How IIS interacts with the Group Policy “Log on as a service”


Since Windows Server 2008 there has been a Group Policy setting called Log on as a service, located under Group Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.

As described in the official Microsoft documentation (https://technet.microsoft.com/en-us/library/dn221981(v=ws.11).aspx), this right determines which service accounts can register a process as a service.

If we open this policy, we see the application pool identities listed inside it, as shown below:

(Screenshot: the Log on as a service policy listing the IIS application pool identities.)

So the corresponding identity must be granted this right before the specific application pool can be launched.

Additionally, IIS inserts these identities automatically; no manual step is needed.

When does IIS add the identities to Log on as a service?

1. All existing application pool identities are added when IIS is initialized.

2. When an application pool’s w3wp process is launched, IIS checks whether its identity already exists in Log on as a service. If not, the identity is added.

Notes:

1. For an application pool running in OnDemand start mode, if its identity is not yet included in Log on as a service, IIS does not add it until the corresponding w3wp process is launched on the first request. The identity check and insertion happen when the w3wp process is launched, not when the application pool is started in IIS Manager.

2. When adding identities, IIS does not check group membership against the identities already in Log on as a service. That is to say, a new identity is still added even if one of its groups is already listed. In short, application pool identities cannot be granted this right in the form of a group; each one is added individually.
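To verify this behaviour on a server, the following audit script (an added example, not part of the original post) resolves each application pool identity to a SID and compares it, as a direct entry only, against the SeServiceLogonRight assignments exported by secedit. It assumes the WebAdministration module is available and that the script runs elevated on the IIS host.

```powershell
# Added audit script (not from the original post). Assumes the WebAdministration
# module (IIS:\ drive) is available and the script runs elevated on the IIS host.
Import-Module WebAdministration

function Get-AppPoolIdentity {
    param($Pool)
    $pm = $Pool.processModel
    switch ($pm.identityType) {
        'ApplicationPoolIdentity' { "IIS APPPOOL\$($Pool.Name)" }
        'SpecificUser'            { $pm.userName }
        'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
        'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
        'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
        default                   { $pm.identityType }
    }
}

function ConvertTo-Sid([string]$Account) {
    try {
        ([System.Security.Principal.NTAccount]$Account).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }
}

# Export only the user-rights area of the local policy and pull SeServiceLogonRight.
$inf = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' } |
        Select-Object -First 1
Remove-Item $inf -ErrorAction SilentlyContinue

# Entries are '*<SID>' or plain account names; normalise all of them to SIDs.
$granted = @()
if ($line) {
    foreach ($entry in (($line -replace '^SeServiceLogonRight\s*=\s*', '') -split ',')) {
        $e = $entry.Trim()
        if ($e.StartsWith('*')) { $granted += $e.Substring(1) }
        elseif ($e) { $sid = ConvertTo-Sid $e; if ($sid) { $granted += $sid } }
    }
}

# Compare each pool's identity by SID. Direct membership only: as noted above,
# IIS does not expand groups, so a group entry does not count for the pool.
foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $id  = Get-AppPoolIdentity $pool
    $sid = ConvertTo-Sid $id
    $has = [bool]($sid -and ($granted -contains $sid))
    [pscustomobject]@{ AppPool = $pool.Name; Identity = $id; HasLogOnAsService = $has }
}
```

A pool reported with HasLogOnAsService set to False that is in OnDemand start mode is expected until its first request has launched w3wp; a False result for a pool whose w3wp is already running is worth investigating.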

Special thanks to Xiaodong Zhu.

Jinjie ZHOU from DSI team.