  Like a lot of LUA issues, this just comes down to finding the ACL that is getting in your way and modifying it to allow your LUA account the necessary rights.  In this case the ACLs that need to be updated live in the IIS metabase. 

For those of you who have never heard of the IIS metabase, it is registry like data store that controls the IIS settings.  Pre IIS 6.0 this was a binary file that had to be updated through the service control manager or through the Metabase APIs.  In 6.0, the settings are now stored in an XML file (C:\Winnt\System32\inetsrv\MetaBase.xml).  These settings control everything from the ACLs on various items to the location of your web applications footer file. 

These settings are persisted in a hierarchical fasion.  Here is a brief outline of my metabase. 

/LM    

   / IISADMIN    

   / Logging    

   / MimeMap    

   / W3SVC       

      /1          

         /ROOT       

      /2          

         /ROOT  

The /ROOT tags represent the root web application for a particular web site.  In this case the key that represents https://localhost for my machine is /LM/W3SVC/1/ROOT.  So if I want to all my LUA to create web applications on my local box, he simply needs to have the appropriate ACE in the ACL for that key. 

Pre-Whidbey there are two ways that you can generate web applications without administrative privileges.  

  1. Use a metabase editor (I prefer MBExplorer that is included in the IIS 6.0 resource kit) and update the ACLs manually to allow for creation of web sites with your LUA
  2. The people at Visual Studio appear to have anticipated that developers would want this very feature so they make it really easy.  If you open up your user and group editor you'll notice that there is a group called "Visual Studio Developers".  This group has the neccessary ACE's to create web applications on the local machine.  Just add your LUA into that group and you're set.

If IIS is not installed when you install Everret, the install process will not create the "Visual Studio Developers" group or added the appropriate ACEs.  In this case you will have to resort to option #1. 

Whidbey does not appear to create this group with or without IIS installed.  I'm guessing this feature was cut since you can happily create and debug web applications with a LUA using Cassini.  If you still want to have IIS based web applications you can use option #1. 

Note, this will only work for web applications that are created on the local machine.  I tried for several days to generate web applications on a remote machine where my account was an LUA.  AFAIK, this just isn't possible.  If someone out there has found a way, please comment on it.