Lawrence Avery
asked on
IIS_IUSRS group and Users group for IIS - WCF Service usage
Does the IIS_IUSRS group implicitly belong to the USERS group on Windows 7?
Why I ask is: if I assign either IIS_IUSRS or Users to a folder that contains my WCF Service, the service runs fine. If I remove both of them from having access to my WCF Service folder, I receive the following:
Exception: System.IO.FileLoadException
Message: Could not load file or assembly 'System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' or one of its dependencies. Access is denied.
My folder that contains the WCF Service is not under c:\inetpub\wwwroot but under a folder I created through Visual Studio.
Special note: IIS 7.5 runs under the IIS_IUSRS user group member IIS APPPOOL\DefaultAppPool. Also, the System.Web folder gives access to the Users group but not the IIS_IUSRS group.
ASKER
I just happened to notice that when I had only the USERS group with access to my application folder, my application still worked. And then my curiosity set in, knowing my application was running under an IIS_IUSRS group member and my folder did not have the IIS_IUSRS group assigned.
So bottom line, when I removed both IIS_IUSRS and USERS, my application would fail.
However, with either group, my application would work.
So that made me think IIS_IUSRS must be somehow associated with the USERS group.
It almost seems like IIS_IUSRS is also part of the USERS group.
ASKER CERTIFIED SOLUTION
ASKER
Excellent. Thank you.
AFAIK IIS_IUSRS is a built-in group like Users, but members of IIS_IUSRS have more rights than standard users do.
This built-in group has access to all the necessary file and system resources so that an account, when added to this group, can seamlessly act as an application pool identity.
Why would you even consider removing IIS_IUSRS rights set by IIS?
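One way to check the question raised in this thread on the IIS machine itself, as an added example that is not part of any post above: list the direct members of the local Users group and show which access entries on the service folder name the groups discussed. The folder path is a hypothetical placeholder, the group name Users assumes an English-language Windows install, and the script makes no claim about what the output will be on a given machine.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell prompt.
param(
    # Hypothetical placeholder: point this at the folder that holds the WCF service.
    [string]$ServicePath = 'C:\Projects\MyWcfService'
)

# 1. Direct members of the local Users group.
#    The WinNT ADSI provider is used because it is available on Windows 7.
$usersGroup = [ADSI]'WinNT://./Users,group'
$members = @($usersGroup.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
Write-Output 'Direct members of the local Users group:'
$members | ForEach-Object { Write-Output "  $_" }

if ($members -contains 'IIS_IUSRS') {
    Write-Output 'IIS_IUSRS is listed as a direct member of Users.'
} else {
    Write-Output 'IIS_IUSRS is NOT listed as a direct member of Users.'
}

# 2. Access entries on the service folder that name the principals from the thread.
#    Identity names are compared case-insensitively by -contains.
$watched = @(
    'BUILTIN\Users',
    'BUILTIN\IIS_IUSRS',
    'IIS APPPOOL\DefaultAppPool',
    'NT AUTHORITY\Authenticated Users',
    'Everyone'
)

(Get-Acl -Path $ServicePath).Access |
    Where-Object { $watched -contains $_.IdentityReference.Value } |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```

The membership list shows direct members only; well-known principals listed there (shown under names such as Authenticated Users) are matched against the worker process's logon token at run time, so they matter when reading the result.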