C# code to automatically give IIS write access to a folder on Windows Server 2008? Currently throws exception

2

5

I am trying to write a command line tool that will give IIS7.5 on Windows Server 2008 write access to a folder in the wwwroot, so that a web application has access to write to a specific folder within its base directory. Formerly, you would do this by assigning the IIS_WPG group on the folder, giving that group Modify access.

In Server 2008 I'm trying to do the same thing with IIS_IUSRS, but an exception is occurring.

Here is the code:

// Requires: using System.IO; using System.Security.AccessControl;
private static void ManagePermissions(string directory, string account, FileSystemRights rights, AccessControlType controlType, bool addAccess)
{
    // Read the folder's current ACL.
    DirectoryInfo directoryInfo = new DirectoryInfo(directory);
    DirectorySecurity directorySecurity = directoryInfo.GetAccessControl();

    // The account name is only checked when the rule is added to or removed from the ACL.
    if (addAccess)
        directorySecurity.AddAccessRule(
            new FileSystemAccessRule(account, rights, controlType));
    else
        directorySecurity.RemoveAccessRule(
            new FileSystemAccessRule(account, rights, controlType));

    // Write the modified ACL back to the folder.
    directoryInfo.SetAccessControl(directorySecurity);
}

The call to this method is as follows:

ManagePermissions(
                  @"c:\inetpub\wwwroot", 
                  @"MACHINENAME\IIS_IUSRS", 
                  FileSystemRights.Modify, 
                  AccessControlType.Allow, 
                  true);

When I execute that call to ManagePermissions, an exception is thrown with the following type and message:

System.Security.Principal.IdentityNotMappedException: 
    Some or all identity references could not be translated.

I've checked multiple times to ensure that MACHINENAME\IIS_IUSRS is an exact match with the user in the local user manager on the machine this code is executing on. This machine does not participate in a Windows domain.

Let me know if you need any further clarification.

Collect answered 7/12, 2010 at 8:42 Comment(2)
And this rights-assigning application is run under a user account which already has access to provide such rights? - Biosphere
Yes. This application does a number of things like administer IIS, create new folders and copy files in these same directory paths. - Collect
P
5

IIS_IUSRS is a built-in group, so it should not be referenced with [machinename]\IIS_IUSRS but with BUILTIN\IIS_IUSRS. Like so:

ManagePermissions( 
                  @"c:\inetpub\wwwroot",  
                  @"BUILTIN\IIS_IUSRS",  
                  FileSystemRights.Modify,  
                  AccessControlType.Allow,  
                  true);

Switching to that way of referencing the user fixed my code. I get the account in a slightly different way than referenced in your example:

IdentityReference user = new NTAccount(UserDomain + @"\" + UserName);

And then use it via a different constructor, so that may affect the translation as well, but I doubt it:

var rule = new FileSystemAccessRule(user, ..., ..., ..., ...);
Preliminaries answered 15/8, 2012 at 14:56 Comment(1)
I'll try this out in the next few days, and see how it goes. I'd abandoned that feature from my project, since it added marginal value and was taking so long to figure out. - Collect
G
4

Update: recently I've seen an error when adding full control for user IIS_IUSRS on non-English Windows (Windows Server 2008 R2 x64, IIS7).

Although IIS_IUSRS is not translated, 'BUILTIN' in front of it can cause an error.

So, be aware of using "BUILTIN\IIS_IUSRS"; use just 'IIS_IUSRS' instead - it works on both English and non-English Windows.

Gelsenkirchen answered 4/2, 2014 at 16:8 Comment(0)
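
Added example (not code from the question or from either answer): both answers depend on how the name IIS_IUSRS is resolved, so this sketch passes the group's well-known SID, S-1-5-32-568, which is the same on every machine and display language, instead of a name. The class name and the default folder path are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class GrantIisWriteAccess
{
    // Well-known SID of the built-in IIS_IUSRS group. Unlike "BUILTIN\IIS_IUSRS",
    // it needs no name lookup, so localized prefixes cannot break it.
    static readonly SecurityIdentifier IisIusrs = new SecurityIdentifier("S-1-5-32-568");

    static void ManagePermissions(string directory, IdentityReference identity,
        FileSystemRights rights, AccessControlType controlType, bool addAccess)
    {
        var directoryInfo = new DirectoryInfo(directory);
        DirectorySecurity security = directoryInfo.GetAccessControl();

        // Apply the rule to the folder itself, its subfolders and its files.
        var rule = new FileSystemAccessRule(identity, rights,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None, controlType);

        if (addAccess)
            security.AddAccessRule(rule);
        else
            security.RemoveAccessRule(rule);

        directoryInfo.SetAccessControl(security);
    }

    static int Main(string[] args)
    {
        // Hypothetical default path: grant Modify only on the one folder the
        // application writes to, not on the whole web root.
        string target = args.Length > 0 ? args[0] : @"c:\inetpub\wwwroot\MyApp\App_Data";
        try
        {
            // Translate only to display the local name; the rule itself uses the SID.
            Console.WriteLine("Resolved {0} to {1}", IisIusrs, IisIusrs.Translate(typeof(NTAccount)));
            ManagePermissions(target, IisIusrs, FileSystemRights.Modify, AccessControlType.Allow, true);
            return 0;
        }
        catch (IdentityNotMappedException)
        {
            Console.Error.WriteLine("SID {0} could not be mapped to an account on this machine.", IisIusrs);
            return 1;
        }
    }
}
```

Run it from an elevated prompt, then confirm the new entry with `icacls` on the target folder.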