Setting IIS application pool permissions
Whenever I need to set permissions for a web CMS to write files to a folder in Windows, it takes me some Googling to remind myself of the name of the app pool user name. After much frustration last week — when setting up a PHP site in IIS — I thought I’d write some reference notes for next time.
Optional step 0 (if a PHP site): You can save yourself a bit of trial and error by discovering which account is used by the site. See Tristan’s answer here.
Step 1: Make sure the identity of the site’s app pool is ApplicationPoolIdentity (rather than the probable default of NetworkService).
Step 2: Give the app pool user permissions on the folder…
a) This can sometimes be done via the GUI: Right-click the folder, open Properties, go to the Security tab, then click Edit and Add. Set the location to COMPUTERNAME. The object name to enter in the box will be:
IIS APPPOOL\NameOfAppPool
b) If Windows doesn’t recognise the user, you can do it via the command line (running as Administrator):
icacls D:\websites\mysite /grant "IIS APPPOOL\NameOfAppPool:M"
(I saw a few answers on StackOverflow that had the :M outside of the quotes, but when I tried that, icacls failed with an “invalid parameter” error.)
When I ran this command it did add the user to the folder but I still had to set the actual permissions via the GUI. According to the icacls documentation, :M should set modify permissions so I expect I also needed to include one of the inheritance options like :(OI)(CI)M. I’ll try this next time.
Step 3: Test, and if it isn’t working at this point, just be annoyed you didn’t do Step 0. I did all of the above and was getting frustrated that the CMS was still failing to write files. It turns out that I actually needed to add the IUSR account with write permissions. I was able to do that quickly and easily via the permissions GUI.
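The steps above as one PowerShell script that also checks the result, added here as an example and not part of the original post. It assumes the WebAdministration module is available; the pool name and folder are the post's sample values, and NameOfSite is a hypothetical site name.

```powershell
# Added example. Run from an elevated PowerShell session.
# Assumed placeholders: pool name and folder are the post's sample values;
# 'NameOfSite' is a hypothetical site name.
Import-Module WebAdministration
$AppPool = 'NameOfAppPool'
$Site    = 'NameOfSite'
$Folder  = 'D:\websites\mysite'
$Account = "IIS APPPOOL\$AppPool"

# Step 1: confirm the pool runs as ApplicationPoolIdentity.
$identityType = (Get-Item "IIS:\AppPools\$AppPool").processModel.identityType
Write-Host "App pool identity type: $identityType"

# Step 0: anonymous requests run as this user when the handler impersonates
# (e.g. PHP with fastcgi.impersonate=1). Empty means the app pool identity.
$prop = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name userName
# The cmdlet may return a plain string or an attribute object; accept both.
$anon = if ($prop -is [string]) { $prop } else { $prop.Value }
Write-Host "Anonymous authentication user: '$anon'"

# Step 2: grant Modify, inherited by subfolders (CI) and files (OI).
# ${Account} is braced so "$Account:" is not parsed as a drive-qualified variable.
icacls $Folder /grant "${Account}:(OI)(CI)M"
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Step 3: read the ACL back and confirm an inheritable Allow/Modify entry exists.
$modify  = [System.Security.AccessControl.FileSystemRights]::Modify
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$match = (Get-Acl $Folder).Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $modify) -eq $modify -and
    ($_.InheritanceFlags -band $inherit) -eq $inherit
}
if ($match) {
    Write-Host "OK: $Account has inheritable Modify on $Folder"
} else {
    Write-Warning "No inheritable Modify entry for $Account on $Folder"
}
```

Point $Folder at the specific directory the CMS writes to rather than the whole site root, so the worker process cannot modify the application's own code.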
That’s it. Let me know if you found this helpful.