Setting IIS application pool permissions

Whenever I need to set permissions for a web CMS to write files to a folder in Windows, it takes me some Googling to remind myself of the app pool user name. After much frustration last week — when setting up a PHP site in IIS — I thought I’d write some reference notes for next time.

Optional step 0 (if a PHP site): You can save yourself a bit of trial and error by discovering which account is used by the site. See Tristan’s answer here.

Step 1: Make sure the identity of the site’s app pool is ApplicationPoolIdentity (rather than the probable default of NetworkService).

Step 2: Give the app pool user permissions on the folder…

a) This can sometimes be done via the GUI: Right-click folder, open Properties, go to Security tab, Edit, Add. Set the location to COMPUTERNAME. The object name to enter in the box will be:
IIS APPPOOL\NameOfAppPool

b) If Windows doesn’t recognise the user, you can do it via the command line (running as Administrator):

icacls D:\websites\mysite /grant "IIS APPPOOL\NameOfAppPool:M"

(I saw a few answers on StackOverflow that had the :M outside of the quotes, but when I tried that, icacls failed with an “invalid parameter” error.)

When I ran this command, it did add the user to the folder, but I still had to set the actual permissions via the GUI. According to the icacls documentation, :M should set modify permissions, so I expect I also needed to include one of the inheritance options like :(OI)(CI)M. I’ll try this next time.

Step 3: Test, and if it isn’t working at this point, just be annoyed you didn’t do Step 0. I did all of the above and was getting frustrated that the CMS was still failing to write files. It turns out that I actually needed to add the IUSR account with write permissions. I was able to do that quickly and easily via the permissions GUI.
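
Steps 0 to 2 as one elevated PowerShell script, using the :(OI)(CI)M inheritance flags mentioned above and then reading the ACL back to confirm the entry landed. This is an added example, not part of the original notes; the pool, site and folder names are placeholders, and it assumes the WebAdministration module that ships with the IIS management tools is installed.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.
# $Pool, $Site and $Folder are placeholders; replace them with your own values.
Import-Module WebAdministration

$Pool    = 'NameOfAppPool'
$Site    = 'mysite'
$Folder  = 'D:\websites\mysite'
$Account = "IIS APPPOOL\$Pool"

# Step 0: which account does anonymous authentication use for this site?
# An empty userName means anonymous requests run as the app pool identity.
$prop = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name userName
$anonUser = if ($prop -is [string]) { $prop } else { $prop.Value }
if (-not $anonUser) { $anonUser = '(the app pool identity)' }
"Anonymous requests run as: $anonUser"

# Step 1: confirm the pool really runs as ApplicationPoolIdentity.
$identityType = (Get-Item "IIS:\AppPools\$Pool").processModel.identityType
if ($identityType -ne 'ApplicationPoolIdentity') {
    Write-Warning "Pool '$Pool' runs as $identityType, not as '$Account'."
}

# Step 2: grant Modify, inherited by files (OI) and subfolders (CI).
icacls $Folder /grant "${Account}:(OI)(CI)M"
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Check: list the explicit entry that was just written for the pool account.
$aces = (Get-Acl $Folder).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account -and -not $_.IsInherited }
if (-not $aces) { throw "No explicit ACL entry for $Account on $Folder" }
$aces | Format-Table IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType
```

If step 0 reports an account other than the pool identity, such as IUSR, that is the account to check on the folder as well, which is the situation described in Step 3.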

That’s it. Let me know if you found this helpful.
