IIS, Application Pools, Identities, Active Directory and "Log On To" option

  • Question

  • In IIS, you can create an Application Pool for your website to use. And that Application Pool can be set to run as a specific AD account.  This allows the website and/or webservice to access other servers, folders, shares, resources, etc because it now is running as that AD account.  Here's my question.  Can I restrict the use of that AD account so that it is only used on the server with the application pool on it?  I'm thinking of using Active Directory's account tab and the "Log On To" option.  By default, that option allows an account to log into all computers on the domain.  But it says you can change it and just list the computer (or computers) that you want it restricted to.  Anyone tried that?
    Wednesday, July 17, 2019 1:30 PM
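One way to apply and verify the restriction the question describes, as an added example that is not part of the original thread. It assumes a service account named svc_apppool, a web server with the NetBIOS name WEB01, an application pool named MyAppPool, and that the account is used nowhere except that pool (if it also logs on elsewhere, those logons will start failing):

```powershell
# Added example; names below are assumptions, not from the thread.
# Needs the RSAT ActiveDirectory module and rights to modify the account.
Import-Module ActiveDirectory

$Account   = 'svc_apppool'
$WebServer = 'WEB01'   # NetBIOS name; LogonWorkstations does not accept FQDNs

# 1. Record the current value so the change can be rolled back.
$before = Get-ADUser -Identity $Account -Properties LogonWorkstations
"Before: '$($before.LogonWorkstations)' (empty = all computers)"

# 2. Restrict the account to the web server (comma-separate several hosts if needed).
Set-ADUser -Identity $Account -LogonWorkstations $WebServer

# 3. Read the attribute back from the DC to confirm it was written.
$after = Get-ADUser -Identity $Account -Properties LogonWorkstations
"After:  '$($after.LogonWorkstations)'"

# 4. On the web server, restart the pool and look for logon failures caused by
#    the workstation restriction: event 4625 with sub status 0xC0000070
#    (STATUS_INVALID_WORKSTATION). No output here means the pool still logs on.
Invoke-Command -ComputerName $WebServer -ScriptBlock {
    Import-Module WebAdministration
    Restart-WebAppPool -Name 'MyAppPool'   # assumed pool name
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddMinutes(-10)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Sub Status:\s+0xC0000070' } |
        Select-Object TimeCreated, Message
}

# Roll back if the pool fails to start or other hosts report 0xC0000070:
# Set-ADUser -Identity $Account -Clear LogonWorkstations
```

The restriction is enforced by the domain controller at logon time, so the same 0xC0000070 failures will appear on any other host where the account was silently in use; checking the DC's 4776 events for that account before making the change shows where it actually logs on.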

All replies

  • I notice in Active Directory if you look at an account's properties, you can see on the Account tab an option/button called "Log On To".  If I click it, I see by default that an account can log on to "All Computers".  But it looks like I can toggle this setting and list the computers that I want to restrict this account to.  My question is "what is the intended purpose of this option/setting?"  Is it for administrators to restrict user accounts to a specific client machine (e.g. Tom can only log into Tom's workstation and maybe a couple of shared computers)?  Or can it also be used to restrict accounts that are used to run services as well?  For example, we have a server that has Backup Exec on it and it runs our backups of all other servers.  The Backup Exec services run as an AD account we created (backupexec).  Could I set the "Log On To" setting for this backupexec account, changing it from all computers and just limiting it to the backup server that has Backup Exec on it?  Another example: I have SharePoint running on a single server, and all the SharePoint services are running as an AD account named 'sharepoint'.  Could I set the "Log On To" setting for that account, changing it from 'all computers' and instead limiting it to the one SharePoint server?  Finally, I have some AD accounts that are used as the identity of an Application Pool in IIS.  These support websites that we have running on an IIS web server.  Could I restrict these AD accounts in the same manner?  Only let them "log on to" the web server that the web app/app pool is on?

    The reason I ask is that I have a suspicion that limiting these various service accounts to the servers they run on is going to break things because of the way service accounts work and how Active Directory works.  I'm wondering if that setting wasn't intended to be used in this way.

    Wednesday, July 17, 2019 1:24 PM
  • The purpose, as you guessed, is to restrict users to authenticate only on the specified computers. But services generally run with local administrator privileges, for example as LocalService, or with the permissions of the local computer, and are not restricted. See this thread:

    https://social.msdn.microsoft.com/forums/sqlserver/en-US/31d57870-1faa-4e14-8527-ce77b1ff40e4/local-service-local-system-or-network-service

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Wednesday, July 17, 2019 2:53 PM
  • Hello,
    Thank you for posting in our TechNet forum.

    Does this question have any update, or is this issue solved? Also, for the question, is there any other assistance we could provide?


    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, July 19, 2019 10:10 AM
    Moderator
  • Hi,
    I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.
    Thanks for your time and have a nice day!


    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 22, 2019 11:04 AM
    Moderator