Tip#98: Did you know… The default Application Pool Identity in IIS 7.5 (Windows 7) changed from NetworkService to AppPoolIdentity?

In Windows 7, IIS application pool isolation was taken a step further. IIS7 (Windows Server 2008) introduced the option to run an application pool as ApplicationPoolIdentity, but the default application pool identity in IIS7 remained NetworkService. In IIS7.5, ApplicationPoolIdentity becomes the default. Thus, scripts that previously expected to set permissions for the application pool identity “NT Service\NetworkService” will now have to set permissions (ACLs) for “IIS AppPool\<app pool name>” – the user account created for each new application pool.

Thus, to set permissions for the DefaultAppPool, the scripts will need to set ACLs for “IIS AppPool\DefaultAppPool”.

The incentive behind this change was to enforce the improved concept of process isolation through separate user accounts generated for each application pool identity.

To see other options that you can choose for your application pool identity, go to IIS Manager, Application Pools and right-click on the pool you want to configure, select Advanced Settings and Identity in the dialog that opens. You can choose one of the built-in accounts for your application pool identity:


Here is a list of built-in accounts and their corresponding usernames to use when setting permissions:

Identity                    Username to use when setting permissions
LocalService                Service
LocalSystem                 System
NetworkService              Network Service
ApplicationPoolIdentity     IIS AppPool\<app pool name>
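As an added example (not code from the original post), the following PowerShell script first confirms that a pool really runs as ApplicationPoolIdentity and then grants the “IIS AppPool\<app pool name>” account read-and-execute access to a content folder, which is the change a NetworkService-era ACL script would need. It assumes the WebAdministration module (Windows 7 / Server 2008 R2 with IIS installed); the pool name and folder path are placeholders.

```powershell
# Added example: ACL a content folder for an IIS 7.5 application pool's
# virtual account. Pool name and path are assumed values for illustration.
param(
    [string]$PoolName    = 'DefaultAppPool',          # existing app pool (assumed)
    [string]$ContentPath = 'C:\inetpub\wwwroot\app'   # folder to ACL (assumed)
)

Import-Module WebAdministration

# Check the pool's identity type before granting rights to the per-pool account.
# A pool switched to NetworkService, LocalService or a custom account would need
# the matching principal from the table above instead.
$pool         = Get-Item "IIS:\AppPools\$PoolName"
$identityType = $pool.processModel.identityType
if ($identityType -ne 'ApplicationPoolIdentity') {
    throw "Pool '$PoolName' runs as '$identityType'; use that principal instead."
}

# In IIS 7.5 the per-pool virtual account is named "IIS AppPool\<pool name>".
$principal = "IIS AppPool\$PoolName"

# ReadAndExecute is enough for the worker process to serve static content and
# load the application; grant Modify only on folders that genuinely need writes.
# ContainerInherit + ObjectInherit propagate the ACE to subfolders and files.
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $principal, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow'

$acl = Get-Acl -Path $ContentPath
$acl.AddAccessRule($rule)
Set-Acl -Path $ContentPath -AclObject $acl

# Verify: show only the ACEs that apply to this pool's account.
(Get-Acl -Path $ContentPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $principal } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Equivalent icacls command (same rights, inherited to subfolders and files):
#   icacls "C:\inetpub\wwwroot\app" /grant "IIS AppPool\DefaultAppPool:(OI)(CI)RX"
```

Run it from an elevated PowerShell session, since both reading the IIS configuration and writing the folder ACL require administrative rights.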

You can also specify an existing custom account (local or domain):


To read more about how to configure Application Pool Identities refer to this iis.net article: Application Pool Identities
To read about changes in application pool identities with regard to NetworkService account, read this blog post: Goodbye Network Service!

Katerina Rohonyan
SDET | IIS Team
