• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1292
  • Last Modified:

IIS_IUSRS group and Users group for IIS---- WCF Service usage

Does IIS_IUSRS  group implicitly belong to the USERS group on windows 7 ?

Why I ask is--- if I assign either IIS_USRS or Users to a folder that contains my WCF Service, the service runs fine. If I remove both of them having access to my WCF Service folder, I receive the following:

Exception: System.IO.FileLoadException

Message: Could not load file or assembly 'System.Web, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' or one of its dependencies. Access is denied.

My folder that contains the WCF Service is not under c:\inetpub\wwwroot but under a folder I created through Visual Studio.

Special note: The IIS 7.5 runs under  IIS_USRS user group member  IIS APPPOOL\DefaultAppPool. Also the System.Web folder gives access to the Users group but not the IIS_IUSRS  group.
  • 2
  • 2
1 Solution
Patrick BogersDatacenter platform engineer LindowsCommented:

AFAIK IIS_IUSRS is a buildin group like users but members of IIS_IUSRS have more rights than standard users do.
This built-in group has access to all the necessary file and system resources so that an account, when added to this group, can seamlessly act as an application pool identity.

Why would you even consider removing IIS_IUSRS rights set by IIS?
metro156Author Commented:
I just happen to notice when I had the USERS group access only for my application folder, my application still worked. And then my curiosity set in knowing my application was running under a IIS_USRS group member and my folder did not have IIS_USRS group assigned.

So bottom line, when I removed both IIS_USRS and USERS , my application would fail.
However, having either group  my application would work.

So that made me think IIS_USRS must be somehow associated with the USERS group.  
It almost seems like IIS_USRS is also part of the USERS group.
Patrick BogersDatacenter platform engineer LindowsCommented:
Hi Metro,

Since i had to log into my webserver rack i remembered your question.
I found "users" and "IIS_IUSRS" are both member of "NT\authenticated users" so this would explain your findings.

Still! remember this can mean "IIS_IUSRS" has more rights then "USERS".

metro156Author Commented:
Excellent. Thank you.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now