Question

I want to add the IUSR account to the Administrators group in my WinForms application. The code below fails because it can't find a user for "NT AUTHORITY\IUSR":

DirectoryEntry AD = new DirectoryEntry("WinNT://" + Environment.MachineName + ",computer");
DirectoryEntry administrators = AD.Children.Find("Administrators", "group");
DirectoryEntry iusr = AD.Children.Find(@"NT AUTHORITY\IUSR", "user");

administrators.Invoke("Add", new object[] {iusr.Path.ToString()});

I realize this is a bad idea. I am doing this because I am writing a WinForms application that programmatically creates a new website in IIS7 FOR DEVELOPMENT PURPOSES ONLY. The website is being created successfully; however, ASP.NET displays the error "Access is denied" whenever I try to load a page. When I add IUSR to the Administrators group, everything works fine. What else can I try? Below is the code I am using to create the new website:

Site site = servermgr.Sites.Add(websitename, physicalpath, port);
Binding binding = site.Bindings.CreateElement();
string bindinginfo = "*:" + port.ToString() + ":" + hostipaddress;

binding.Protocol = "http";
binding.BindingInformation = bindinginfo;
site.Bindings.Clear();
site.Bindings.Add(binding);

site.Applications.Add(applicationpath, applicationphysicalpath);

site.ApplicationDefaults.ApplicationPoolName = "Default";

servermgr.CommitChanges();

Solution

The correct solution is to require authentication for the page. This then prompts the browser for you to log on; if you use a suitably empowered account the page will then be able to create the new website.

IIS7 allows you to configure this from (e.g.) ApplicationHost.config while previous versions required you to edit the metabase (usually from IIS manager).

EDIT: Depending on authentication, browser and network configuration, it is possible to arrange for the browser to automatically log in to the page using your domain account.

OTHER TIPS

DirectoryEntry AD = new DirectoryEntry("WinNT://" + Environment.MachineName + ",computer");
DirectoryEntry administrators = AD.Children.Find("Administrators", "group");

administrators.Invoke("Add", new object[] {"WinNT://NT AUTHORITY/IUSR"});
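
Two narrower alternatives to putting IUSR in Administrators, as an added example that is not part of the original question or answers: a read-only ACL for IUSR on the site's content folder, and the per-site authentication setting the Solution refers to. It assumes the "Access is denied" error comes from the anonymous identity lacking NTFS read access to the content; the class and method names are hypothetical.

```csharp
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;
using Microsoft.Web.Administration;

static class DevSiteAccess   // hypothetical helper, not from the original page
{
    // Give the anonymous identity read-only rights on the content folder
    // instead of machine-wide administrator rights.
    public static void GrantIusrRead(string physicalPath)
    {
        // S-1-5-17 is the well-known SID of NT AUTHORITY\IUSR; using the SID
        // avoids name lookups that depend on the OS language.
        var iusr = new SecurityIdentifier("S-1-5-17");
        var dir = new DirectoryInfo(physicalPath);
        DirectorySecurity acl = dir.GetAccessControl();
        acl.AddAccessRule(new FileSystemAccessRule(
            iusr,
            FileSystemRights.ReadAndExecute,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None,
            AccessControlType.Allow));
        dir.SetAccessControl(acl);
    }

    // Disable anonymous access and require Windows authentication for one
    // site. The settings are written to applicationHost.config under a
    // <location> element for that site.
    public static void RequireWindowsAuth(string siteName)
    {
        using (var mgr = new ServerManager())
        {
            Configuration config = mgr.GetApplicationHostConfiguration();
            const string auth = "system.webServer/security/authentication/";
            config.GetSection(auth + "anonymousAuthentication", siteName)["enabled"] = false;
            config.GetSection(auth + "windowsAuthentication", siteName)["enabled"] = true;
            mgr.CommitChanges();
        }
    }
}
```

Both methods need an elevated process, and `RequireWindowsAuth` needs the Windows Authentication feature of IIS to be installed.
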
Licensed under: CC-BY-SA with attribution