1707

answers:

3

We are deleting images that have been uploaded to our server using an ASP.NET web page. The site is running under 'NT AUTHORITY\NETWORK SERVICE' in IIS.

On the IIS server we have created a local group 'Full_Access' that we have added the 'NT AUTHORITY\NETWORK SERVICE' to. This group has NTFS Modify permission enabled on the file.

When we delete the file from our app, the file does not get deleted.

If we instead explicitly add 'NT AUTHORITY\NETWORK SERVICE' to the file and give it Modify permission, rather than relying on it inheriting the permission from the local group it is in, then it works just fine.

We have used the effective permissions check on the Security tab, and either way it supposedly has permission. But in actuality it only works if we directly give the service account permission?

Is there some reason 'NT AUTHORITY\NETWORK SERVICE' does not inherit the permissions of the local group it is in?

A: 

Add the group IIS_WPG to your 'Full_Access' group instead of NETWORK SERVICE.

From http://msdn.microsoft.com/en-us/library/ms998320.aspx :

Note If you need to allow the same level of access to a file resource for all accounts that run ASP.NET applications (Network Service or a custom service account), you can grant access to the IIS_WPG group instead of specifically to the Network Service account. Any account used to run ASP.NET is required to be a member of the IIS_WPG group.

FreddyB
You can't add a group to a group... Anyways... We originally tried adding 'IIS_WPG' to the file but that did not work. That is why we created the 'Full_Access' group.
ctrlShiftBryan
You're right. My bad. I misread your question. Any chance you can post cacls c:\path\to\wherever ?
FreddyB
A: 

Just a guess, but have you tried restarting the server?

The group membership is determined during the login process. The NETWORK SERVICE is actually the computer account, and I don't think that it works in the same way as other accounts. That is, it doesn't log in when you start the application. The system account (which controls IIS) just starts the process under its identity, which means that there is no login and no group membership check.

Igal Serban
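As an added diagnostic example (not code from any of the posters), a small C# helper that can be dropped into the ASP.NET app to report which groups the worker-process token actually carries and which ACEs are on the file; `filePath` and `groupName` are assumed parameters, and the output is a plain string for logging or display:

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Text;

// Reports the worker-process identity, the groups present in its access token,
// and the ACEs on the target file. An ACE for a group that is not in the token
// grants nothing, which is what the "effective permissions" tab cannot tell you
// about a token that was built before the group membership changed.
public static class AclDiagnostics
{
    public static string Report(string filePath, string groupName)
    {
        var sb = new StringBuilder();
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        sb.AppendLine("Process identity: " + id.Name);

        // Group membership is resolved when the token is created; a group added
        // after the worker process started does not show up until it is restarted.
        bool groupInToken = false;
        foreach (IdentityReference g in id.Groups)
        {
            string name;
            try { name = g.Translate(typeof(NTAccount)).Value; }
            catch (IdentityNotMappedException) { name = g.Value; } // unresolvable SID
            sb.AppendLine("  token group: " + name);
            if (name.EndsWith("\\" + groupName, StringComparison.OrdinalIgnoreCase))
                groupInToken = true;
        }
        sb.AppendLine(groupInToken ? "Group IS in token" : "Group is NOT in token");

        // Explicit and inherited ACEs on the file, resolved to account names.
        // Note: delete also succeeds via "Delete subfolders and files" on the parent
        // directory, so the folder ACL matters as well as the file ACL.
        FileSecurity fs = File.GetAccessControl(filePath);
        foreach (FileSystemAccessRule rule in fs.GetAccessRules(true, true, typeof(NTAccount)))
        {
            sb.AppendLine(string.Format("  ACE: {0} {1} {2}",
                rule.AccessControlType, rule.IdentityReference.Value, rule.FileSystemRights));
        }
        return sb.ToString();
    }
}
```

Calling `AclDiagnostics.Report(@"C:\path\to\wherever\image.jpg", "Full_Access")` from the page that performs the delete shows directly whether the token/ACL mismatch the answer above describes is the cause.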
+1  A: 

Why don't you create a dedicated application pool and have it running under a regular user with the appropriate rights?

Otávio Décio