How to give Folder Permission for IIS User in C#?

Question

I need to give Folder Permission for IIS User.
Actually I wrote code like this..

public static void AddDirectorySecurity(string FileName, string Account, FileSystemRights Rights,AccessControlType ControlType)
{
    DirectoryInfo dInfo = new DirectoryInfo(FileName);
    DirectorySecurity dSecurity = dInfo.GetAccessControl();
    dSecurity.AddAccessRule(
        new System.Security.AccessControl.FileSystemAccessRule(objUser, Rights, ControlType));
    dInfo.SetAccessControl(dSecurity);
}

I calling this above method like this...

void givepermission()
{
    DirectoryInfo a = new DirectoryInfo(Server.MapPath("~/resources"));
    AddDirectorySecurity(Server.MapPath("~/"), "IUSR", FileSystemRights.FullControl,AccessControlType.Allow);
}

But Locally its working. When going server not working.

Instead of IUSR I tried following Account Names but that also not working ..

IIS_IUSRS
IIS_WPG
Network Service
Everyone
etc..

Instead IIS_IUSRS. I Tried like this also...

System.Environment.MachineName + "\\IIS_IUSRS"

IIS_IUSRS_System.Environment.MachineName

System.Environment.UserDomainName + "\\IIS_IUSRS"

etc..

but this also not working, but it's throwing "Some or all identity references could not be translated"

Note:I Don't want to set the Permission Manually

Please can some one help me with this..?

Answer 1

public static void FolderPermission(String accountName, String folderPath)
    {
        try
        {

            FileSystemRights Rights;

            //What rights are we setting? Here accountName is == "IIS_IUSRS"

            Rights = FileSystemRights.FullControl;
            bool modified;
            var none = new InheritanceFlags();
            none = InheritanceFlags.None;

            //set on dir itself
            var accessRule = new FileSystemAccessRule(accountName, Rights, none, PropagationFlags.NoPropagateInherit, AccessControlType.Allow);
            var dInfo = new DirectoryInfo(folderPath);
            var dSecurity = dInfo.GetAccessControl();
            dSecurity.ModifyAccessRule(AccessControlModification.Set, accessRule, out modified);

            //Always allow objects to inherit on a directory 
            var iFlags = new InheritanceFlags();
            iFlags = InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;

            //Add Access rule for the inheritance
            var accessRule2 = new FileSystemAccessRule(accountName, Rights, iFlags, PropagationFlags.InheritOnly, AccessControlType.Allow);
            dSecurity.ModifyAccessRule(AccessControlModification.Add, accessRule2, out modified);

            dInfo.SetAccessControl(dSecurity);
        }
        catch (Exception ex)
        {
            MessageBox.Show("Error");
        }
    }

Answer 2

Based on the Application Pool Identities article:

IIS introduces a new security feature in Service Pack 2 (SP2) of Windows Server 2008 and Windows Vista. It's called Application Pool Identities. Application Pool Identities allow you to run Application Pools under a unique account without having to create and manage domain or local accounts. The name of the Application Pool account corresponds to the name of the Application Pool.

Here's a good explanation of what happens:

In Windows 7, IIS application pool isolation was taken yet to a different level. The new change introduced in IIS7 (Windows Server 2008) was a new option to run your application pool as AppPoolIdentiy. However, the default for an application pool identity in IIS7 remained the same – NetworkService. In IIS7.5, AppPoolIdentiy becomes a default. Thus, scripts previously expecting permissions for their application pool identity to be set to “NT Service\NetworkService” will now have to set permissions (ACLs) for “IIS AppPool\” – the user account created for each new application pool.

Thus, to set permissions for the DefaultAppPool, the scripts will need to set ACLs for “IIS AppPool\DefaultAppPool”.