Asked by inthedark

Windows Server 2012 & IIS 8.5 System32 and SysWow64 Folder Ownership Problem

Out of the box Windows Server 2012 creates system folders System32 & SysWow64 and makes them owned by TrustedInstaller.

So you want to run the server as a web server and register your application DLLs on the server. In order to do this you need to create a website with an Application Pool that has an identity. So you can use the inbuilt user IUSR or create a new user and make it part of the IIS_IUSRS group.

So you have a problem, as you need to give IUSR or the IIS_IUSRS group Read and Read & Execute permissions on System32 & SysWow64, but the machine Administrator is unable to do this.

First you must take ownership of these folders and replace TrustedInstaller with the real machine Administrator. You can then grant access to IUSR etc.

I am presuming that this is the only way you can set up a web server, or am I missing something? There is a lot of advice suggesting that taking ownership of System32 is not a good idea. But I cannot see any other way of doing it?

ASKER CERTIFIED SOLUTION
Dan McFadden

This solution is only available to members.

All users have read/execute permissions on these folders already

inthedark (ASKER)

Thanks for the information, Dan. The snag is that some of the DLLs are legacy 32-bit apps that live in the SysWow64 folder.

It can be made to work by making the Application Pool Identity the machine Administrator, but I do not like doing this.

And David, thanks for that. I see that the Machine\Users group is given read access to these system folders. So I have added the specific user accounts that I want to grant access to these folders to the Machine\Users group.

Let's see if it works.

Those 32bit DLLs do not need to be in the SysWoW64 folder.  You need to enable 32bit for the AppPool to run as a 32bit process.

Reference link:  http://blogs.msdn.com/b/rakkimk/archive/2007/11/03/iis7-running-32-bit-and-64-bit-asp-net-versions-at-the-same-time-on-different-worker-processes.aspx

Then the DLL can be moved to the application's bin directory.

Dan
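
The setup described in the comment above, as an added example that is not part of the original thread: a 32-bit application pool whose identity gets Read & Execute on the site's own directory only, leaving System32 and SysWow64 ownership untouched. The pool name, site name and path are hypothetical, the site is assumed to exist already, and the session is assumed to be an elevated PowerShell prompt on the IIS server.

```powershell
# Added example: $poolName, $siteName and $sitePath are hypothetical values.
Import-Module WebAdministration

$poolName = 'LegacyApp'            # hypothetical application pool name
$siteName = 'LegacySite'           # hypothetical existing IIS site
$sitePath = 'D:\Sites\LegacyApp'   # hypothetical content root, outside C:\Windows

# Create the pool if it does not exist yet.
if (-not (Test-Path "IIS:\AppPools\$poolName")) {
    New-WebAppPool -Name $poolName | Out-Null
}

# Run the worker process as 32-bit so it can load the legacy 32-bit DLLs.
Set-ItemProperty "IIS:\AppPools\$poolName" -Name enable32BitAppOnWin64 -Value $true

# The DLLs go into the application's own bin directory, not SysWow64.
New-Item -ItemType Directory -Path (Join-Path $sitePath 'bin') -Force | Out-Null

# Grant Read & Execute on the site directory only, to the pool's own
# virtual account (IIS AppPool\<pool name>), not to Administrator.
icacls $sitePath /grant "IIS AppPool\${poolName}:(OI)(CI)RX" /T /Q

# Point the site's root application at the new pool.
Set-ItemProperty "IIS:\Sites\$siteName" -Name applicationPool -Value $poolName

# Verify the pool setting and confirm the system folders still have
# their default owner (NT SERVICE\TrustedInstaller).
$is32 = (Get-ItemProperty "IIS:\AppPools\$poolName" -Name enable32BitAppOnWin64).Value
"enable32BitAppOnWin64 = $is32"
foreach ($dir in "$env:windir\System32", "$env:windir\SysWOW64") {
    "{0} owner: {1}" -f $dir, (Get-Acl $dir).Owner
}
```
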
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
I disagree.

The question was about how to set up a website on IIS. For whatever reason, various system directories were assumed to be involved. An explanation was posted on how to properly set up a website on the specific version of the server OS and IIS.

An outlined setup was given along with several reference links to help move the issue along.

Thanks,

Dan
I did find Dan's comments very useful although not the complete answer. Thanks Dan.

I wanted to use legacy products, and I was able to get them all working. MS of course said it cannot be done. With a bit of research, I created a script which would take ownership of all of the system folders, which then allowed me to deploy the legacy components I wanted to. I was also able to grant permissions where I needed to, and thus I was able to do the same in Windows 10 Pro.
I created a script so that I could make it work on any machine anywhere whenever I needed.
takeown /f "C:\Windows\System32" /R /D Y
takeown /f "C:\Windows\SysWow64" /R /D Y
takeown /f "C:\Program Files" /R /D Y
takeown /f "C:\Program Files (x86)" /R /D Y
takeown /f "C:\Windows\System32\drivers\etc" /R /D Y
takeown /f "C:\Windows\Resources" /R /D Y
takeown /f "C:\Windows\System32\inetsrv" /R /D Y

Then I used ICACLS to grant relevant permissions to Administrators, Users and the legacy users that I needed, like Interactive etc. Adding multiple users/groups per line made it much faster, for example:
icacls "C:\Windows\Resources" /grant Administrator:(OI)(CI)F /grant Administrators:(OI)(CI)F /T /C /Q
I was then able to install Office 97, Office 2000 & VB6 – unfortunately I need to provide support for these old products. I can now interactively debug 32-bit VB6 IIS DLLs on a 64-bit machine, which is where I needed to get to.