Otdfbt

declaring a variable twice in IIFE

How can I fix this gap between bookcases I made?

Copycat chess is back

How do we improve the relationship with a client software team that performs poorly and is becoming less collaborative?

XeLaTeX and pdfLaTeX ignore hyphenation

Japan - Plan around max visa duration

Work Breakdown with Tikz

"You are your self first supporter", a more proper way to say it

Is it tax fraud for an individual to declare non-taxable revenue as taxable income? (US tax laws)

A Journey Through Space and Time

Set-theoretical foundations of Mathematics with only bounded quantifiers

Why CLRS example on residual networks does not follows its formula?

Email Account under attack (really) - anything I can do?

Accidentally leaked the solution to an assignment, what to do now? (I'm the prof)

How is it possible for user's password to be changed after storage was encrypted? (on OS X, Android)

Why doesn't Newton's third law mean a person bounces back to where they started when they hit the ground?

How to report a triplet of septets in NMR tabulation?

Can a German sentence have two subjects?

How to type dʒ symbol (IPA) on Mac?

How old can references or sources in a thesis be?

N.B. ligature in Latex

Are there any consumables that function as addictive (psychedelic) drugs?

Pronouncing Dictionary.com's W.O.D "vade mecum" in English

Patience, young "Padovan"

DefaultAppPool Identity Account in IIS6

IIS Application Pool identity problemIIS6: Application Pool with dedicated service-user identity causes integrated authentication to failWhy is IIS6 using my web site anonymous user account for file access instead of the app pool account?IIS7.5 Domain Account Application Pool Identity for SQL Server AuthenticationApplicationPoolIdentity IIS 7.5 to SQL Server 2008 R2 not workingWindows Server 2008 R2--how give a WCF service write permission to folder?Why is my IIS6 Site Not Using AppPool Credentials?Application Pool Identity corruptionPHP on IIS 7.5/W2K8 using IUSR Account not IIS_APPPOOLDefaultAppPoolIIS NTFS Permissions are not working correctly

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;

0

I need to create a User account that is A) not within the IIS_WPG Group that will write to folders, and B) is used as the DefaultAppPool Identity Account. The purpose of B is because of preventing anonymous HTTP file pushes from Server 1 to Server 2.

I am successful in creating a user account that is set to the AppPool but service only works if it's associated to IIS_WPG. Is there another type of account I can create?

windows-server-2003 iis application-pools

share|improve this question

asked Jul 24 '12 at 19:42

Angry SpartanAngry Spartan

1064

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Is this for an ASP.NET application? Can you tell us more about what you're doing?
  
  – Kev
  Jul 25 '12 at 2:20
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  That question really didn't seem straightforward. "Not within the IIS_WPG Group that will write to folders" - the IIS_WPG Group will write to folders, or the user account must not be in that group, and it will write to folders? Why can't it be in IIS_WPG? Why shouldn't it? What mechanism are you using to write to the folders? WebDAV (Write permission in IIS Manager? An upload page/control/form posting?)
  
  – TristanK
  Jul 25 '12 at 10:03
  
  

  
  
  
  

add a comment | 

0

I need to create a User account that is A) not within the IIS_WPG Group that will write to folders, and B) is used as the DefaultAppPool Identity Account. The purpose of B is because of preventing anonymous HTTP file pushes from Server 1 to Server 2.

I am successful in creating a user account that is set to the AppPool but service only works if it's associated to IIS_WPG. Is there another type of account I can create?

windows-server-2003 iis application-pools

share|improve this question

asked Jul 24 '12 at 19:42

Angry SpartanAngry Spartan

1064

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Is this for an ASP.NET application? Can you tell us more about what you're doing?
  
  – Kev
  Jul 25 '12 at 2:20
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  That question really didn't seem straightforward. "Not within the IIS_WPG Group that will write to folders" - the IIS_WPG Group will write to folders, or the user account must not be in that group, and it will write to folders? Why can't it be in IIS_WPG? Why shouldn't it? What mechanism are you using to write to the folders? WebDAV (Write permission in IIS Manager? An upload page/control/form posting?)
  
  – TristanK
  Jul 25 '12 at 10:03
  
  

  
  
  
  

add a comment | 

I need to create a User account that is A) not within the IIS_WPG Group that will write to folders, and B) is used as the DefaultAppPool Identity Account. The purpose of B is because of preventing anonymous HTTP file pushes from Server 1 to Server 2.

I am successful in creating a user account that is set to the AppPool but service only works if it's associated to IIS_WPG. Is there another type of account I can create?

windows-server-2003 iis application-pools

share|improve this question

asked Jul 24 '12 at 19:42

Angry SpartanAngry Spartan

1064

share|improve this question

asked Jul 24 '12 at 19:42

Angry SpartanAngry Spartan

1064

share|improve this question

asked Jul 24 '12 at 19:42

Angry SpartanAngry Spartan

1064

asked Jul 24 '12 at 19:42

Angry SpartanAngry Spartan

1064

asked Jul 24 '12 at 19:42

Angry SpartanAngry Spartan

1064

1 Answer
1

active

oldest

votes

0

You can't not have a pool identity that isn't a member of IIS_WPG and be an application pool identity. The IIS_WPG group is configured with just the right amount of NTFS permissions and user privileges to allow members of the group to be application pool identities.

See: IIS and Built-in Accounts (IIS 6.0) and in particular: Configuring Application Pool Identity in IIS 6.0 (IIS 6.0)

If you wanted to set up another group or user with the same minimum permission set it would be identical to what IIS_WPG has.

One thing you shouldn't be doing is assigning the IIS_WPG group any kind of permission in your web folders. IIS_WPG is just a convenient group to allow admins to permit custom user accounts to be pool identities.

The rights you should be assigning to your IIS web folders should be the pool account itself where the pool account is also the anonymous user for the site.

Or, if you're running multiple sites inside the same pool but need different anonymous identities then you would configure additional windows accounts and set these as the anonymous user.

share|improve this answer

answered Jul 25 '12 at 10:50

KevKev

6,1871266104

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  We are using Adobe CQ for our content management. Server B publishes files to Server A when a browser request comes in via HTTP. But that request is anonymous on Server A, hence why I cannot use the default account in the DefaultPoolApp. We won't want just anybody be able to push files to our web server. The issue with not using IIS_WPG is because our server admins do not want write permissions granted for this Group, so I need to have another group, assumingly, with the same minimal permissions.
  
  – Angry Spartan
  Jul 25 '12 at 13:02
  
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f410794%2fdefaultapppool-identity-account-in-iis6%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

0

You can't not have a pool identity that isn't a member of IIS_WPG and be an application pool identity. The IIS_WPG group is configured with just the right amount of NTFS permissions and user privileges to allow members of the group to be application pool identities.

See: IIS and Built-in Accounts (IIS 6.0) and in particular: Configuring Application Pool Identity in IIS 6.0 (IIS 6.0)

If you wanted to set up another group or user with the same minimum permission set it would be identical to what IIS_WPG has.

One thing you shouldn't be doing is assigning the IIS_WPG group any kind of permission in your web folders. IIS_WPG is just a convenient group to allow admins to permit custom user accounts to be pool identities.

The rights you should be assigning to your IIS web folders should be the pool account itself where the pool account is also the anonymous user for the site.

Or, if you're running multiple sites inside the same pool but need different anonymous identities then you would configure additional windows accounts and set these as the anonymous user.

share|improve this answer

answered Jul 25 '12 at 10:50

KevKev

6,1871266104

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  We are using Adobe CQ for our content management. Server B publishes files to Server A when a browser request comes in via HTTP. But that request is anonymous on Server A, hence why I cannot use the default account in the DefaultPoolApp. We won't want just anybody be able to push files to our web server. The issue with not using IIS_WPG is because our server admins do not want write permissions granted for this Group, so I need to have another group, assumingly, with the same minimal permissions.
  
  – Angry Spartan
  Jul 25 '12 at 13:02
  
  

  
  
  
  

add a comment | 

0

You can't not have a pool identity that isn't a member of IIS_WPG and be an application pool identity. The IIS_WPG group is configured with just the right amount of NTFS permissions and user privileges to allow members of the group to be application pool identities.

See: IIS and Built-in Accounts (IIS 6.0) and in particular: Configuring Application Pool Identity in IIS 6.0 (IIS 6.0)

If you wanted to set up another group or user with the same minimum permission set it would be identical to what IIS_WPG has.

One thing you shouldn't be doing is assigning the IIS_WPG group any kind of permission in your web folders. IIS_WPG is just a convenient group to allow admins to permit custom user accounts to be pool identities.

The rights you should be assigning to your IIS web folders should be the pool account itself where the pool account is also the anonymous user for the site.

Or, if you're running multiple sites inside the same pool but need different anonymous identities then you would configure additional windows accounts and set these as the anonymous user.

share|improve this answer

answered Jul 25 '12 at 10:50

KevKev

6,1871266104

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  We are using Adobe CQ for our content management. Server B publishes files to Server A when a browser request comes in via HTTP. But that request is anonymous on Server A, hence why I cannot use the default account in the DefaultPoolApp. We won't want just anybody be able to push files to our web server. The issue with not using IIS_WPG is because our server admins do not want write permissions granted for this Group, so I need to have another group, assumingly, with the same minimal permissions.
  
  – Angry Spartan
  Jul 25 '12 at 13:02
  
  

  
  
  
  

add a comment | 

You can't not have a pool identity that isn't a member of IIS_WPG and be an application pool identity. The IIS_WPG group is configured with just the right amount of NTFS permissions and user privileges to allow members of the group to be application pool identities.

See: IIS and Built-in Accounts (IIS 6.0) and in particular: Configuring Application Pool Identity in IIS 6.0 (IIS 6.0)

If you wanted to set up another group or user with the same minimum permission set it would be identical to what IIS_WPG has.

One thing you shouldn't be doing is assigning the IIS_WPG group any kind of permission in your web folders. IIS_WPG is just a convenient group to allow admins to permit custom user accounts to be pool identities.

The rights you should be assigning to your IIS web folders should be the pool account itself where the pool account is also the anonymous user for the site.

Or, if you're running multiple sites inside the same pool but need different anonymous identities then you would configure additional windows accounts and set these as the anonymous user.

share|improve this answer

answered Jul 25 '12 at 10:50

KevKev

6,1871266104

share|improve this answer

answered Jul 25 '12 at 10:50

KevKev

6,1871266104

answered Jul 25 '12 at 10:50

KevKev

6,1871266104

answered Jul 25 '12 at 10:50

KevKev

6,1871266104