HowTo: Create a virtual directory from an ASP page.
This question comes up a lot on the IIS newsgroup at
microsoft.public.inetServer.iis, so I thought that I would create a step-by-step
method to show you how you can create a virtual directory from an ASP page. One
thing to remember through this tutorial is that ONLY members of the
Local Administrators Group can modify the Metabase, so you must be security
aware.
First, a simple example ASP page that could create a virtual directory in the
Default Web Site (instance id = 1):
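<%
Set IISOBJ = GetObject("IIS://Localhost/w3svc/1/root")   ' bind to the root of web site instance 1
' Create the new metabase entry and point it at a physical folder
Set NewDir = IISOBJ.Create("IIsWebVirtualDir", "MyVirtualDirectory")
NewDir.Path = "c:\xxxxxx"
NewDir.SetInfo   ' write the change to the metabase
Set NewDir = Nothing
Set IISOBJ = Nothing
%>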
If you save this page and try to run it from a standard web site, you will
no doubt get this error:
Microsoft VBScript runtime error '800a0046'
Permission denied: 'GetObject'
/makewebdir.asp, line 2
The reason that you get this error is that the IUSR_xxxx account (where xxxx is
the name of the IIS server) does not by default have permission to create objects
in the IIS metabase; only members of the Local Administrators Group do.
So how can we create a virtual directory from a web site?
There are a few methods that work:
- Give the IUSR_xxxx account administrative rights - ** NO WAY **
- Create a physical or virtual directory and put your script in there. You
can then control access to this directory by specifying the user account that
is used to access the virtual directory as the anonymous account.
So how do we do this?
In this sample I will create a new web site called ADSI which I will use
through this tutorial.



After we click next we just click finish to create the new web site.
We now need to add a virtual directory to the web site where we will store
our ADSI scripts, the scripts that need a specific account to be used when we
invoke them.
Right click on the web site and select New-Virtual Directory

Enter the location that you want the virtual directory to point to. In my case
I am using d:\dev\code\wsh\iis scripts\adsi

Just leave Read and Run Scripts selected; nothing else needs to be
selected.

Click next and then finish to create the virtual directory. In the MMC you
will notice that IIS has created a new application root. We will get rid of this
application root and just have our virtual directory as a standard virtual
directory.

Right click the virtual directory ADSI Scripts and select properties.
This will bring up the dialog below. First off, we want to remove the
application root. Click the Remove button and the application root will be
removed, and we will be left with a standard virtual directory.

Now select the Directory Security tab and click the Edit button to
open the directory Authentication Methods dialog.

In the Authentication Methods Dialog remove the check box for Integrated
Windows Authentication and just leave the anonymous access.
Then click the Edit... button to open the Anonymous User Account Dialog.

This dialog is the place that we will use to configure the IIS virtual
directory account. This account needs to have enough rights to create the
virtual directory in the IIS Metabase.

Set the Anonymous User Account to the local or domain account as required,
but one that has administrative rights to the local IIS machine. Set the
password and remove the Allow IIS to control password check box.
I would create an account specifically for the task of running ADSI scripts;
this way you can use Windows NT auditing to track logins with this account.

I created a new local account called ADSI. Make sure you set the
options as indicated below.

So now we use the account that we created above as the anonymous user account
and set the password. We also remove the Allow IIS to control password
option.

You will then need to confirm your password.

As you can see below, by default only the Administrators local group
and the SYSTEM account have rights to the Metabase.bin file. We will need
to add our new account to the local administrators group. This is a hard-coded
security measure that Microsoft has put in place.
Some of you may now be thinking that I could have simply added my
IUSR_xxxx account to the Local Administrators Group, and this is true;
but this means that anyone who is using your web sites has Admin Rights
to the local computer, which is a very serious security hole.

So now let's add our ADSI account to the Local Administrators group.
We do this through the Computer Management MMC. One note here: if your IIS
is on a domain controller, this means you are adding the user account to the
DOMAIN Administrators group. I would suggest that you do not run IIS on a
domain controller for this reason alone.

After performing these steps you will be able to do pretty much anything you
want to the IIS metabase. This means that you should make sure you secure the
NTFS permissions on the virtual directory's underlying physical directory.
Running the code below will now create the Metabase entry.
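<%
Set IISOBJ = GetObject("IIS://Localhost/w3svc/1/root")   ' bind to the root of web site instance 1
' Create the new metabase entry and point it at a physical folder
Set NewDir = IISOBJ.Create("IIsWebVirtualDir", "MyVirtualDirectory")
NewDir.Path = "c:\xxxxxx"
NewDir.SetInfo   ' write the change to the metabase
Set NewDir = Nothing
Set IISOBJ = Nothing
%>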
The code above will create a virtual directory called MyVirtualDirectory
for the Default Web Site. The Default Web Site has an instance ID of 1. If
you want to use this code on other Web Sites you need to change the w3svc/1 to
the particular web site you are wanting to modify.
Use this code to get the instance # of the web site.
' INSTANCE_ID is the metabase instance number of the site serving this request
InstanceID = Request.ServerVariables("INSTANCE_ID")
Set IISOBJ = GetObject("IIS://Localhost/w3svc/" & InstanceID & "/root")
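Because this script runs under an account in the Local Administrators group, any value it takes from the request has to be checked before it reaches the metabase. The following is an added example, not code from the original tutorial: it combines the INSTANCE_ID lookup with the creation code and assumes a form field called "name" and a hypothetical base folder d:\webroot\vdirs\ that already holds the content folders.

```vbscript
<%
Option Explicit
' Added example. Assumptions: the name arrives in a form field called "name"
' and every virtual directory maps to an existing folder under BASE_DIR.
Const BASE_DIR = "d:\webroot\vdirs\"   ' hypothetical base folder

Function IsSafeName(s)
    ' Allow-list: letters, digits, underscore and hyphen only, 1 to 32 chars.
    Dim re : Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_-]{1,32}$"
    IsSafeName = re.Test(s)
End Function

Function CreateVDir(instanceId, vdirName)
    Dim fso, rootPath, root, existing, newDir
    CreateVDir = "rejected: invalid name"
    If Not IsSafeName(vdirName) Then Exit Function

    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    CreateVDir = "rejected: folder does not exist"
    If Not fso.FolderExists(BASE_DIR & vdirName) Then Exit Function

    On Error Resume Next
    rootPath = "IIS://Localhost/w3svc/" & CLng(instanceId) & "/root"
    Set root = GetObject(rootPath)
    If Err.Number <> 0 Then CreateVDir = "error: cannot open metabase" : Exit Function

    ' Refuse to overwrite an entry that is already in the metabase.
    Set existing = GetObject(rootPath & "/" & vdirName)
    If Err.Number = 0 Then CreateVDir = "rejected: already exists" : Exit Function
    Err.Clear

    Set newDir = root.Create("IIsWebVirtualDir", vdirName)
    newDir.Path = BASE_DIR & vdirName
    newDir.AccessRead = True      ' read only: no write, execute or script access
    newDir.AccessWrite = False
    newDir.AccessExecute = False
    newDir.AccessScript = False
    newDir.SetInfo
    If Err.Number <> 0 Then
        CreateVDir = "error: " & Err.Number
    Else
        CreateVDir = "created"
    End If
End Function

Response.Write Server.HTMLEncode(CreateVDir(CStr(Request.ServerVariables("INSTANCE_ID")), Trim(Request.Form("name"))))
%>
```

The physical path is always built from the fixed base folder plus the validated name, so the request never supplies a path of its own.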