Cross post from the "security" forum as I'm not sure which place this best fits.
I am trying to write a script that will stop my production website
and start a second "maintenance" website in its place that will let my
users know that the main site is unavailable for updates. I would like
this script to be run by someone who does not have FULL
administrator-level access to the box. This is in IIS 6.0 on Windows
Server 2003 by the way.
Examples of things that appear to require full admin rights:
cscript.exe c:\inetpub\adminscripts\adsutil.vbs stop_server w3svc/1 -s:RemoteServerName
cscript.exe c:\inetpub\adminscripts\adsutil.vbs start_server w3svc/2 -s:RemoteServerName
or
cscript.exe c:\windows\system32\iisweb.vbs /stop w3svc/1 /s RemoteServerName /u UserName /p Password
cscript.exe c:\windows\system32\iisweb.vbs /start w3svc/2 /s RemoteServerName /u UserName /p Password
Is there any way to grant permissions to a network account such that
they can execute the above commands or something similar, without
giving them the rights to do other admin-level tasks on the box such as
installing random software or adding additional user accounts?
I would also like for this network account to be able to run a simple
iisreset, but I found a loophole around it that allows me to stop and
start the World Wide Web Publishing Service using the sc command, which
essentially accomplishes the same goals as an iisreset, but isn't as
elegant.
Any help would be appreciated, even if it is to tell me that this definitely isn't possible.
Thanks.