Ensure that IIS AppPool user is added to windows group

Question

I am trying to deploy an ASP.NET application to IIS using Powershell (run by Ansible).

I want my application to be able to query the performance counters so I am adding it to the Performance Monitor Users using this Powershell script:

appPoolName=$args[0]

$group = [ADSI]"WinNT://$Env:ComputerName/Performance Monitor Users,group"

$ntAccount = New-Object System.Security.Principal.NTAccount("IIS AppPool\$appPoolName")
$strSID = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier])
$user = [ADSI]"WinNT://$strSID"

$group.Add($user.Path)

It actually comes from another SO question: Add IIS AppPool\\ASP.NET v4.0 to local windows group .

After the deployment, it can happen that the user is added to the group but the application still can't access the performance counters.

The script is run just before starting the App Pool and the application. I have tried the following things, without success:

• Restart the application
• Restart the App Pool
• Set AnonymousAuthentication to 'Application pool identity'
• Deploy again

I have modified my deployment scripts in the following ways, without success:

• Remove the user from the group before adding it
• Restart the App Pool after adding the user. IIS actually complains ("The service cannot accept messages at this time").
• Add the user to the group after starting the application
• Add the user to the group at the beginning of the deploy (before stopping the application and pool)

The only way I have to solve my problem is to restart the machine. I would like to know if there is a better one!

If it is possible, I think making the App Pool user log off and back on would solve my problem. I haven't found how to do that (restarting or recycling the App Pool doesn't work).

Answer 1

答案是一个简单的iisreset （在命令行或 Powershell 中）。