IIS7 folder permissions for web application

Question

I am using windows authentication without impersonation on my company's intranet website with IIS7.

Under IIS7, what account is used to access the folder which contains my web app using these settings?

Would it be IIS_IUSRS? Or NETWORK SERVICE? Or another I don't know about?

Possible duplicate of [IIS AppPoolIdentity and file system write access permissions](https://stackoverflow.com/questions/5437723/iis-apppoolidentity-and-file-system-write-access-permissions) — KyleMit, Oct 24 '17 at 18:44

score 131 · Accepted Answer · edited Apr 05 '12 at 19:42

131

In IIS 7 (not IIS 7.5), sites access files and folders based on the account set on the application pool for the site. By default, in IIS7, this account is NETWORK SERVICE.

Specify an Identity for an Application Pool (IIS 7)

In IIS 7.5 (Windows 2008 R2 and Windows 7), the application pools run under the ApplicationPoolIdentity which is created when the application pool starts. If you want to set ACLS for this account, you need to choose IIS AppPool\ApplicationPoolName instead of NT Authority\Network Service.

edited Apr 05 '12 at 19:42

Richard Marskell - Drackir

12,382
3
30
53

answered Mar 28 '10 at 06:46

Thomas

61,164
11
91
136

35

Note that it's not literally `IIS AppPool\ApplicationPoolName` , but `IIS AppPool\`. – Jeff S Dec 09 '12 at 07:44
21

In IIS 7.5, the default Identity for an Application Pool is ApplicationPoolIdentity. ApplicationPoolIdentity represents a Windows user account called "IIS APPPOOL\AppPoolName", which is created when the Application Pool is created, where AppPoolName is the name of the Application Pool. The "IIS APPPOOL\\[AppPoolName]" user is by default a member of the IIS_IUSRS group. So you need to grant write access to the IIS_IUSRS group – Be.St. Feb 15 '13 at 16:15
People on more recent versions of Windows may find this article useful for configuring 'AppPool\DefaultAppPool' account if they have a similar problem: http://www.iis.net/learn/manage/configuring-security/application-pool-identities. This also helps avoid the error which I got after updating from Windows 8 to 8.1, where is says: "An error occurred loading a configuration file: Failed to start monitoring changes to [full file path] because access is denied.". – Matty J Apr 16 '14 at 05:49
I have gave full permission to the Application Pool .. but still getting the denied access. – Yousi Oct 09 '14 at 12:41

score 26 · Answer 2 · edited Nov 23 '15 at 14:35

26

http://forums.iis.net/t/1187650.aspx has the answer. Setting the iis authentication to appliction pool identity will resolve this.

In IIS Authentication, Anonymous Authentication was set to "Specific User". When I changed it to Application Pool, I can access the site.

To set, click on your website in IIS and double-click "Authentication". Right-click on "Anonymous Authentication" and click "Edit..." option. Switch from "Specific User" to "Application pool identity". Now you should be able to set file and folder permissions using the IIS AppPool\{Your App Pool Name}.

edited Nov 23 '15 at 14:35

David

812
1
10
26

answered Feb 13 '15 at 14:32

Nat

269
3
2

3

This helped tremendously. If you do not change the Anonymous Authentication from "Specific User" to "Application pool identity" your permission changes will not reflect when setting the IIS AppPool\{Your App Pool Name} permissions. – David Nov 23 '15 at 13:40
OH MY GOD. No one seems to pickup on this. This just solved hours of digging. – Joe Swindell Mar 29 '17 at 12:26
+1 for teaching me how to fish. Finding out what user IIS uses is more valuable than stating what the user currently is in a specific version of IIS. – Remi Despres-Smyth Mar 03 '21 at 18:01

score 19 · Answer 3 · answered Jul 26 '13 at 17:02

19

Running IIS 7.5, I had luck adding permissions for the local computer user IUSR. The app pool user didn't work.

answered Jul 26 '13 at 17:02

Kenny Evitt

8,023
5
59
84

score 18 · Answer 4 · edited Oct 26 '16 at 10:04

18

If it's any help to anyone, give permission to "IIS_IUSRS" group.

Note that if you can't find "IIS_IUSRS", try prepending it with your server's name, like "MySexyServer\IIS_IUSRS".

edited Oct 26 '16 at 10:04

Pierre Arlaud

3,644
3
26
38

answered Nov 19 '15 at 17:47

JohnnyFun

3,068
2
15
15

This did it for me. I was missing the server name and had not seen anyone mention that yet. – drichardson Dec 06 '16 at 18:09
For that you could always use the local notation ".\IIS_IUSRS" – Bernhard Jan 22 '20 at 13:17

score 3 · Answer 5 · answered May 30 '19 at 01:42

3

Worked for me in 30 seconds, short and sweet:

In IIS Manager (run inetmgr)
Go to ApplicationPool -> Advanced Settings
Set ApplicationPoolIdentity to NetworkService
Go to the file, right click properties, go to security, click edit, click add, enter Network Service (with space, then click 'check names'), and give full control (or just whatever permissions you need)

answered May 30 '19 at 01:42

Jason Hitchings

578
6
9

That did it! Thanks – Yazan Khalaileh Oct 03 '19 at 21:15

score 1 · Answer 6 · answered Jan 19 '16 at 14:03

Working on IIS 7.5 and Windows 7 i couldnt give permission APPPOOL/Mypool
IUSR and IIS_IUSRS permissions not working for me
I got to problem this way:

-Created console application with C#
-This appliaction using createeventsource like this

if(!System.Diagnostics.EventLog.SourceExists(sourceName)) System.Diagnostics.EventLog.CreateEventSource(sourceName,logName);

-Build solution and get .exe file

-Run exe as administator.This create log file.

NOTE: Dont remember Event viewer must be refresh for see the log.

I hope this solution helps someone :)

IIS7 folder permissions for web application

6 Answers6

Linked