Giving the App Pool Identity folder permissions in IIS7 on Windows Server 2008 (First Release)

When you set up a new Application Pool in IIS7, the default user (or identity) is ApplicationPoolIdentity: a user account with minimal rights, created specifically for that application pool so that the pool runs under that user's context.

In Windows Server 2008 (the Vanilla version, as this is ‘slightly fixed’ in R2) you will struggle to assign your App Pool's user permissions on your website directories (including any web applications that use this application pool!) simply because the user does not appear in the user picker shown on the Security tab of folder properties. It is documented that you should enter “IIS APPPOOL\<App Pool Name>” into the object names box in order to assign that user permissions on your website directory.

Click ‘Check Names’ and the Application Pool User will not be found…

The only way to do this on Vanilla Windows Server 2008 is to use the ICACLS command line utility. You can then use the Security tab on the folder properties dialog to further modify the permissions.
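
One way to run the ICACLS step, as an added example that is not from the original post. The pool name `MyAppPool`, the site path and the `-AllowWrite` switch are assumptions for illustration; the pool is assumed to exist already, and the script is run from an elevated prompt.

```powershell
# Added example: grant an application pool identity access to a site folder.
# The default values below are hypothetical; replace them with your own.
param(
    [string]$AppPoolName = "MyAppPool",                  # hypothetical pool name
    [string]$SitePath    = "C:\inetpub\wwwroot\MySite",  # hypothetical site directory
    [switch]$AllowWrite                                  # only for folders the app must write to
)

# Application pool identities live under the "IIS APPPOOL" authority.
$account = "IIS APPPOOL\$AppPoolName"

if (-not (Test-Path $SitePath)) {
    throw "Folder not found: $SitePath"
}

# RX = read and execute, enough for serving content.
# M  = modify, needed only where the application writes (uploads, logs).
$rights = "RX"
if ($AllowWrite) { $rights = "M" }

# (OI)(CI) makes the entry inherit to files and subfolders.
# The braces around 'account' stop PowerShell reading "$account:" as a drive-qualified variable.
& icacls $SitePath /grant "${account}:(OI)(CI)$rights"
if ($LASTEXITCODE -ne 0) {
    throw "icacls failed with exit code $LASTEXITCODE"
}

# List the resulting ACL so the new entry can be reviewed.
$acl = & icacls $SitePath
$acl

if (-not ($acl | Select-String -SimpleMatch $account)) {
    Write-Warning "No entry for $account found in the ACL of $SitePath"
}
```

Granting read and execute by default keeps the pool's account at minimal rights; reserve `-AllowWrite` for the specific subfolders the application has to write to.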
