What permissions does Network Service require on Vista / IIS7?

Question

Doing some more tinkering with development on VS2008/Vista/IIS7, I'm wondering at a few things regarding the Network Service account. It had no issues running my website until I attempted to set up the Sql Role Membership Provider, which creates a local database in the App_Data folder. Somewhere in there, Network Service ran out of the permissions needed to auhenticate my client.

I solved the problem by changing the app pool to run under my admin account (and later by granting Network Service admin permissions for now), but I'm curious as to what permissions Network Service is missing as I'd ultimately like to keep it (and my sites) out of the admin group. Any ideas?

Also, where's a good place to go debug this stuff? EventLogs have nothing useful, so I'm not sure where else would be a good place to find out when an account tries to do something and is denied. Maybe I just don't have the logs configured properly?

Thanks!

Answer 1

Oddly enough, it looks like gving Network Service write access to the folder containing the mdb file wasn't enough. It apparently wants read access to everything under the "Documents\Visual Studio 2008 directory" as well (the site is hosted from within that directory). Seems ok now. Thanks ProcessMonitor!