Forum Discussion

Vinay1680's avatar
Vinay1680
Copper Contributor
Jul 12, 2023

create customized user group for IIS similar to IUSR and IIS_IUSRS

Is it possibe to create customized user group for IIS similar to IUSR and IIS_IUSRS.
So that we can users to those whom we want to give access to site deployed on IIS and will be removing IUSR and IIS_IUSRS from permission of the folder or site.

IIS
url authorization rules
  • MattHamrick's avatar
    MattHamrick
    Icon for Microsoft rankMicrosoft
    Jul 25, 2023
    IUSR is an account only used for anonymous authentication - it's not used anywhere else. This is because every request must have some user context, so IIS uses IUSR by default when the inbound request doesn't have anything.
    IIS_IUSRS is a group only used for application pool accounts - WAS dynamically retrieves the token for this when a worker process is starting and assigns it to the app pool account, so anything that group has access to, the worker processes can also access.

    That being said, you can use whatever accounts or principals you want, as long as they have appropriate permissions. You can change the anonymous account to something else besides IUSR, and the app pool account/identity just needs permission to the folder being hosted so the worker process can actually access content.

Resources