Risk to Impersonate with IIS_IUSRS.

  • Question

  • We were running into an issue with a new SharePoint project where the sites would not display and an "Unexpected Error has occurred" error would come up instead. This seemed to be solved when the account we were using to run the IIS Application pool was put into the local admin group on the server, but this of course isn't best practice. After some digging, we found that the Member Server GPO removes an IIS group (IIS_IUSRS) from the Impersonate a Client After Authorization setting. When we moved one of the servers to the NoGPO container and manually added that group to the Local policy and verified the service account was not part of the Local Admins group, everything started working.

    Are there any risks in having (IIS_IUSRS) set to Impersonate a Client After Authorization setting?

    Wednesday, November 30, 2011 2:57 PM
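
A check for the state described in the post, as an added example that is not part of the original post: it parses a `secedit` user-rights export and reports whether IIS_IUSRS (well-known SID S-1-5-32-568) holds SeImpersonatePrivilege, the privilege constant behind the user right in question. The function name, variable names and the sample policy lines are constructed for illustration.

```powershell
# Added example. IIS_IUSRS is the well-known SID S-1-5-32-568.
$IisIusrsSid = 'S-1-5-32-568'

function Get-ImpersonateHolders {
    # Parse the lines of a secedit export and list who holds SeImpersonatePrivilege.
    param([Parameter(Mandatory)][string[]]$PolicyLines)
    $line = $PolicyLines | Where-Object { $_ -match '^\s*SeImpersonatePrivilege\s*=' } |
        Select-Object -First 1
    if (-not $line) { return }            # right not assigned to anyone
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        $sid = $null; $name = $entry      # entries without '*' are plain account names
        if ($entry.StartsWith('*')) {
            $sid = $entry.Substring(1)
            try {
                $name = ([Security.Principal.SecurityIdentifier]$sid).Translate(
                    [Security.Principal.NTAccount]).Value
            } catch { $name = '(unresolved)' }
        }
        [pscustomobject]@{ Sid = $sid; Name = $name; IsIisIusrs = ($sid -eq $IisIusrsSid) }
    }
}

# Constructed sample: effective policy after a GPO removed IIS_IUSRS from the right.
$sample = @(
    '[Privilege Rights]'
    'SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6'
)

# On a live server (elevated prompt), replace $sample with the real export:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   $sample = Get-Content "$env:TEMP\rights.inf"
$holders = @(Get-ImpersonateHolders -PolicyLines $sample)
$holders | Format-Table -AutoSize
if ($holders.IsIisIusrs -contains $true) {
    'IIS_IUSRS holds SeImpersonatePrivilege.'
} else {
    'IIS_IUSRS is missing from SeImpersonatePrivilege; check which GPO sets this right (gpresult /h report.html).'
}
```

Running it on both the GPO-managed server and the one in the NoGPO container shows exactly which principals differ between the two policies.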