IIS 7 and Above
write permissions problem with IIS7 on Windows 2008
Last post Feb 20, 2008 09:23 AM by Babscoole
Feb 19, 2008 11:53 PM|Babscoole|LINK
Trying to setup a PHP based open-source CRM called Joomla on IIS7 in Windows Server 2008. I installed the latest versions of PHP5 and MySQL. Using ISAPI. Everything displays fine, but many parts of Joomla require write access to certain files and directories
and this is not working. I've installed Joomla to a child directory of the default inetpub/wwwroot. To make things a bit easier to track, I'm centering on one specific file, configuration.php, to get this issue solved. At first I tried playing with granular
permission settings, but quickly became frustrated. Now, I've given Full Control permissions to both the IIS_IUSRS group and to the NetworkServices account for this file, but still can't write. Any guidance on how to solve this issue would be appreciated.
Feb 20, 2008 01:32 AM|steve schofield|LINK
Use process monitor to detect which folders are being denied. This is a combo tool now that used to be filemon / regmon. This is where I would start.
Windows Server MVP - IIS
Log archival solution
Install, Configure, Forget
Feb 20, 2008 09:23 AM|Babscoole|LINK
ProcessMon told me that W3WP running as NetworkService was having the issue. Doesn't quite make sense given the fix/workaround I tried this morning. At the site level, under authentication, I changed the Anonymous user identity from the default Specific
User (IUSR) to Application Pool Identity (NetworkService by default, left it set as that). Once I did that, writes to the file began working. To my way of thinking it should have worked before since the IIS_IUSR group had full perms.
Even stranger, I then looked at a directory that had to be written into. At first, writes failed. I took a look at the directory NTFS perms. NetworkServices not in the list, elevated the IIS_USRS group permissions and writes to here started working.
Given the change I made above, it should have been NetworkServices that needed to be added, not IIS_USRS needing adjustment.
Doesn't seem to be much rhyme or reason as to when or why IIS_USRS or NetworkServices is used to access a given object using IIS7 and they both seem to apply regardless of any authentication impersonation set.