In my previous post, I discussed how I was having difficulty getting a WiX-built MSI installer to correctly assign permissions for the Internet guest account to a folder on both Windows Server 2003 and Windows Server 2008. The thing about WiX/MSI is that if you keep hammering at it long enough, you can usually find a solution (even if it is ugly and convoluted). That proved true again today (for better or for worse).
My solution uses two properties (one to store the account name, the other the domain), and two sets of custom actions to correctly populate the properties based on the OS version. Here is the relevant bits of code:
1: <Property Id="WEBUSER" Value="Byah" />
2: <Property Id="WEBDOMAIN" Value="Byah" />
3: <CustomAction Id="SetWebuserIIS7" Return="check" Property="WEBUSER" Value="IIS_IUSRS" />
4: <CustomAction Id="SetWebuserIIS6" Return="check" Property="WEBUSER" Value="IUSR_[ComputerName]" />
5: <CustomAction Id="SetDomainIIS7" Return="check" Property="WEBDOMAIN" Value="" />
6: <CustomAction Id="SetDomainIIS6" Return="check" Property="WEBDOMAIN" Value="[ComputerName]" />
7: <!-- SNIP -->
8: <CreateFolder>
9: <util:PermissionEx User="NetworkService" GenericAll="yes" />
10: <util:PermissionEx User="Administrators" GenericAll="yes"/>
11: <util:PermissionEx User="Users" GenericRead="yes" GenericExecute="yes" />
12: <util:PermissionEx User="[WEBUSER]" Domain="[WEBDOMAIN]" GenericRead="yes" GenericExecute="yes"/>
13: </CreateFolder>
I hope that helps someone!
Well, I tried above stuff but not worked, shall you please give some more brief on this?
Thanks in Advance.
Raj.
@Raj, what error are you getting?
I think you are not fully right. According to this link http://learn.iis.net/page.aspx/140/understanding-the-built-in-user-and-group-accounts-in-iis-7/
"In summary, IIS 7.0 offers:
The IUSR built-in account replaces the IUSR_MachineName account
The IIS_IUSRS built-in group replaces the IIS_WPG group"
But you assign IUSR_[ComputerName] or IIS_IUSRS to WEBUSER property. I think one should use both IUSR_[ComputerName] account and IIS_WPG group for IIS6 and IUSR account and IIS_IUSRS group for IIS7
@kvseek,
Hmm, on my Vista box with IIS7, I do not have an "IUSR" account, only the IIS_IUSRS group (which, strangely, has no members). *shrugs*
Matt
It is built-in account NT AUTHORITY\IUSR. If you try to add user to any group and print IUSR and press "Check Names" you see this user.
I found out that folder with web site must have permission for group IIS_IUSRS and IUSR user. By default IUSR user is added in USERS group implicitly (it is so because "NT AUTHORITY\Authenticated Users" group is there) that’s why evrthing works fine for you. But it is not always so. So adding permissions for Users group is not proper way. Besides tou add permissions for "NetworkService" but it is already in IIS_WPG (IIS_IUSRS) group.
I had some difficulties with adding IUSR user’s permission to folder on my Windows 2008 Server. I could do it only with "NT AUTHORITY" domain using:
<util:PermissionEx Domain="NT AUTHORITY" GenericWrite=’no’ GenericExecute=’yes’ GenericRead=’yes’ User=’IUSR’ />