What account is your AppPool running as?

IIS 7.5 on Windows 7 and Windows Server 2008 R2 changes the default Application Pool identity from NetworkService to a virtual account named after the Application Pool itself. The Application Pool ‘DefaultAppPool’ will run as the virtual account with the name ‘DefaultAppPool’. Given this change, I thought it might be useful to have a little script that lists all Application Pools and the accounts they are running as. Just copy the following script and save it as myAppPools.js. Run it with cscript (for example `cscript //nologo myAppPools.js`), typically from an elevated command prompt so that it can read the IIS configuration.

 

// Configuration path and section name that Main() hands to GetAdminSection
// to reach the application pool definitions.
var APPHOSTROOT = "MACHINE/WEBROOT/APPHOST",
    APPPOOLSSECTION = "system.applicationHost/applicationPools";

// COM object through which the script reads the IIS configuration; Main()
// uses it as a global.
var ahadmin = new ActiveXObject("Microsoft.ApplicationHost.AdminManager");

// Function declarations are hoisted, so Main can be called before the text
// of its definition further down.
Main();

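/**
 * Lists every IIS application pool with the identity its worker process
 * is configured to run as, writing the report through WScript.Echo.
 *
 * Reads the section named by APPPOOLSSECTION at APPHOSTROOT through the
 * global `ahadmin` object. Takes no arguments and returns nothing; any
 * error raised while reading the configuration is caught and reported
 * instead of being rethrown.
 *
 * Only the configured account name is read for "Specific User" pools; the
 * script never touches the stored password.
 */
function Main()
{
    // Prints the three report lines for one pool in the fixed layout.
    function echoPool(poolName, identityLabel, userLabel)
    {
        WScript.Echo ("APPPOOL: \t" + poolName);
        WScript.Echo ("IDENTITYTYPE:\t" + identityLabel);
        WScript.Echo ("USER: \t" + userLabel);
    }

    try
    {
        var appPoolsSection = ahadmin.GetAdminSection(APPPOOLSSECTION, APPHOSTROOT);
        WScript.Echo ("Available Application Pools and Identities");
        WScript.Echo ("==========================================");

        var pools = appPoolsSection.Collection;
        var poolCount = pools.Count;

        for (var i = 0; i < poolCount; i++)
        {
            var appPool = pools.Item(i);
            var appPoolName = appPool.Properties.Item("name").Value;
            var processModel = appPool.GetElementByName("processModel");

            // Read the property once instead of once per comparison.
            var identityType = processModel.Properties.Item("identityType").Value;

            if (identityType == 0) // LocalSystem
            {
                // LocalSystem is the most privileged built-in service account;
                // pools listed here deserve a closer look during a review.
                echoPool(appPoolName, "Localsystem", "LocalSystem");
            }
            else if (identityType == 1) // LocalService
            {
                echoPool(appPoolName, "LocalService", "LocalService");
            }
            else if (identityType == 2) // NetworkService
            {
                echoPool(appPoolName, "NetworkService", "NetworkService");
            }
            else if (identityType == 3) // Specific User
            {
                echoPool(appPoolName, "Specific User",
                         processModel.Properties.Item("userName").Value);
            }
            else if (identityType == 4) // AppPool identity
            {
                // The virtual account carries the pool's name; when granting
                // file-system permissions it is addressed as
                // "IIS AppPool\<pool name>".
                echoPool(appPoolName, "AppPoolIdentity", appPoolName);
            }
            else
            {
                // Never list a pool without an identity: a value this script
                // does not recognise is reported as-is rather than skipped.
                echoPool(appPoolName, "Unknown (" + identityType + ")", "Unknown");
            }

            WScript.Echo("\n");
        }
    }
    catch (e)
    {
        // e.number is a signed 32-bit value; the unsigned hex form is the
        // usual way an HRESULT is written and looked up.
        WScript.Echo("Script failed: " + e.number +
                     " (0x" + (e.number >>> 0).toString(16) + ")");
        WScript.Echo(e.description);
    }
}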

1 Comment

  • Roughly the same result could be obtained using the following PowerShell one-liner:

    PS IIS:\Sites\test #> get-webconfiguration /system.applicationHost/applicationPools/add | select {$_.name},{$_.processModel.identityType},{$_.processModel.userName}

    --Sergei
