There is a blog post that may help:
The following is the solution:
1. Add the domain account to the IIS_WPG group on the machine running IIS. (This group is the worker process group, which contains the accounts allowed to run the IIS worker process.)
2. Go to Start > Run and type secpol.msc. Hit OK. The Local Security Settings console will open up. Under Security Settings, expand Local Policies and click User Rights Assignment. Double-click Log on as a service in the right pane. Add the domain account if not already listed. Click OK and exit the console. (This enables the domain account to register a process as a service.)
Hope it helps.
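A read-only check of the two steps above, as an added example that is not part of the original answer or the blog it refers to. It also reports the "Impersonate a client after authentication" right raised in the question. The account name is a constructed placeholder, and the script assumes an elevated prompt on a system that has the `Get-LocalGroupMember` cmdlet (Windows PowerShell 5.1 or later).

```powershell
# Added example: verifies group membership and user rights for an app pool account.
param(
    [string]$Account = 'EXAMPLE\svc-apppool',   # constructed placeholder, replace with the domain account
    [string]$Group   = 'IIS_WPG'                # local group named in step 1
)

# Resolve the account to a SID so comparisons do not depend on name formatting.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

# Step 1: is the account a direct member of the local group?
# (Membership through a nested domain group is not detected here.)
$inGroup = [bool](Get-LocalGroupMember -Group $Group -ErrorAction Stop |
    Where-Object { $_.SID.Value -eq $sid })

# Step 2: export the current user rights assignments to a temporary file.
$cfg = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content -Path $cfg
Remove-Item -Path $cfg -Force

# SeServiceLogonRight    = "Log on as a service"
# SeImpersonatePrivilege = "Impersonate a client after authentication"
$rights = 'SeServiceLogonRight', 'SeImpersonatePrivilege'
$report = foreach ($right in $rights) {
    $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        # Entries are comma separated; SIDs are prefixed with '*'.
        $holders = ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }
    [pscustomobject]@{
        Right            = $right
        # True only for a direct assignment; a right inherited through a
        # group that holds it shows up in Holders under the group's SID.
        DirectlyAssigned = ($holders -contains $sid) -or ($holders -contains $Account)
        Holders          = $holders -join ', '
    }
}

"Member of ${Group}: $inGroup"
$report | Format-Table -AutoSize -Wrap
```

Running it before and after a change such as the temporary local admin membership described in the question shows which group or right actually differs, so the account can be left with only what it needs.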
We have an active directory domain (let's call it ) and a domain user account () used for the IIS application pool identity.
We want to run the app pool under this user account and not under or the new as we have to access SQL server and have multiple applications on IIS (with own app pools) accessing different databases.
The problem is that I can't find a clear HOW-TO explaining which user rights have to be set for this user account and how IIS has to be set up so that this will work.
First I got errors (unfortunately I can't remember which ones), then I added to the local admin group (, I know, was only to test), then it worked. Now I removed the user again, restarted IIS and it still works.
So I'm a bit confused and would like to know how the configuration/setup has to be to have it working.
Somewhere I read that the account needs to have the "Impersonate a client after authentication" user right. That's the reason I added the account to the Admin group (the user rights assignment is blocked via group policy, but this can for sure be changed if really needed).
I hope I was clear enough what the question is and hope somebody has an answer.