Monday, May 17, 2010

Setting up an IIS6 Application Pool Identity

Annoyingly, I keep forgetting the 'User Rights Assignments' to be assigned when setting up an IIS6 app pool to run under a different identity, i.e. a domain user. They are listed nicely on Peter Stromquist's blog here:

  • Add the account to the local IIS_WPG security group
  • Open the Group Policy Editor for the local computer (gpedit.msc)
  • Drill down to: Local Computer Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignments
  • Add the new identity account to the following policies:
    - Adjust memory quotas for a process
    - Log on as a service
    - Replace a process level token
  • If your web application is going to host any web services, you need to also give your account Delete access to the C:\WINDOWS\Temp directory. Note: this is done via the Advanced dialog in the Security page of the Explorer folder properties dialog box
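
The checklist above can be verified afterwards with a read-only PowerShell script; this is an added example, not part of the original post or of Peter Stromquist's list. It assumes an elevated prompt and an account given in DOMAIN\user form (`EXAMPLE\svc-apppool` is a constructed placeholder), and it looks the three policies up by the internal names secedit exports them under.

```powershell
# Added example: read-only check of the app pool identity prerequisites.
# The default account name is a constructed placeholder.
param([string]$Account = 'EXAMPLE\svc-apppool')

# secedit lists right holders as *SID, so resolve the account to its SID first.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# 1. Membership of the local IIS_WPG group (direct members only).
$members = net localgroup IIS_WPG | ForEach-Object { $_.Trim() }
$results = @("IIS_WPG membership: $($members -contains $Account)")

# 2. The three user rights, keyed by their internal names in the policy export.
$rights = @{
    'SeIncreaseQuotaPrivilege'      = 'Adjust memory quotas for a process'
    'SeServiceLogonRight'           = 'Log on as a service'
    'SeAssignPrimaryTokenPrivilege' = 'Replace a process level token'
}
$cfg = Join-Path $env:TEMP 'user_rights_export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content $cfg
Remove-Item $cfg

foreach ($name in $rights.Keys) {
    # Export lines look like: SeServiceLogonRight = *S-1-5-20,*S-1-5-21-...
    $line    = [string]($policy | Where-Object { $_ -match "^$name\s*=" })
    $holders = ($line -replace '^[^=]*=', '').Split(',') |
               ForEach-Object { $_.Trim().TrimStart('*') }
    # Only a direct assignment is detected; a right held via a group shows False.
    $direct  = ($holders -contains $sid) -or ($holders -contains $Account)
    $results += "$($rights[$name]): $direct"
}

# 3. An Allow entry carrying the Delete right on C:\WINDOWS\Temp.
$acl   = Get-Acl 'C:\WINDOWS\Temp'
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$del   = [int][System.Security.AccessControl.FileSystemRights]::Delete
$hits  = @($rules | Where-Object {
    $_.IdentityReference.Value -eq $sid -and $_.AccessControlType -eq 'Allow' -and
    ([int]$_.FileSystemRights -band $del) })
$results += "Delete on C:\WINDOWS\Temp: $($hits.Count -gt 0)"

$results
```

Each line of output ends in True or False; a False on a user right can still mean the account holds it through a group, which this script does not expand.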
