Windows Server 2025 ships with updated IIS 10.0 modules that expose more configuration settings through the WebAdministration and IISAdministration PowerShell modules. These changes reduce the need for manual XML edits in applicationHost.config when binding sites to Active Directory groups for authentication.

The practical result is faster provisioning of new sites and more reliable enforcement of group-based access controls. This post shows the exact commands used in production hosting environments to create sites, configure Windows Authentication, and assign NTFS permissions derived from Active Directory.

# Creating an IIS Site Bound to an Active Directory Group

First import the required modules and create the site. The New-IISSite cmdlet accepts the physical path and binding information directly; for an HTTPS binding it also needs the thumbprint of a certificate that is already installed in the machine store.

```powershell
Import-Module WebAdministration, IISAdministration
# <thumbprint> is a placeholder: the HTTPS binding is bound to a certificate already present in Cert:\LocalMachine\My
New-IISSite -Name "ClientApp" -PhysicalPath "D:\Sites\ClientApp" -BindingInformation "*:443:clientapp.example.com" -Protocol https `
    -CertificateThumbPrint "<thumbprint>" -CertStoreLocation "Cert:\LocalMachine\My"
```

# Enabling Windows Authentication and AD Group Authorization

Enable the WindowsAuthentication and RequestFiltering modules, then set the authorization rule to the required AD group. Fetch the site-scoped section with Get-IISConfigSection and change it with Set-IISConfigAttributeValue and Add-IISConfigCollectionElement, so the settings apply to this site only rather than to the whole server.

```powershell
# -Location writes a site-scoped <location path="ClientApp"> element in applicationHost.config,
# which works even though the authentication sections are locked against web.config overrides by default
$winAuth = Get-IISConfigSection -SectionPath "system.webServer/security/authentication/windowsAuthentication" -Location "ClientApp"
Set-IISConfigAttributeValue -ConfigElement $winAuth -AttributeName "enabled" -AttributeValue $true
$rules = Get-IISConfigSection -SectionPath "system.webServer/security/authorization" -Location "ClientApp" | Get-IISConfigCollection
Add-IISConfigCollectionElement -ConfigCollection $rules -ConfigAttribute @{accessType='Allow'; roles='EXAMPLE\Hosting-Admins'}
```

# Applying NTFS Permissions from Active Directory

Retrieve the group SID and apply it to the site folder using icacls wrapped in PowerShell. This ensures the same permissions are set on every new site.

- Obtain the group object with Get-ADGroup
- Translate to SID with .SID.Value
- Call icacls with the SID and appropriate rights (RX,WD,DC)

```powershell
Import-Module ActiveDirectory
$group = Get-ADGroup -Identity "Hosting-Admins"
$sid = $group.SID.Value
# icacls accepts a SID prefixed with *; specific rights go in a parenthesised, comma-separated list
icacls "D:\Sites\ClientApp" /grant "*${sid}:(OI)(CI)(RX,WD,DC)"
```
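The three fragments above, combined into one reusable function as an added example (this is not code from the original post). It also closes two gaps the fragments leave open: Anonymous authentication stays enabled, so a request is never challenged, and the server-level default rule `<add accessType="Allow" users="*" />` is still inherited, so the group rule adds nothing. The function name, its parameters and the `<thumbprint>` value are hypothetical; it assumes the ActiveDirectory, WebAdministration and IISAdministration modules are installed, the caller is a local administrator, and the certificate is already in Cert:\LocalMachine\My.

```powershell
# Added example, not code from the original post. New-HostedSite and its parameters are
# hypothetical names; $CertThumbprint must identify a certificate already installed in
# Cert:\LocalMachine\My.
function New-HostedSite {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Name,            # IIS site name, e.g. ClientApp
        [Parameter(Mandatory)] [string] $HostHeader,      # e.g. clientapp.example.com
        [Parameter(Mandatory)] [string] $PhysicalPath,    # e.g. D:\Sites\ClientApp
        [Parameter(Mandatory)] [string] $AdGroup,         # sAMAccountName, e.g. Hosting-Admins
        [Parameter(Mandatory)] [string] $CertThumbprint,
        [string] $NetbiosDomain = 'EXAMPLE'
    )
    Import-Module ActiveDirectory, WebAdministration, IISAdministration -ErrorAction Stop

    # Resolve the group first: a misspelled group name fails here, before any IIS or NTFS change.
    $group = Get-ADGroup -Identity $AdGroup -ErrorAction Stop
    $sid   = $group.SID.Value
    $role  = "$NetbiosDomain\$($group.SamAccountName)"

    if (-not (Test-Path -LiteralPath $PhysicalPath)) {
        New-Item -ItemType Directory -Path $PhysicalPath | Out-Null
    }

    $winPath   = 'system.webServer/security/authentication/windowsAuthentication'
    $anonPath  = 'system.webServer/security/authentication/anonymousAuthentication'
    $authzPath = 'system.webServer/security/authorization'

    # Batch every write into a single commit of applicationHost.config. -Location scopes each
    # setting to this site via a <location path="..."> element, which works even though the
    # authentication sections are locked against web.config overrides by default.
    Start-IISCommitDelay
    try {
        New-IISSite -Name $Name -PhysicalPath $PhysicalPath `
            -BindingInformation "*:443:$HostHeader" -Protocol https `
            -CertificateThumbPrint $CertThumbprint -CertStoreLocation 'Cert:\LocalMachine\My'

        # Windows on, Anonymous off. With Anonymous left enabled the Windows challenge never happens.
        Set-IISConfigAttributeValue -ConfigElement (Get-IISConfigSection -SectionPath $winPath -Location $Name) `
            -AttributeName 'enabled' -AttributeValue $true
        Set-IISConfigAttributeValue -ConfigElement (Get-IISConfigSection -SectionPath $anonPath -Location $Name) `
            -AttributeName 'enabled' -AttributeValue $false

        # Clear the inherited allow-all rule so the group rule is the only one in effect;
        # URL authorization denies any request no rule allows.
        $rules = Get-IISConfigSection -SectionPath $authzPath -Location $Name | Get-IISConfigCollection
        Clear-IISConfigCollection -ConfigCollection $rules
        Add-IISConfigCollectionElement -ConfigCollection $rules -ConfigAttribute @{ accessType = 'Allow'; roles = $role }
    }
    finally {
        Stop-IISCommitDelay
    }

    # NTFS: grant by SID so the ACE survives a group rename; (OI)(CI) inherits to files and subfolders.
    icacls $PhysicalPath /grant "*${sid}:(OI)(CI)(RX,WD,DC)" | Out-Null

    # Read the effective state back so the caller verifies the result instead of trusting the writes.
    $effectiveRules = Get-IISConfigSection -SectionPath $authzPath -Location $Name | Get-IISConfigCollection |
        ForEach-Object {
            $r = $_
            (@('accessType', 'users', 'roles') | ForEach-Object {
                "$_=$(Get-IISConfigAttributeValue -ConfigElement $r -AttributeName $_)" }) -join ';'
        }
    $ace = (Get-Acl -LiteralPath $PhysicalPath).Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $sid }
    [pscustomobject]@{
        Site          = $Name
        WindowsAuth   = Get-IISConfigAttributeValue -ConfigElement (Get-IISConfigSection -SectionPath $winPath -Location $Name) -AttributeName 'enabled'
        AnonymousAuth = Get-IISConfigAttributeValue -ConfigElement (Get-IISConfigSection -SectionPath $anonPath -Location $Name) -AttributeName 'enabled'
        AuthzRules    = @($effectiveRules)
        NtfsRights    = @($ace | ForEach-Object { $_.FileSystemRights.ToString() })
    }
}

# Usage (thumbprint is a placeholder):
# New-HostedSite -Name ClientApp -HostHeader clientapp.example.com -PhysicalPath D:\Sites\ClientApp `
#     -AdGroup Hosting-Admins -CertThumbprint '<thumbprint>'
```

The returned object is what a provisioning pipeline should assert on: WindowsAuth `True`, AnonymousAuth `False`, exactly one authorization rule naming the group, and one NTFS ACE for the group's SID. Anything else means a commit was partially applied or a server-level default leaked through.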

# Scheduled Task for Consistent Configuration Drift Detection

Create a daily task that compares current IIS configuration and NTFS ACLs against a desired state stored in a JSON file. Any drift triggers an email and remediation script.

Export the current site configuration with Get-IISConfigSection, compare it to the baseline, and log differences. This approach has proven reliable across dozens of servers without introducing third-party tools.
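A working version of that check, as an added example (not code from the original post). It snapshots the security-relevant state of one site (Windows and Anonymous authentication, authorization rules, bindings and the NTFS ACL rendered as SDDL), writes the first run to a JSON baseline, and on later runs logs every property that differs and returns a non-zero exit code for the scheduled task. The `D:\IISBaseline` folder, the task name, and the `Invoke-DriftResponse` stub (which the reader replaces with their own email and remediation script) are hypothetical; the IISAdministration module is assumed to be installed.

```powershell
# Added example, not code from the original post. D:\IISBaseline, the task name and
# Invoke-DriftResponse are hypothetical; replace the stub with your own notification/remediation.
param(
    [Parameter(Mandatory)] [string] $SiteName,
    [string] $BaselineDir = 'D:\IISBaseline',
    [switch] $RegisterTask
)
Import-Module IISAdministration -ErrorAction Stop

function Get-AuthEnabled([string] $Site, [string] $Section) {
    $el = Get-IISConfigSection -SectionPath "system.webServer/security/authentication/$Section" -Location $Site
    [bool](Get-IISConfigAttributeValue -ConfigElement $el -AttributeName 'enabled')
}

function Get-SiteSecuritySnapshot([string] $Site) {
    $s = Get-IISSite -Name $Site -ErrorAction Stop
    $root = ($s.Applications | Where-Object Path -eq '/').VirtualDirectories |
        Where-Object Path -eq '/' | Select-Object -ExpandProperty PhysicalPath
    $rules = Get-IISConfigSection -SectionPath 'system.webServer/security/authorization' -Location $Site |
        Get-IISConfigCollection | ForEach-Object {
            $r = $_
            (@('accessType', 'users', 'roles', 'verbs') | ForEach-Object {
                "$_=$(Get-IISConfigAttributeValue -ConfigElement $r -AttributeName $_)" }) -join ';'
        }
    # SDDL renders the whole DACL as one canonical string, so an added ACE, a changed right
    # or a removed inheritance flag all show up as a single string mismatch.
    [ordered]@{
        Site          = $Site
        WindowsAuth   = Get-AuthEnabled $Site 'windowsAuthentication'
        AnonymousAuth = Get-AuthEnabled $Site 'anonymousAuthentication'
        AuthzRules    = @($rules | Sort-Object)
        Bindings      = @($s.Bindings | ForEach-Object { "$($_.Protocol) $($_.BindingInformation)" } | Sort-Object)
        NtfsSddl      = (Get-Acl -LiteralPath $root).Sddl
    }
}

function Compare-SiteSecurityState($Baseline, $Current) {
    # Round-trip both sides through JSON so arrays and scalars have the same shape to compare.
    $b = $Baseline | ConvertTo-Json -Depth 5 | ConvertFrom-Json
    $c = $Current  | ConvertTo-Json -Depth 5 | ConvertFrom-Json
    foreach ($p in $c.PSObject.Properties.Name) {
        $expected = @($b.$p) -join "`n"
        $actual   = @($c.$p) -join "`n"
        if ($expected -ne $actual) {
            [pscustomobject]@{ Property = $p; Expected = $expected; Actual = $actual }
        }
    }
}

function Invoke-DriftResponse([object[]] $Drift, [string] $Site) {
    # Hypothetical hook: wire in the email and remediation script used in your environment.
    foreach ($d in $Drift) {
        Write-Warning ('[{0}] {1}: expected <{2}> got <{3}>' -f $Site, $d.Property, $d.Expected, $d.Actual)
    }
}

function Register-DriftCheckTask([string] $ScriptPath, [string] $Site) {
    # Daily run as SYSTEM so the check can read applicationHost.config and every site folder.
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`" -SiteName `"$Site`""
    $trigger = New-ScheduledTaskTrigger -Daily -At 3am
    $who     = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName "IIS-DriftCheck-$Site" -Action $action -Trigger $trigger -Principal $who -Force | Out-Null
}

if ($RegisterTask) { Register-DriftCheckTask -ScriptPath $PSCommandPath -Site $SiteName; return }

$baselineFile = Join-Path $BaselineDir "$SiteName.json"
$logFile      = Join-Path $BaselineDir "$SiteName.drift.log"
$current      = Get-SiteSecuritySnapshot -Site $SiteName

if (-not (Test-Path -LiteralPath $baselineFile)) {
    # First run: the current state becomes the desired state. Review the file before trusting it.
    New-Item -ItemType Directory -Path $BaselineDir -Force | Out-Null
    $current | ConvertTo-Json -Depth 5 | Set-Content -LiteralPath $baselineFile -Encoding UTF8
    Write-Output "Baseline written to $baselineFile"
    return
}

$baseline = Get-Content -LiteralPath $baselineFile -Raw | ConvertFrom-Json
$drift    = @(Compare-SiteSecurityState -Baseline $baseline -Current $current)
if ($drift.Count -eq 0) { Add-Content -LiteralPath $logFile -Value "$(Get-Date -Format o) OK"; return }

foreach ($d in $drift) {
    Add-Content -LiteralPath $logFile -Value ('{0} DRIFT {1}: expected <{2}> actual <{3}>' -f (Get-Date -Format o), $d.Property, $d.Expected, $d.Actual)
}
Invoke-DriftResponse -Drift $drift -Site $SiteName
exit 1
```

Run it once by hand (`.\Check-SiteDrift.ps1 -SiteName ClientApp`) to write the baseline, inspect the JSON, then register the daily task with `-RegisterTask`. Keep the baseline folder writable only by administrators: if an attacker who gains write access to the site folder can also rewrite the baseline, the check reports "OK" for the very change it was meant to catch.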

Adopt these patterns on Windows Server 2025 to replace manual IIS Manager steps with repeatable, auditable PowerShell scripts that integrate directly with existing Active Directory group policies.