Question
I'm involved in a project where, by adopting a DevOps approach, software (a Windows service acting as an agent) has to be installed on the target servers to allow performing deployments remotely and autonomously.
As background, we are talking here about a server managing the deployments remotely and different target servers (Windows 2008 R2) where the code is deployed. The servers are hosting IIS applications, and the deployments consist of just replacing files and folders followed by an app pool recycle.
For this, I'm trying to apply two different kinds of permissions: NTFS permissions on the application folder structure and permissions to recycle the App Pool.
It's the last one where I have problems. I spent several hours searching on the internet about this matter, but I'm unable to figure out how to properly do this, if it's even possible. Almost all references (like the ones below) are focused on IIS remote administration delegation or remote web deployments, which I tried unsuccessfully to apply.
What I need to know in fact is how to delegate the permission (to just recycle an App Pool and only that) locally on the server (for the account running the agent).
- https://blogs.msdn.microsoft.com/asiatech/2011/07/20/iis-7-delegate-remote-application-pool-recycling-for-non-administrator/
- https://www.iis.net/learn/manage/remote-administration/configuring-remote-administration-and-feature-delegation-in-iis-7
Answer 1:
We ended up resolving this problem by using a second account with administrator privileges and a scheduled task.
So, we started with:
- A Service Account (A) running the DevOps agent, with limited privileges.
- A Service Account (B) running the scheduled task, with administrator privileges, to recycle the application pool.
And we did:
- Created a scheduled task with A, so it is the actual owner of the task and has the necessary rights to run it.
- Configured that task to run as B, which, having administrator rights, will have the necessary rights to perform the application pool recycle.
This method will allow us to impersonate additional administrator tasks for which there is no possibility to delegate permissions (or not easily).
Source: https://stackoverflow.com/questions/41897273/give-permissions-to-recycle-app-pool-on-iis7x
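
The two-account scheduled task described in the answer, sketched as an added example (not code from the original post) using `schtasks.exe` and `appcmd.exe`, both present on Windows 2008 R2. The task name, pool name and account name are hypothetical, and the use of `/RL HIGHEST` is an assumption about UAC on the target servers.

```powershell
# Hypothetical names; replace with your own.
$TaskName = 'RecycleExamplePool'
$PoolName = 'ExamplePool'            # assumed to contain no spaces
$RunAs    = 'EXAMPLE\svc-recycle'    # account B (administrator)

# Fixed command line: the pool name is baked into the task, so account A can
# trigger the recycle but cannot pass arguments into the administrator context.
$Action = "$env:windir\System32\inetsrv\appcmd.exe recycle apppool /apppool.name:$PoolName"

function New-RecycleTask {
    # One-time setup, run in a session of account A (the agent account).
    # '/RP *' makes schtasks prompt for B's password instead of reading it
    # from the command line, where it would end up in history and logs.
    # /RL HIGHEST is an assumption: with UAC on, B needs its full admin token.
    & schtasks.exe /Create /TN $TaskName /TR $Action /SC ONCE /ST 00:00 `
        /RU $RunAs /RP '*' /RL HIGHEST /F
    if ($LASTEXITCODE -ne 0) { throw "schtasks /Create failed ($LASTEXITCODE)" }
}

function Invoke-RecycleTask {
    # What the agent (account A) calls at the end of a deployment.
    & schtasks.exe /Run /TN $TaskName
    if ($LASTEXITCODE -ne 0) { throw "schtasks /Run failed ($LASTEXITCODE)" }
}

function Test-RecycleTask {
    # Review check: the task should still run as B and still point at the
    # fixed appcmd command. Field names are those of an English-language OS.
    $info = & schtasks.exe /Query /TN $TaskName /V /FO LIST
    if ($LASTEXITCODE -ne 0) { throw "schtasks /Query failed ($LASTEXITCODE)" }
    $info | Select-String -Pattern 'Run As User|Task To Run'
}
```

If the task action is changed to call a script instead of `appcmd.exe` directly, that script must sit in a location account A cannot write to; otherwise A can replace its contents and have them executed with B's administrator rights.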