Granting File System Permissions to IIS ApplicationPoolIdentity Account in Windows Server 2008: A Technical Guide



When working with IIS 7 on Windows Server 2008, the ApplicationPoolIdentity represents a significant security improvement over traditional service accounts. Unlike NetworkService, this virtual account is automatically created when you set up an application pool and exists only in the context of that specific pool.

The main obstacle developers face is that ApplicationPoolIdentity doesn't appear in the standard GUI permission dialogs. This occurs because:

  • It's a virtual account, not stored in the local user database
  • The Windows Server 2008 object picker doesn't recognize these identities
  • The account name follows the pattern "IIS AppPool\YourPoolName"

The most reliable method is using command-line tools. Here's how to grant permissions using icacls:

icacls "C:\YourWebsiteDirectory" /grant "IIS AppPool\YourAppPoolName":(OI)(CI)(RX)

This command grants:

  • (OI) - Object inherit (applies to files)
  • (CI) - Container inherit (applies to folders)
  • (RX) - Read and execute permissions

For Windows Server 2008 R2 and later, PowerShell provides more flexibility:

$acl = Get-Acl "C:\YourWebsiteDirectory"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("IIS AppPool\YourAppPoolName","ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
$acl.SetAccessRule($accessRule)
Set-Acl "C:\YourWebsiteDirectory" $acl
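The following is an added example, not part of the original guide: a PowerShell function that wraps the Get-Acl/Set-Acl sequence above with the checks an operator usually wants, namely resolving the pool identity to its SID before touching the ACL, defaulting to read/execute, warning when write access is being granted, and reading the ACL back to confirm the ACE landed. It assumes it runs elevated on the IIS host; the function name, the paths and the pool name "MySitePool" are placeholders.

```powershell
function Grant-AppPoolFolderAccess {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$PoolName,
        # Least privilege by default: read/execute unless the caller asks for more.
        [System.Security.AccessControl.FileSystemRights]$Rights = 'ReadAndExecute'
    )

    if (-not (Test-Path -Path $Path -PathType Container)) {
        throw "Directory not found: $Path"
    }

    # Resolve "IIS AppPool\<name>" to its S-1-5-82-... SID before touching the ACL.
    # Translate throws IdentityNotMappedException when the name cannot be resolved,
    # which is the usual symptom of a mistyped pool name or of IIS not being installed.
    $account = New-Object System.Security.Principal.NTAccount('IIS AppPool', $PoolName)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])

    # Anything that includes write access deserves a second look on a web root:
    # the worker process should only write where uploads or temp files live.
    $writeBits = [System.Security.AccessControl.FileSystemRights]::Write
    if ([int]($Rights -band $writeBits) -ne 0) {
        Write-Warning "Granting write access ($Rights) to IIS AppPool\$PoolName on $Path"
    }

    # Build the ACE against the SID rather than the name. ContainerInherit and
    # ObjectInherit are the same flags icacls spells (CI)(OI).
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @($sid, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRule($rule)   # replaces any existing Allow ACE for this identity
    Set-Acl -Path $Path -AclObject $acl

    # Verify by reading the ACL back: an Allow ACE for this SID must carry the rights.
    $applied = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $Rights) -eq $Rights)
    }
    if (-not $applied) { throw "ACE for IIS AppPool\$PoolName was not applied on $Path" }
    $applied
}

# Placeholder calls: read/execute on the site root, Modify only on the upload folder.
Grant-AppPoolFolderAccess -Path 'C:\Websites\MySite' -PoolName 'MySitePool'
Grant-AppPoolFolderAccess -Path 'C:\Websites\MySite\Uploads' -PoolName 'MySitePool' -Rights Modify
```

SetAccessRule replaces an existing Allow ACE for the same identity rather than adding a second one, which keeps repeated runs from accumulating entries; use AddAccessRule instead if you deliberately want to stack rules.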

Here are typical permission requirements for different scenarios:

Scenario          Recommended permissions
----------------  ---------------------------------------
Static content    Read & Execute
File uploads      Modify (on specific folders)
Database access   Read/Write (for DB files)
Temporary files   Full Control (limited to temp folder)

If permissions aren't working as expected:

  • Verify the exact application pool name (case-sensitive)
  • Check for inheritance conflicts with parent folders
  • Use Process Monitor to trace access denied errors
  • Consider adding "IIS_IUSRS" as a secondary group if needed

For complex scenarios, you might need to modify the applicationHost.config file:

<applicationPools>
    <add name="YourAppPoolName" managedRuntimeVersion="v4.0">
        <processModel identityType="ApplicationPoolIdentity" />
    </add>
</applicationPools>

Remember to run IISRESET after making changes to applicationHost.config.
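As an added example (not from the original guide), the same identityType setting can be applied through the IIS: drive of the WebAdministration module instead of editing applicationHost.config by hand, which avoids a malformed-XML mistake taking the whole server down. It assumes Windows Server 2008 R2 / IIS 7.5 with the WebAdministration module available and an elevated session; the function name and the pool name "MySitePool" are placeholders, and the comparison assumes Get-ItemProperty returns the identityType value as its enum name.

```powershell
Import-Module WebAdministration

function Set-AppPoolToVirtualIdentity {
    param([Parameter(Mandatory=$true)][string]$PoolName)

    $poolPath = "IIS:\AppPools\$PoolName"
    if (-not (Test-Path -Path $poolPath)) {
        throw "Application pool '$PoolName' does not exist"
    }

    # identityType is one of LocalSystem, LocalService, NetworkService,
    # SpecificUser, ApplicationPoolIdentity; read it before changing anything.
    $current = Get-ItemProperty -Path $poolPath -Name processModel.identityType
    if ("$current" -ne 'ApplicationPoolIdentity') {
        Set-ItemProperty -Path $poolPath -Name processModel.identityType -Value ApplicationPoolIdentity
        # Recycle so the worker process restarts under the new identity.
        Restart-WebAppPool -Name $PoolName
    }

    # Return what is now configured so the caller can confirm the change.
    "$(Get-ItemProperty -Path $poolPath -Name processModel.identityType)"
}

Set-AppPoolToVirtualIdentity -PoolName 'MySitePool'
```

Writing through the provider updates applicationHost.config for you, so the change persists exactly as if the XML above had been edited.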


In IIS 7 and later versions, ApplicationPoolIdentity is a built-in account that runs application pools with minimal privileges. Unlike traditional service accounts, it doesn't appear in the standard user management interfaces because it's a virtual account dynamically created for each application pool.

Many administrators face difficulties when trying to assign filesystem permissions to ApplicationPoolIdentity through the GUI. The account doesn't appear in the object picker dialog, making it impossible to select via the standard Windows security interface.

The most reliable method is using the icacls command-line tool. Here's the basic syntax:

icacls "C:\Your\Folder\Path" /grant "IIS AppPool\YourAppPoolName":(OI)(CI)(M)

Example for granting modify permissions to DefaultAppPool:

icacls "C:\Websites\MySite" /grant "IIS AppPool\DefaultAppPool":(OI)(CI)(M)

  • (OI): Object inherit - applies to files in the directory
  • (CI): Container inherit - applies to subdirectories
  • (M): Modify permission (includes read, write, execute, delete)

For Windows Server 2008 R2 and later, you can use PowerShell:

$acl = Get-Acl "C:\Websites\MySite"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("IIS AppPool\DefaultAppPool", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.SetAccessRule($rule)
Set-Acl "C:\Websites\MySite" $acl

After applying permissions, verify them with:

icacls "C:\Websites\MySite"

Or in PowerShell:

(Get-Acl "C:\Websites\MySite").Access | Where-Object {$_.IdentityReference -like "*AppPool*"}

For network shares or UNC paths, you might need to use the SID format:

icacls "\\Server\Share" /grant *S-1-5-82-3006700770-424185619-0303000000-1000:(OI)(CI)(M)

To find the SID for your application pool identity:

wmic useraccount where "name='IIS APPPOOL\\DefaultAppPool'" get sid
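The following is an added example, not part of the original guide, covering both the verification step above and the SID lookup. As the guide notes, the virtual account is not stored in the local user database, so the lookup here goes through an LSA name translation in PowerShell; the result is the S-1-5-82-... value to paste into icacls' *SID form for a UNC path. The audit function walks a site root and lists every ACE held by an application pool identity, flagging the ones that allow writes so they can be reviewed against the least-privilege table. It assumes an elevated session on the IIS host; the function names, paths and the pool name are placeholders.

```powershell
function Get-AppPoolSid {
    param([Parameter(Mandatory=$true)][string]$PoolName)
    # Virtual accounts are not in the local account database, so an LSA name
    # lookup is the dependable way to obtain the S-1-5-82-... SID.
    $acct = New-Object System.Security.Principal.NTAccount('IIS AppPool', $PoolName)
    $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-AppPoolAce {
    param([Parameter(Mandatory=$true)][string]$Path)

    # Root plus every subdirectory; explicit (non-inherited) ACEs on subfolders
    # are where forgotten grants tend to hide.
    $dirs = @(Get-Item -Path $Path) +
            @(Get-ChildItem -Path $Path -Recurse | Where-Object { $_.PSIsContainer })

    foreach ($dir in $dirs) {
        foreach ($ace in (Get-Acl -Path $dir.FullName).Access) {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            # S-1-5-82-* is the SID prefix shared by all application pool identities.
            if ($sid -notlike 'S-1-5-82-*') { continue }
            $writeBits = [System.Security.AccessControl.FileSystemRights]::Write
            New-Object PSObject -Property @{
                Path      = $dir.FullName
                Identity  = $ace.IdentityReference.Value
                Sid       = $sid
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
                # Flag anything that lets the worker process write, for least-privilege review.
                Writable  = ([int]($ace.FileSystemRights -band $writeBits) -ne 0)
            }
        }
    }
}

# SID for use with icacls on a UNC path, e.g. /grant *S-1-5-82-...:(OI)(CI)(M)
Get-AppPoolSid -PoolName 'DefaultAppPool'

# Explicit Allow ACEs that grant write access to any pool identity under the site root.
Get-AppPoolAce -Path 'C:\Websites\MySite' |
    Where-Object { $_.Writable -and -not $_.Inherited -and $_.Type -eq 'Allow' } |
    Format-Table Path, Identity, Rights -AutoSize
```

Run the audit after every icacls or Set-Acl change: a Modify or Full Control entry on the site root rather than on the upload or temp folder is the finding that matters.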