
Using PowerShell to grant access to a folder for an “IIS AppPool”

I am writing a script to automate the deployment of my platform, but I can't figure out how to set an app pool to have the permissions. With the code I have below, it just inserts the text below with the app pool name. I assume this is because this is a friendly name, and when you click Check Names normally it will fetch the correct user, but I can't figure out how to do this in PowerShell.

function Set_iis_perms {
    param (
        [parameter(position=0)]
        $AppPoolName,
        [parameter(position=1)]
        $FileName
    )
    $acl = Get-Acl $FileName
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(("iis apppool\$Apppool_Name"),"Modify","Allow")))
    $acl | Set-Acl $FileName
}

Even if someone can point me in the right direction, I would be most thankful.

Kind Regards Dom

Setting ACL via Get/Set-ACL and icacls is a really common thing and covered in many resources. Example(s):

Setting ACL on folder or file using PowerShell

This script will set folder permission on a folder (c:\1 and C:2) and its sub folder. If the folder does not exist, it will create the folder, set as shared and add the groups to the folder. Group_Name has to be replaced with Actual Group.

Application Pool Identities

Setting permissions for ASP.NET application on IIS with PowerShell

As per this StackOverflow Q&A

How can I add ACL permissions for IIS APPPOOL* accounts via Powershell?

Set-Acl $directory $acl
$user = New-Object System.Security.Principal.NTAccount("$domain\\$username")

UPDATE: Seems that it won't accept the "IIS APPPOOL\AppPoolName" as an NTAccount identifier. Now, there are two ways to accomplish what you are trying to do:

Create a new SID object with the AppPoolIdentities SID and translate it into an NTAccount, like this: http://iformattable.blogspot.com/2007/12/convert-sid-to-ntaccount-with.html , and you should be able to treat it like any other NTAccount object. If you still want to be able to pass domain/usernames for real accounts, build in some simple logic that defaults to the AppPool SID if username is "AweSomeAppPool" and domain is empty, just as an example.

Use PowerShell to invoke icacls.exe, and use it to grant/revoke whatever permissions you want, like this (first normal icacls from command prompt, then PowerShell, notice the difference):

icacls.exe test.txt /grant "IIS AppPool\DefaultAppPool":(OI)(CI)M
cmd /c icacls test.txt /grant "IIS AppPool\DefaultAppPool:(OI)(CI)M"
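
An added example, not part of the original question or answer: the SID-based option described above, written so the ACE is built from the app pool's SID and only applied after the SID translates back to the expected account. The function names `Get-AppPoolSid` and `Grant-AppPoolAccess` are hypothetical, and the SID derivation is an assumption that the round-trip check validates at run time.

```powershell
# Added example: Get-AppPoolSid and Grant-AppPoolAccess are hypothetical names.
function Get-AppPoolSid {
    param([Parameter(Mandatory)][string]$AppPoolName)
    # Assumption: the SID is S-1-5-82- plus the SHA-1 of the lower-cased name
    # (UTF-16LE), read as five little-endian 32-bit integers.
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($AppPoolName.ToLowerInvariant())
    $hash  = $sha1.ComputeHash($bytes)
    $parts = 0..4 | ForEach-Object { [System.BitConverter]::ToUInt32($hash, $_ * 4) }
    New-Object System.Security.Principal.SecurityIdentifier("S-1-5-82-$($parts -join '-')")
}

function Grant-AppPoolAccess {
    param(
        [Parameter(Mandatory)][string]$AppPoolName,
        [Parameter(Mandatory)][string]$Path,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
    )
    $sid = Get-AppPoolSid -AppPoolName $AppPoolName
    # Refuse to write an ACE unless the SID maps back to the expected pool,
    # which also catches a mistyped or not-yet-created pool name.
    try   { $account = $sid.Translate([System.Security.Principal.NTAccount]) }
    catch { throw "No account maps to $sid; does app pool '$AppPoolName' exist?" }
    if ($account.Value -ne "IIS APPPOOL\$AppPoolName") {
        throw "SID $sid resolved to '$($account.Value)', not the expected pool."
    }
    # Folders get the same (OI)(CI) inheritance as the icacls form; files get none.
    $inherit = [System.Security.AccessControl.InheritanceFlags]::None
    if (Test-Path -LiteralPath $Path -PathType Container) {
        $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $sid, $Rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
    # Return the explicit ACEs now held by the pool so the caller can verify them.
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $false,
        [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $sid.Value }
}

# Constructed usage; the path is a placeholder:
# Grant-AppPoolAccess -AppPoolName 'DefaultAppPool' -Path 'C:\inetpub\example' -Rights ReadAndExecute
```

Passing `-Rights ReadAndExecute` for content the site only reads keeps a compromised worker process from modifying its own files; reserve `Modify` for upload or log directories.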
