102

I am using windows authentication without impersonation on my company's intranet website with IIS7.

Under IIS7, what account is used to access the folder which contains my web app using these settings?

Would it be IIS_IUSRS? Or NETWORK SERVICE? Or another I don't know about?

Andrew
  • Possible duplicate of [IIS AppPoolIdentity and file system write access permissions](https://stackoverflow.com/questions/5437723/iis-apppoolidentity-and-file-system-write-access-permissions) – KyleMit Oct 24 '17 at 18:44

7 Answers

148

In IIS 7 (not IIS 7.5), sites access files and folders based on the account set on the application pool for the site. By default, in IIS7, this account is NETWORK SERVICE.

Specify an Identity for an Application Pool (IIS 7)

In IIS 7.5 (Windows 2008 R2 and Windows 7), the application pools run under the ApplicationPoolIdentity which is created when the application pool starts. If you want to set ACLs for this account, you need to choose IIS AppPool\<yourpoolname> instead of NT Authority\Network Service.

Nate Anderson
Thomas
  • 39
    Note that it's not literally `IIS AppPool\ApplicationPoolName` , but `IIS AppPool\`. – Jeff S Dec 09 '12 at 07:44
  • 22
    In IIS 7.5, the default Identity for an Application Pool is ApplicationPoolIdentity. ApplicationPoolIdentity represents a Windows user account called "IIS APPPOOL\AppPoolName", which is created when the Application Pool is created, where AppPoolName is the name of the Application Pool. The "IIS APPPOOL\[AppPoolName]" user is by default a member of the IIS_IUSRS group. So you need to grant write access to the IIS_IUSRS group – Be.St. Feb 15 '13 at 16:15
  • People on more recent versions of Windows may find this article useful for configuring 'AppPool\DefaultAppPool' account if they have a similar problem: http://www.iis.net/learn/manage/configuring-security/application-pool-identities. This also helps avoid the error which I got after updating from Windows 8 to 8.1, where it says: "An error occurred loading a configuration file: Failed to start monitoring changes to [full file path] because access is denied.". – Matty J Apr 16 '14 at 05:49
  • 1
    I have given full permission to the Application Pool, but I am still getting access denied. – Yousi Oct 09 '14 at 12:41
30

http://forums.iis.net/t/1187650.aspx has the answer. Setting the IIS authentication to application pool identity will resolve this.

In IIS Authentication, Anonymous Authentication was set to "Specific User". When I changed it to Application Pool, I can access the site.

To set, click on your website in IIS and double-click "Authentication". Right-click on "Anonymous Authentication" and click "Edit..." option. Switch from "Specific User" to "Application pool identity". Now you should be able to set file and folder permissions using the IIS AppPool\{Your App Pool Name}.

David
Nat
    This helped tremendously. If you do not change the Anonymous Authentication from "Specific User" to "Application pool identity" your permission changes will not reflect when setting the IIS AppPool\{Your App Pool Name} permissions. – David Nov 23 '15 at 13:40
  • OH MY GOD. No one seems to pickup on this. This just solved hours of digging. – Joe Swindell Mar 29 '17 at 12:26
  • +1 for teaching me how to fish. Finding out what user IIS uses is more valuable than stating what the user currently is in a specific version of IIS. – Remi Despres-Smyth Mar 03 '21 at 18:01
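
Added example (not part of any answer in this thread): a PowerShell function that reports which account a site's worker process runs as and which account anonymous requests use, then grants that account read access only. It relies on the WebAdministration module that ships with IIS 7.5 and later; the site name `Default Web Site` and the folder `C:\inetpub\wwwroot\MyApp` are assumptions. An empty `userName` on `anonymousAuthentication` is how IIS stores the "Application pool identity" choice described above.

```powershell
# Added example: run from an elevated PowerShell prompt on the IIS server.
Import-Module WebAdministration

function Get-SiteFileAccessAccount {
    param([Parameter(Mandatory)][string]$SiteName)

    # Which application pool does the site use, and what identity does it run as?
    $poolName = (Get-Item "IIS:\Sites\$SiteName").applicationPool
    $pm       = (Get-Item "IIS:\AppPools\$poolName").processModel
    $type     = [string]$pm.identityType

    # Map the pool's identity type to the account name used in an ACL.
    $poolAccount = switch ($type) {
        'ApplicationPoolIdentity' { "IIS AppPool\$poolName" }
        'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
        'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
        'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
        'SpecificUser'            { $pm.userName }
    }

    # Anonymous Authentication: "Specific User" stores a userName (IUSR by
    # default); "Application pool identity" stores an empty userName.
    $anon = Get-WebConfiguration `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
        -PSPath "IIS:\Sites\$SiteName"
    $anonAccount = $poolAccount
    if (-not [string]::IsNullOrEmpty($anon.userName)) { $anonAccount = $anon.userName }

    [pscustomobject]@{
        Site             = $SiteName
        AppPool          = $poolName
        IdentityType     = $type
        PoolAccount      = $poolAccount
        AnonymousEnabled = $anon.enabled
        AnonymousAccount = $anonAccount
    }
}

$info = Get-SiteFileAccessAccount -SiteName 'Default Web Site'   # assumed site name
$info | Format-List

# Grant read and execute only, inherited by subfolders (CI) and files (OI).
$folder = 'C:\inetpub\wwwroot\MyApp'                              # assumed path
icacls $folder /grant "$($info.PoolAccount):(OI)(CI)RX"
icacls $folder    # list the resulting ACL to confirm the entry
```

If `AnonymousAccount` differs from `PoolAccount`, anonymous requests open files as that other account, which is why an ACL entry for the pool identity alone can appear to have no effect.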
28

If it's any help to anyone, give permission to "IIS_IUSRS" group.

Note that if you can't find "IIS_IUSRS", try prepending it with your server's name, like "MySexyServer\IIS_IUSRS".

Pierre Arlaud
JohnnyFun
21

Running IIS 7.5, I had luck adding permissions for the local computer user IUSR. The app pool user didn't work.

Kenny Evitt
7

Worked for me in 30 seconds, short and sweet:

  1. In IIS Manager (run inetmgr)
  2. Go to ApplicationPool -> Advanced Settings
  3. Set ApplicationPoolIdentity to NetworkService
  4. Go to the file, right click properties, go to security, click edit, click add, enter Network Service (with space, then click 'check names'), and give full control (or just whatever permissions you need)
Jason Hitchings
1
  1. Working on IIS 7.5 and Windows 7, I couldn't give permission to APPPOOL/Mypool
  2. IUSR and IIS_IUSRS permissions were not working for me
  3. I got to the problem this way:

    - Created a console application with C#
    - This application uses CreateEventSource like this:

    if(!System.Diagnostics.EventLog.SourceExists(sourceName)) System.Diagnostics.EventLog.CreateEventSource(sourceName,logName);

    - Build the solution and get the .exe file

    - Run the exe as administrator. This creates the log file.

NOTE: Don't forget that Event Viewer must be refreshed to see the log.

I hope this solution helps someone :)

1

For read/write permission for a web application hosted in IIS, follow these steps:

1) Check the application pool for the site.

2) Go to Application Pools and check the identity of the site.

3) Explore the site, go to the main folder and right-click on that folder.

4) Go to the Security tab and click the Edit button, then click the user identity. Below it you can see multiple check box options for the permissions you want to provide for authenticated users. After selecting the check boxes, click Save.

Abhay.Patil
  • 1
    The image for "2)" should show the Application Pool name referenced in the images for entry "1)", currently it shows other pools and should show "Test". The image for entry "4)" should include the user/group that is needed. I don't see how editing "CREATOR OWNER" is going to impact the access used by the Application Pool or IUSR or IIS_IUSRS. – ChrisHiebert Nov 29 '21 at 16:56
  • I agree with @ChrisHiebert , it seems like you might be missing Step 5) Screenshot... Why do we do Step 1), or 2)? – Nate Anderson Feb 18 '22 at 19:00