共用方式為

IIS 7 Delegate Remote Application Pool Recycling for Non Administrator

  • 發行項

A question raised somewhat frequently from customers asks if there is a way to allow users to remotely recycle an application pool but without giving this user administration privileges on the IIS machine. Unfortunately, an application pool recycle does need to be run as an administrator, however by using msdeploy we can set the recycleApp provider to be delegated and run under elevated admin privileges. Then by using either a local standard user account or an IIS Manager account, we can call the recycleApp provider from a remote machine and with the elevated recycleApp provider, remotely recycle the app pools for which the user is granted permissions in IIS. This can be achieved with the following steps.

 

1) Install or verify IIS management service role is active.

 

2) Install current version of Web Deploy on server and remote machine which can be found at https://www.iis.net/download/WebDeploy

 

3) Within IIS from the server node, select management service. Ensure ‘enable remote connections’ is selected and start the Management Service (WMSVC) if it is currently stopped.

 

4) Again in the server node, select Management Service Delegation and then select the recycleApp provider. I have setup an administrator account on the IIS machine called Recycler which will handle the elevated permissions required to recycle an application pool.

 

5) Once again at the server node, select ‘IIS Manager Users’ and add Users as required. In this example, I have added IISUser1. Now at the site level which you wish to allow being remotely recycled, select ‘IIS Manager Permissions’ and ‘allow user’ from the actions pane. 

 

 6) Lastly, we can now run the msdeploy command from the remote machine to test.

msdeploy.exe -verb:sync -source:recycleApp -dest:recycleApp="Default Web Site",wmsvc=remote-computer,userName=IISManagerUserName,Password=IISManagerUserPassword,recycleMode="RecyleAppPool" –allowUntrusted

 Specific to our example we would run the following:

 

Note: The –allowUntrusted flag should be used if there is not a valid certificate on the remote machine. This will bypass any certificate errors.

More information on the Web Deploy recycleApp provider can be found here:

https://technet.microsoft.com/en-us/library/ee522997(WS.10).aspx

As an aside, in some situations it has been noted that with everything configured correctly you may get the following error when running the command.

I had a customer experience this error and through testing was able to reproduce this under the following scenarios. If msdeploy package is installed without the IIS Management Service Role being installed, or, if Management Service Role is removed and reinstalled with msdeploy active on the server, the required handle is not found. To resolve this, msdeploy was reinstalled and the issue was resolved.

Matthew from APGC DSI Team

Comments

  • Anonymous
    October 02, 2011
    If you recycle your stuff, then you could influence more people to follow your example by being more vocal about it. A way to let other people know about your recycling activities is to snap a picture of yourself while at work. Here's the application for doing just that. http://youtu.be/qxQn-00Rr7s

  • Anonymous
    December 05, 2013
    Hi ,Really helpful post. I have tried this but I want this to be done without adding the Wdeployadmin in the administrator group.

  • Anonymous
    September 15, 2014
    You could also configure IIS to recycle on configuration changes (default) and have the user do small edits on web.config file (add a space for example) to alter the web.config timestamp.

  • Anonymous
    January 21, 2016
    You should correct the spelling of "RecyCleAppPool" in the text under point 6.

  • Anonymous
    November 04, 2016
    If you have many IIS servers, it might be easier to delegate management through a product like System Frontier. You can even use wildcards to only start, stop or recycle of application pools and sites by name. No changes are made to the target servers and everything is centrally managed.

  • Anonymous
    November 14, 2016
    There is another step after adding recycleApp rule. Add users to rule. from ManagementDelegation Service right click on the recycleApp rule and add user to the rule. So that remote user can recycle from IIS Manger app. by right clicking on the site.