IIS Server - IUSR and IWAM domain accounts


Author IUSR and IWAM domain accounts
E.P. Kempen

2005-01-30, 7:50 am

Hello,

I have a server 2003 domain controller and 2 server 2003 web edition
webservers.
I would like to use a domain iusr and a domain iwam account which are on the
domain controller.
I can't figure out how to create these domain accounts, the iwam account on
the webserver is member of the IIS_WPG group which I can't find on the
domain controller.

I have a lot of questions and every help is very very welcome:

Is it possible to do this?
Is it wise to do this?
How do I create a domain iusr and iwam account?
What rights and policies do these accounts need to have?
Which directories must have these groups named in security?
How do I make the 2 webservers use the domain accounts?

Many thanks in advance

Emiel Kempen.


Roger Abell [MVP]

2005-01-31, 2:55 am

"E.P. Kempen" <e.kempen@bitwise.nl> wrote in message
news:%233BReXsBFHA.1292@TK2MSFTNGP10.phx.gbl...
> Hello,
>
> I have a server 2003 domain controller and 2 server 2003 web edition
> webservers.
> I would like to use a domain iusr and a domain iwam account which are on
> the domain controller.
> I can't figure out how to create these domain accounts, the iwam account
> on the webserver is member of the IIS_WPG group which I can't find on the
> domain controller.

The group is only on a W2k3 machine which has IIS installed (which
is not a wise choice for a domain controller, given a choice).
The domain accounts need membership in each group on the IIS machines
where their corresponding iusr/iwam now have membership. Also, you will
need to make sure they have the same user rights grants in group policy.

>
> I have a lot of questions and every help is very very welcome:
>
> Is it possible to do this?

yes

> Is it wise to do this?

depends
If you have a defined need for these accounts to be recognized
"off box", elsewhere in your network, then yes it is needed.
Otherwise, no, I do not feel it is wise in absence of a requirement.

> How do I create a domain iusr and iwam account?

Like any other account, perhaps more restricted.
Two objectives: the accounts need all grants local on the IIS box(es)
that the IIS machine local accounts would have; and, the accounts
should be restricted so that all of their capabilities on the network are
understood (For example, is it really necessary that they be able to
access the server share where the employee handbook is stored ?
but is that not what happens if the accounts are in Domain Users?)

> What rights and policies do these accounts need to have?

above - all are found on the IIS box in the user rights and group
memberships

> Which directories must have these groups named in security?

what groups? we were speaking of accounts

> How do I make the 2 webservers use the domain accounts?
>

you just set these as the accounts used by IIS in place of the iusr/iwam
but you must not let IIS manage the passwords.

> Many thanks in advance
>
> Emiel Kempen.
>
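
The steps from the reply above, as an added example that is not part of the original thread: a batch script, run on each IIS 6 web server, that mirrors the local accounts' group memberships onto the domain accounts and points the metabase at them with IIS password management switched off. The account names `EXAMPLE\svc-web-anon` and `EXAMPLE\svc-web-wam` are hypothetical, `Guests` is an assumed default for the local IUSR account to be confirmed from step 1, and the default `adsutil.vbs` location is assumed.

```batch
@echo off
rem Added example, not from the thread. Run as a local administrator on each web server.
setlocal
rem Hypothetical domain accounts created beforehand as ordinary, restricted users.
set DOM_IUSR=EXAMPLE\svc-web-anon
set DOM_IWAM=EXAMPLE\svc-web-wam
rem Groups to mirror. IIS_WPG comes from the thread; Guests is an assumption.
rem Confirm both against the output of step 1 before running steps 2 and 3.
set IUSR_GROUPS="Guests"
set IWAM_GROUPS="IIS_WPG"
set ADSUTIL=%SystemDrive%\Inetpub\AdminScripts\adsutil.vbs

echo === 1. Group memberships of the machine-local accounts ===
net user IUSR_%COMPUTERNAME%
net user IWAM_%COMPUTERNAME%
pause

echo === 2. Give the domain accounts the same local group memberships ===
for %%G in (%IUSR_GROUPS%) do net localgroup "%%~G" "%DOM_IUSR%" /add
for %%G in (%IWAM_GROUPS%) do net localgroup "%%~G" "%DOM_IWAM%" /add

echo === 3. Point IIS at the domain accounts ===
rem set /p echoes what is typed; passwords containing %% or quotes need escaping.
set /p ANON_PW=Password for %DOM_IUSR%: 
set /p WAM_PW=Password for %DOM_IWAM%: 
cscript //nologo "%ADSUTIL%" set w3svc/AnonymousUserName "%DOM_IUSR%"
cscript //nologo "%ADSUTIL%" set w3svc/AnonymousUserPass "%ANON_PW%"
rem "Must not let IIS manage the passwords": turn password sync off.
cscript //nologo "%ADSUTIL%" set w3svc/AnonymousPasswordSync false
cscript //nologo "%ADSUTIL%" set w3svc/WAMUserName "%DOM_IWAM%"
cscript //nologo "%ADSUTIL%" set w3svc/WAMUserPass "%WAM_PW%"

echo === 4. Read the settings back ===
cscript //nologo "%ADSUTIL%" get w3svc/AnonymousUserName
cscript //nologo "%ADSUTIL%" get w3svc/AnonymousPasswordSync
cscript //nologo "%ADSUTIL%" get w3svc/WAMUserName

rem Not covered here: user rights. Compare the rights held by the local
rem IUSR/IWAM accounts with what group policy grants the domain accounts.
rem Sites that set these properties on their own metabase node keep their
rem own values; the w3svc level only supplies the inherited default.
endlocal
```

Because IIS no longer manages the password, any later change to the domain account's password has to be written into the metabase again on both web servers.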



Copyright 2003 - 2008 webservertalk.com