PowerShell Exchange AppPool

  • Question

  • Hi,

    The IIS BPA advises that the identity of the app pool serving the PowerShell app pool should be changed to a lower privileged app pool.

    Is this a good idea? Will it break RBAC if I did?

    Thanks

    Martin

    Thursday, July 26, 2012 6:10 PM

Answers

  • Looks like it's messing up the link when pasting; just Google "an application pool is running under an incorrect identity".

    The Microsoft Exchange Best Practices Analyzer parses the roles that are running on an Exchange Server 2007-based computer together with the Internet Information Services (IIS) application pools that are used on the server.

    The Best Practices Analyzer uses the results of the examination to determine whether the application pools under which each Exchange-related Web application runs are configured to run under the local System account.

    If an application pool is not configured to run under the local System account, the Best Practices Analyzer generates the following error message:

    Application pool '<ApplicationPoolName>' on server '<ServerName>' is configured to run under the wrong identity. '<ApplicationPoolName>' should run under the 'Local System' identity.


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    • Proposed as answer by Noya Lau Friday, August 3, 2012 9:41 AM
    • Marked as answer by Gavin-Zhang Monday, August 6, 2012 10:46 AM
    Thursday, July 26, 2012 8:31 PM
  • On Thu, 26 Jul 2012 20:31:52 +0000, Jamestechman wrote:
     
    >Looks like it's messing up the link when pasting; just Google "an application pool is running under an incorrect identity".
     
    Your link is missing the ".aspx" suffix. :-)
     
    http://technet.microsoft.com/en-us/library/dd535385(v=EXCHG.80).aspx
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    • Proposed as answer by Noya Lau Friday, August 3, 2012 9:41 AM
    • Marked as answer by Gavin-Zhang Monday, August 6, 2012 10:46 AM
    Thursday, July 26, 2012 10:07 PM

All replies

  • Naw, for Exchange you leave it alone.

    http://technet.microsoft.com/en-us/library/dd535385(v=exchg.80)


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Thursday, July 26, 2012 6:36 PM
  • Hi James,

    The link you gave goes to a 404.

    Regards,

    Martin

    Thursday, July 26, 2012 6:38 PM
  • doh!

    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Thursday, July 26, 2012 11:54 PM
  • The majority of code executed as part of a Web application is executed in the context of the IIS worker process and typically runs under the identity configured for the application pool. Therefore, using a least privilege application pool identity is the primary way to constrain the privileges and rights granted to the application code.

    When using authentication schemes that produce Windows tokens, such as Windows Authentication or Basic Authentication, be aware that when highly privileged users access your application, it will execute with higher privileges than intended. Therefore, it is recommended that you do not allow users that have administrative privileges on the server to access your application.


    Noya Lau

    TechNet Community Support

    Monday, July 30, 2012 8:54 AM
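
The check described in the quoted Best Practices Analyzer text, combined with the least-privilege point in the last reply, can be sketched as follows. This is an added example, not part of the thread and not Microsoft's BPA code; the function name `Test-AppPoolIdentity`, the `MSExchange` name prefix used to recognise Exchange pools, and the sample pool list are assumptions made for illustration.

```powershell
# Added example (requires PowerShell 3.0 or later for [pscustomobject]).
# Assumption: Exchange application pools are recognised by the name prefix "MSExchange".
function Test-AppPoolIdentity {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Pool,
        [string] $ExchangePrefix = 'MSExchange',
        [string] $ServerName = $env:COMPUTERNAME
    )
    process {
        $name       = [string]$Pool.Name
        $identity   = [string]$Pool.IdentityType
        $isExchange = $name -like "$ExchangePrefix*"

        if ($isExchange -and $identity -ne 'LocalSystem') {
            # Same wording as the BPA error quoted in the thread.
            $finding = "Application pool '$name' on server '$ServerName' is configured to run " +
                       "under the wrong identity. '$name' should run under the 'Local System' identity."
        }
        elseif (-not $isExchange -and $identity -eq 'LocalSystem') {
            # Least-privilege guidance applies to pools that are not Exchange's own.
            $finding = "Non-Exchange pool '$name' runs as LocalSystem; review for a lower-privileged identity."
        }
        else {
            $finding = 'OK'
        }

        [pscustomobject]@{
            Name     = $name
            Identity = $identity
            Exchange = $isExchange
            Finding  = $finding
        }
    }
}

# Constructed sample input so the example runs without IIS installed.
$samplePools = @(
    [pscustomobject]@{ Name = 'MSExchangePowerShellAppPool'; IdentityType = 'LocalSystem' }
    [pscustomobject]@{ Name = 'MSExchangeOWAAppPool';        IdentityType = 'NetworkService' }
    [pscustomobject]@{ Name = 'DefaultAppPool';              IdentityType = 'ApplicationPoolIdentity' }
    [pscustomobject]@{ Name = 'IntranetAppPool';             IdentityType = 'LocalSystem' }
)
$samplePools | Test-AppPoolIdentity | Format-List

# On a live server, feed real pools instead (WebAdministration module):
#   Import-Module WebAdministration
#   Get-ChildItem IIS:\AppPools | ForEach-Object {
#       [pscustomobject]@{ Name = $_.Name; IdentityType = $_.processModel.identityType }
#   } | Test-AppPoolIdentity
```

The script only reads configuration; it changes no pool identity, which matches the advice in the thread to leave the Exchange pools as they are.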