Setting IIS application pool permissions
Whenever I need to set permissions for a web CMS to write files to a folder in Windows, it takes me some Googling to remind myself of the name of the app pool user name. After much frustration last week — when setting up a PHP site in IIS — I thought I’d write some reference notes for next time.
Optional step 0 (if a PHP site): You can save yourself a bit of trial and error by discovering which account is used by the site. See Tristan’s answer here.
Step 1: Make sure the identity of the site’s app pool is ApplicationPoolIdentity (rather than the probable default of NetworkService).
Step 2: Give the app pool user permissions on the folder…
a) This can sometimes be done via the GUI: Right-click folder, open Properties, go to Security tab, Edit, Add. Set the location to COMPUTERNAME. The object name to enter in the box will be:
b) If Windows doesn’t recognise the user, you can do it via the command line (running as Administrator):
icacls D:\websites\mysite /grant "IIS APPPOOL\NameOfAppPool:M"
(I saw a few answers on StackOverflow that had the :M outside of the quotes but when I tried that icacls failed with “invalid parameter” error.)
When I ran this command it did add the user to the folder but I still had to set the actual permissions via the GUI. According to the icacls documentation, :M should set modify permissions so I expect I also needed to include one of the inheritance options like :(OI)(CI)M. I’ll try this next time.
Step 3: Test and if it isn’t working at this point, just be annoyed you didn’t do Step 0. I did all of the above and was getting frustrated that the CMS was still failing to write files. It turns out that I actually needed to add the IUSR account with write permissions. I was able to do that quick and easy via the permissions GUI.
That’s it. Let me know if you found this helpful.