This depends on what/how you're running apps in IIS If you're using Windows Vista onwards, then SeDebug Privilege is restricted: http://msdn.microsoft.com/en-us/library/bb625963.aspx
So, without SeDebug privilege you can debug privileges that are running under the same account as yourself, and if you are in the Debugger User group (that VS.NET creates). However, if you want to debug processes running under another account, then you need SeDebug Privilege, but that requires you to be running your process at High integrity level - i.e. as Admin or System. So, you could change account the w3wp.exe process is running under, or use IIS Express. Or you need to look at a 3rd party solution. But, by far the most common setup I've seen is to give developers their own "sand pit" environment separate to their day-to-day workstations (e.g. in a standalone VM, or a complete virtualised environment) Cheers Ken From: [email protected] [mailto:[email protected]] On Behalf Of Aakash Shah Sent: Thursday, 16 January 2014 3:36 PM To: [email protected] Subject: [NTSysADM] RE: Windows Privilege Management Solutions (Allowing Non-Admins To Run Programs That Require Admin Rights) Thanks - I'll take a look at that. However, from some articles I found earlier, Microsoft also recommends that you admin rights are needed to debug IIS based projects from VS. Thanks, -Aakash Shah From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Phil Brutsche Sent: Wednesday, January 15, 2014 8:22 PM To: [email protected]<mailto:[email protected]> Subject: [NTSysADM] RE: Windows Privilege Management Solutions (Allowing Non-Admins To Run Programs That Require Admin Rights) Microsoft's Application Compatibility Toolkit may help here. -- Phil Brutsche [email protected]<mailto:[email protected]> From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Aakash Shah Sent: Wednesday, January 15, 2014 10:15 PM To: [email protected]<mailto:[email protected]> Subject: [NTSysADM] Windows Privilege Management Solutions (Allowing Non-Admins To Run Programs That Require Admin Rights) Does anyone have any experience with either AppSense Application Manager or ViewFinity Privilege Management, and have any good or bad experiences to share supporting and running these products? Background: We are working with a department that has 7 developers that need to use IIS and Visual Studio 2005 (with the ability to debug IIS projects from VS). Unfortunately, we've found that these programs require admin rights to be able to run correctly for these developers. We are usually able to figure out the specific registry/file/folder permissions that need to be adjusted to allow the applications to run without admin rights, but were unable to find workarounds for these applications. Since we would like to avoid granting admin rights to these developers, we are looking for products that can help us elevate only specific applications to having admin rights. AppSense Application Manager and ViewFinity Privilege Management are two solutions that I am currently looking at, and I wanted to know if anyone has any comments about either product. I'm also open to other products if anyone has any positive experiences. Thanks, -Aakash Shah
