Manipulating the Metabase

The IIS Admin Objects expose a hierarchical namespace of objects where each object has an ADsPath property. The ADsPath syntax is similar to that of a Uniform Resource Locator (URL), in the form of IIS://[path], where [path] represents the directory path of the object being accessed. For example, IIS://MyComputer/W3SVC refers to the IIsWebService object for the machine named MyComputer. The object associated with MyComputer is the IIsComputer object, which contains all of the other IIS Admin Objects.

To obtain a reference to a named object, you can use the GetObject function in Visual Basic or VBScript.

Note   Other scripting languages can be used; see the documentation for the scripting language for details, as well as the ADSI Reference.

For example, you can retrieve the current value of ServerComment by inserting the following VBScript into an .asp file. In the following example, the string "LocalHost" is used instead of the explicit name "MyComputer" to access the computer on which IIS is running.

<% 
  Dim ComputerObj 
  Dim MaxBW 
  Set ComputerObj = GetObject("IIS://LocalHost") 
  MaxBW = ComputerObj.Get("MaxBandwidth") 
%> 

This could also be implemented using the object.property syntax, as in the following example.

<%
  Dim ComputerObj
  Dim MaxBW
  Set ComputerObj = GetObject("IIS://LocalHost")
  MaxBW = ComputerObj.MaxBandwidth
%>
 

Note   ASP pages that access the metabase require administrator privileges on the computer on which IIS is running; this is also true when running ASP applications out-of-process. When you execute scripts from a remote computer, you must connect through a secure connection, such as a connection protected by integrated Windows authentication (also called NTLM authentication). It is suggested that you create a server or directory for your administrative .asp files and set the authentication method to use integrated Windows authentication for the server or directory.

For security purposes, out-of-process applications cannot access the metabase unless WamUserName is recognized as an administrator. It is recommended that you retain this default behavior unless special circumstances require otherwise.

There are two ways you can modify this out-of-process behavior, but each introduces some security risk:

• You can give the IWAM_machinename account anonymous or NTLM access to the metabase, though this will allow access to the metabase for all out-of-process applications created with this default identity.
• Or, you can change the identity of the specific out-of-process package to some other account identity, and give only that account administrator-level access to the metabase. This method introduces less potential risk, but it must be implemented for each out-of-process package.