Grant User Rights to a Service Account

Applies To: Windows Server 2003, Windows Server 2003 with SP1

Typically, the user rights assigned to the IIS_WPG group are sufficient for most Web sites or applications. However, when a Web site or application requires additional user rights to run properly, you must assign the required rights to the service account that is used as the identity for the Web sites and applications.

You grant user rights based on where the account is stored. If the service account is created locally on the Web server, you make changes in user rights through Local Computer Policy by using the Group Policy Object Editor MMC snap-in. When the service account is created in Active Directory, make the changes on the appropriate Group Policy object in Active Directory.

Requirements

  • Credentials: Membership in the Administrators group on the local computer.

  • Tools: Iis.msc.

Recommendation

As a security best practice, log on to your computer using an account that is not in the Administrators group, and then use the Run as command to run IIS Manager as an administrator. At the command prompt, type runas /user:administrative_accountname "mmc %systemroot%\system32\inetsrv\iis.msc".

Procedures

To add the Group Policy Object Editor to MMC

  1. In the Run dialog box, type mmc, and then click OK.

    The Microsoft Management Console appears.

  2. On the File menu, click Add/Remove Snap-in.

  3. On the Standalone tab, click Add.

  4. In the Available Standalone Snap-ins list box, click Group Policy Object Editor, and then click Add.

  5. In the Select Group Policy Object dialog box, in Group Policy Object, select Local Computer, and then click Finish.

  6. Click Close, and then click OK.

To grant user rights to a service account when the service account is stored locally on the Web server

  1. In MMC, open the Group Policy Object Editor.

  2. In the console tree, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.

  3. In the details pane, double-click the user right that you want to grant to the service account.

  4. In the user_right Properties dialog box (where user_right is the user right you selected in Step 3), click Add User or Group.

  5. In the Select Users, Computers, or Group dialog box, type the name of the service account, and then click OK.

  6. In the user_right Properties dialog box (where user_right is the user right you selected in Step 3), click OK.

To grant user rights to a service account when the service account is stored in Active Directory

  1. In MMC, open Active Directory Users and Computers.

  2. In the console tree, browse to the organizational unit that contains the Group Policy object that you want to modify, right-click the organizational unit, and then click Properties.

  3. In the organizational_unit Properties dialog box (where organizational_unit is the organizational unit you selected in Step 2), click the Group Policy tab.

  4. Select the Group Policy object that you want to modify, and then click Edit.

    The Group Policy Object Editor appears.

  5. In the console tree, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.

  6. In the details pane, double-click the user right that you want to grant to the service account.

  7. In the user_right Properties dialog box (where user_right is the user right you selected in Step 6), click Add User or Group.

  8. In the Select Users, Computers, or Group dialog box, type the name of the service account, and then click OK.

  9. In the user_right Properties dialog box (where user_right is the user right you selected in Step 6), click OK.

  10. Close the Group Policy Object Editor.

  11. Click OK.
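
To confirm which rights a service account holds after either procedure, export the policy with secedit /export /cfg rights.inf /areas USER_RIGHTS and review its [Privilege Rights] section. The following is an added example, not part of the original documentation, that parses such an export and lists the rights an account holds directly or through a group. The account name WEB01\svc_webapp, the sample export, and the set of rights flagged for review are constructed assumptions.

```python
# Constructed sample of `secedit /export /cfg rights.inf /areas USER_RIGHTS`
# output. Real exports are usually UTF-16; read them with encoding="utf-16".
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,IIS_WPG
SeBatchLogonRight = *S-1-5-19,IIS_WPG,WEB01\\svc_webapp
SeServiceLogonRight = *S-1-5-20,WEB01\\svc_webapp
SeImpersonatePrivilege = *S-1-5-32-544,IIS_WPG,*S-1-5-6
SeDebugPrivilege = *S-1-5-32-544,WEB01\\svc_webapp
[Version]
signature="$CHICAGO$"
"""

# Rights rarely justified for a web application identity (an assumption
# made for this example; replace with your own baseline).
REVIEW_RIGHTS = {"SeDebugPrivilege", "SeTcbPrivilege", "SeBackupPrivilege",
                 "SeRestorePrivilege", "SeTakeOwnershipPrivilege"}

def parse_privilege_rights(text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, members = line.partition("=")
            # Principals are comma separated; SIDs carry a leading "*".
            rights[name.strip()] = [m.strip().lstrip("*")
                                    for m in members.split(",") if m.strip()]
    return rights

def audit(text, account, groups=()):
    """Return (rights held directly or via groups, subset needing review)."""
    wanted = {p.lower() for p in (account, *groups)}
    held = sorted(r for r, members in parse_privilege_rights(text).items()
                  if wanted & {m.lower() for m in members})
    return held, [r for r in held if r in REVIEW_RIGHTS]

if __name__ == "__main__":
    held, review = audit(SAMPLE_EXPORT, r"WEB01\svc_webapp", groups=["IIS_WPG"])
    print("Rights held:", ", ".join(held))
    print("Review before keeping:", ", ".join(review) or "none")
```

An export can record a principal by SID instead of by name, so pass the account's SID in groups as well when matching against a real file.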