授予在IIS7x上回收应用程序池的权限 [英] Give permissions to recycle App Pool on IIS7x

问题描述

我参与了一个项目，该项目通过采用DevOps方法，必须将软件(充当代理的Windows服务)安装在目标服务器上，以允许远程和自治地执行部署.

I'm involved in a project where, by adopting DevOps approach, a software (a Windows service acting as agent) has to be installed on the target servers to allow performing deployments remotely and autonomously.

作为背景，我们在这里谈论的是远程管理部署的服务器，部署代码的不同目标服务器(Windows 2008 R2).这些服务器托管着IIS应用程序，其部署包括仅替换文件和文件夹，然后回收应用程序池.

As background, we are talking here about a server managing the deployments remotely, different target servers (Windows 2008 R2) where the code is deployed. The servers are hosting IIS applications and the deployments consist in just replacing files and folders followed by app pool recycle.

为此，我尝试应用两种不同的权限:应用程序文件夹结构上的NTFS权限和回收应用程序池的权限.

For this, I'm trying to apply two different kind of permissions: NTFS permissions on the application folder structure and permissions to recycle the App Pool.

这是我遇到问题的最后一个.我花了几个小时在互联网上搜索此问题，但是，即使有可能，我也无法弄清楚如何正确执行此操作. 几乎所有参考(如下面的参考)都集中于IIS远程管理委派或远程Web部署，但我尝试将其应用失败.

It's on the last one where I have problems. I spent several hours searching on internet about this matter, but I'm unable to figure out how to properly do this, if it's even possible. Almost all references (like bellow ones) are focused to IIS remote administration delegation or remote web deployments, which I tried unsuccessfully to apply.

我实际上需要知道的是如何在服务器上本地(对于运行代理程序的帐户)委派权限(仅回收应用程序池并仅回收该池).

What I need to know in fact is how to delegate the permission (to just recycle an App Pool and only that) locally on the server (for the account running the agent).

• https://blogs.msdn.microsoft.com/asiatech/2011/07/20/iis-7-delegate-remote-application-pool-recycling-for-non-administrator/
• https://www.iis.net/learn/manage/remote-administration/configuring-remote-administration-and-feature-delegation-in-iis-7

• https://blogs.msdn.microsoft.com/asiatech/2011/07/20/iis-7-delegate-remote-application-pool-recycling-for-non-administrator/
• https://www.iis.net/learn/manage/remote-administration/configuring-remote-administration-and-feature-delegation-in-iis-7

推荐答案

我们最终通过使用具有管理员权限和计划任务的第二个帐户解决了此问题.

We ended up resolving this problem by using a second account with adminitrator privileges and a scheduled task.

因此，我们从以下内容开始:

So, we started with:

• 以有限的权限运行DevOps代理的服务帐户(A).
• 运行计划任务的服务帐户(B)，具有管理员特权，以重新使用应用程序池.

我们做到了:

• 使用A创建了计划任务，因此它是任务的实际所有者，并具有运行它的必要权利.
• 将该任务配置为以B身份运行，由于具有管理员权限，该任务将具有执行应用程序池回收的必要权限.

此方法将使我们能够模拟没有权限(或不容易)委派权限的附加管理员任务.

This method will allow us to impersonate aditional administrator tasks for which there is no possibility to delegate permissions (or not easily).

这篇关于授予在IIS7x上回收应用程序池的权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！