Actually they are not the same :)

http://support.microsoft.com/kb/243330

Cheers
Ken

From: [email protected] On Behalf Of Ken Schaefer
Sent: Tuesday, 19 July 2011 5:51 PM
To: ozDotNet
Subject: RE: Web Service Application Pool Identity

Hi

Those are the same.

IIS_IUSRS is a group. IIS dynamically puts your web app pool identity into that 
group. However if you grant read/write access to a folder to that group, then 
any other website running on the server would also have access.

If we are talking about IIS7 / IIS 7.5, then IIS dynamically creates an 
on-demand identity for the app pool (if you don't manually pick a user). It's 
IIS AppPool\<AppPoolName>  (e.g. IIS AppPool\DefaultAppPool). You can use 
icacls.exe to give that account permissions to the particular folder. That 
would allow your app to read/write to that folder, but not other applications 
on the server. You'd need to ensure that your app is the only one in that app 
pool.

http://www.adopenstatic.com/cs/blogs/ken/archive/2008/01/29/15759.aspx has some 
pictures that might make it a bit clearer.

Cheers
Ken
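
The icacls approach described in the message above, as an added example that is not part of the original thread. The pool name and folder path are assumptions chosen for illustration. It checks that the pool hosts a single application, flags any existing write access held by the shared IIS_IUSRS group, then grants Modify to the pool identity alone.

```powershell
# Assumed names for illustration only; substitute your own pool and folder.
$PoolName = 'MyServicePool'          # hypothetical app pool
$Folder   = 'D:\Data\MyService'      # hypothetical data folder
$Account  = "IIS AppPool\$PoolName"  # on-demand identity IIS creates for the pool

Import-Module WebAdministration

# 1. Confirm the pool hosts exactly one application, otherwise every
#    application sharing the pool inherits the folder access.
$hosted = @()
$hosted += Get-ChildItem IIS:\Sites |
    Where-Object { $_.applicationPool -eq $PoolName } |
    ForEach-Object { "site: $($_.Name)" }
$hosted += Get-WebApplication |
    Where-Object { $_.applicationPool -eq $PoolName } |
    ForEach-Object { "app: $($_.path)" }

if ($hosted.Count -ne 1) {
    Write-Warning "Pool '$PoolName' is used by $($hosted.Count) entries:"
    $hosted | ForEach-Object { Write-Warning "  $_" }
    return
}

# 2. Flag existing write access for the shared IIS_IUSRS group, which would
#    let any other site on the server write here too.
$write = [System.Security.AccessControl.FileSystemRights]::Write
(Get-Acl -Path $Folder).Access |
    Where-Object {
        $_.IdentityReference.Value -like '*\IIS_IUSRS' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $write)
    } |
    ForEach-Object { Write-Warning "IIS_IUSRS already has: $($_.FileSystemRights)" }

# 3. Grant Modify to the pool identity only, inherited by files (OI) and
#    subfolders (CI). ${} stops PowerShell reading "$Account:" as a scope.
icacls $Folder /grant "${Account}:(OI)(CI)M"

# 4. Show the resulting ACL for review.
icacls $Folder
```

Run it from an elevated PowerShell session on the IIS server, since the WebAdministration module and ACL changes both require administrative rights.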


From: [email protected] On Behalf Of Peter Maddin
Sent: Tuesday, 19 July 2011 5:41 PM
To: 'ozDotNet'
Subject: RE: Web Service Application Pool Identity

Ok Thanks

Out of curiosity where did you learn that?

I have found trying to decode some of this stuff quite difficult.

Also if you know what is the difference between SERVICE and LOCAL SERVICE
and NETWORK and NETWORK SERVICE?
Are they different or are they synonyms?

Regards Peter

From: [email protected] On Behalf Of Jorke Odolphi
Sent: Tuesday, 19 July 2011 5:25 PM
To: ozDotNet
Subject: RE: Web Service Application Pool Identity

IIS_IUSRS

From: [email protected] On Behalf Of Peter Maddin
Sent: Tuesday, 19 July 2011 6:01 PM
To: 'ozDotNet'
Subject: Web Service Application Pool Identity

I am trying to get a handle on the in-built accounts used for Application pools 
used by a web service.

The default identity for DefaultAppPool is ApplicationPoolIdentity.

My web service needs read and write access to folders on the server hosting IIS.

What does the ApplicationPoolIdentity identity map to when one is selecting 
users and groups for a folder/file?

One can change the Identity to

* LocalSystem: I guess this maps to SYSTEM
* LocalService: I guess this maps to SERVICE but it could also map to LOCAL SERVICE.
* NetworkService: I guess this maps to NETWORK or NETWORK SERVICE.

Currently I am using LocalSystem. Is this the best option?
What is ApplicationPoolIdentity?
What does one use when one is selecting users and groups that maps to 
ApplicationPoolIdentity?

Any demystification greatly appreciated.


Regards Peter Maddin
Applications Development Officer
PathWest Laboratory Medicine WA
Phone : +618 6396 4285
Mobile: 0414 240 307