问题
When I bring up the AD Groups via Computer->Manage->Local Users and Groups, I can see IIS_IUSRS in the list, so I click on the Properties of the Administrators group, then click Add...select the Location to by my local computer, make sure the Object Types has "Built-in security principals" is checked, and I enter IIS_IUSRS in the object name text box, and it tells me that the IIS_IUSRS object cannot be found.
What am I doing wrong here (besides giving IIS_IUSRS Admin privileges)?
回答1:
I am not sure using the "built-in" account IIS_IUSRS is like a regular group account that you can add to administrators. For more information on that account, see this: http://learn.iis.net/page.aspx/140/understanding-built-in-user-and-group-accounts-in-iis/
My guess is you are having permissions issues when running a site in anonomous mode for writing files. Here are some possible suggestions from the best to worst (IMO):
1: Use impersonation to do 'elevated' level tasks in code just for that function. Here is a code sample: (use impersonation class/code below: Impersonation.vb) Example:
Using Impersonate As New Impersonation.Impersonate
Using Usr As System.Security.Principal.WindowsImpersonationContext
= Impersonate.ImpersonateUser("<domain username>", "<domain password>", "<domain>")
'do elevated security level task...
'System.IO.File.Copy(...)
Impersonate.UndoImpersonate(Usr)
End Using
End Using
2: Create a virtual directory to do 'elevated' tasks on a specific directory. In IIS you can set this to no be anonomous and have elevated permission to write files, for example.
3: Do impersonation in web.config
<identity impersonate="true" userName="accountname" password="password" />
---Impersonation.vb----
Imports System
Imports System.Runtime.InteropServices Imports System.Security.Principal
Namespace Impersonation
Public Class Impersonate
Implements IDisposable
Private Declare Auto Function LogonUser Lib "advapi32.dll" ( _
ByVal lpszUsername As String, _
ByVal lpszDomain As String, _
ByVal lpszPassword As String, _
ByVal dwLogonType As Integer, _
ByVal dwLogonProvider As Integer, _
ByRef phToken As IntPtr) As Boolean
Declare Function GetLastError Lib "kernel32" () As Integer
Public Function ImpersonateUser(ByVal Username As String, ByVal Password As String, ByVal Domain As String) As WindowsImpersonationContext
Dim tokenHandle As New IntPtr(0)
Dim dupeTokenHandle As New IntPtr(0)
Dim mWIC As WindowsImpersonationContext = Nothing
tokenHandle = IntPtr.Zero
Dim loggedOn As Boolean = LogonUser(Username, Domain, Password, 8, 0, tokenHandle)
If loggedOn Then
Dim mWI As New WindowsIdentity(tokenHandle)
mWIC = mWI.Impersonate() 'start the impersonation
End If
Return mWIC
End Function
Public Function UndoImpersonate(ByVal mWIC As WindowsImpersonationContext) As Boolean
If mWIC IsNot Nothing Then
mWIC.Undo()
Return True
End If
Return False
End Function
Private disposedValue As Boolean = False ' To detect redundant calls
' IDisposable
Protected Overridable Sub Dispose(ByVal disposing As Boolean)
If Not Me.disposedValue Then
If disposing Then
' TODO: free managed resources when explicitly called
End If
' TODO: free shared unmanaged resources
End If
Me.disposedValue = True
End Sub
' This code added by Visual Basic to correctly implement the disposable pattern.
Public Sub Dispose() Implements IDisposable.Dispose
' Do not change this code. Put cleanup code in Dispose(ByVal disposing As Boolean) above.
Dispose(True)
GC.SuppressFinalize(Me)
End Sub
End Class
End Namespace
来源:https://stackoverflow.com/questions/8447265/trying-to-add-iis-iusrs-to-administrators-group