IIS 6.0: You May Receive an Access Denied Error When You Use the OpenKey Method of the IIS Admin Base Object (332082)

SUMMARY

When you programmatically access the Microsoft Internet Information Services (IIS) 6.0 metabase by using the OpenKey method of the IIS Admin Base Object (IMSAdminBase::OpenKey), you may receive an access denied error. This problem may occur if the following conditions are true:

The program opens a handle to a key in the hierarchy (the root "/," for example) only to read or write to some keys below this key ("/LM/W3SVC/1/Root/Vdir, for example).

-and-
The security context under which the program is running does not have access to the key where the handle was opened, even if it does have permissions to the key that is being modified or read.

To avoid this problem, open the handle at the key where the operations are performed.

MORE INFORMATION

You must have the following metabase permissions to open a metabase handle:

When you open a handle with METADATA_PERMISSION_WRITE access, you can use any of the following permissions:
- MD_ACR_WRITE
- MD_ACR_RESTRICTED_WRITE
- MD_ACR_WRITE_DAC
When you open a handle with METADATA_PERMISSION_READ access, you can use any of the following permissions:
- MD_ACR_READ
- MD_ACR_UNSECURE_PROPS_READ
- MD_ACR_ENUM_KEYS

Note This additional layer of security does not affect programs that access the IIS metabase by using the IIS ADSI provider.

The AdminACL property contains a Microsoft Windows discretionary access control list (DACL) that controls access to any metabase key. This property grants read access, restricted write access, or unrestricted write access.

For more information about the AdminACL property, see IIS 6.0 Help. To view IIS 6.0 Help, follow these steps:

In Control Panel, double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
On the Help menu, click Help Topics.
Expand Internet Information Services.
Expand Reference.
Expand Metabase Property Reference, and then click the AdminACL topic.