Trying to add IIS_IUSRS to the Administrators group

Time: 2011-12-09 14:53:15

Tags: c# asp.net active-directory iis-7.5

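When I bring up the AD groups via Computer -> Manage -> Local Users and Groups, I can see IIS_IUSRS in the list, so I click Properties on the Administrators group, then click Add..., select my local computer as the location, make sure the object types include "Built-in security principals", and type IIS_IUSRS into the object name text box. It tells me the IIS_IUSRS object cannot be found.

What am I doing wrong here (besides giving IIS_IUSRS administrator rights)?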

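1 answer:

Answer 0: (score: 0)

I'm not sure the "built-in" account IIS_IUSRS can be used like a regular group account that you can add to Administrators. For more information about that account, see: http://learn.iis.net/page.aspx/140/understanding-built-in-user-and-group-accounts-in-iis/

My guess is that you are running into a permissions problem writing files while running the website in autonomous mode. Here are some possible suggestions, from best to worst (IMO):


1: Use impersonation in code to perform the "elevated" task for that functionality. Here is a code sample (it uses the impersonation class/code below: Impersonation.vb). Example: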

Using Impersonate As New Impersonation.Impersonate
    Using Usr As System.Security.Principal.WindowsImpersonationContext _
        = Impersonate.ImpersonateUser("<domain username>", "<domain password>", "<domain>")
        'do elevated security level task...

        'System.IO.File.Copy(...)

        Impersonate.UndoImpersonate(Usr)
    End Using
End Using


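2: Create a virtual directory to perform the "elevated" task on a specific directory. For example, in IIS you can set it to not be autonomous and to have elevated permissions to write files.


3: Impersonate in web.config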

<identity impersonate="true" userName="accountname" password="password" />


--- Impersonation.vb ----

Imports System
Imports System.Runtime.InteropServices
Imports System.Security.Principal

Namespace Impersonation

Public Class Impersonate
    Implements IDisposable

    Private Declare Auto Function LogonUser Lib "advapi32.dll" ( _
    ByVal lpszUsername As String, _
    ByVal lpszDomain As String, _
    ByVal lpszPassword As String, _
    ByVal dwLogonType As Integer, _
    ByVal dwLogonProvider As Integer, _
    ByRef phToken As IntPtr) As Boolean

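    Declare Function GetLastError Lib "kernel32" () As Integer

    ' Used to release the token handle returned by LogonUser.
    Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As IntPtr) As Boolean

    Public Function ImpersonateUser(ByVal Username As String, ByVal Password As String, ByVal Domain As String) As WindowsImpersonationContext

        Dim tokenHandle As IntPtr = IntPtr.Zero
        Dim mWIC As WindowsImpersonationContext = Nothing

        ' 8 = LOGON32_LOGON_NETWORK_CLEARTEXT, 0 = LOGON32_PROVIDER_DEFAULT
        Dim loggedOn As Boolean = LogonUser(Username, Domain, Password, 8, 0, tokenHandle)

        If loggedOn Then
            Try
                Dim mWI As New WindowsIdentity(tokenHandle)
                mWIC = mWI.Impersonate()    'start the impersonation
            Finally
                ' WindowsIdentity duplicates the token, so the original handle can be closed here.
                CloseHandle(tokenHandle)
            End Try
        End If

        ' Nothing is returned when the logon fails.
        Return mWIC

    End Function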

    Public Function UndoImpersonate(ByVal mWIC As WindowsImpersonationContext) As Boolean
        If mWIC IsNot Nothing Then
            mWIC.Undo()
            Return True
        End If
        Return False
    End Function

    Private disposedValue As Boolean = False        ' To detect redundant calls

    ' IDisposable
    Protected Overridable Sub Dispose(ByVal disposing As Boolean)
        If Not Me.disposedValue Then
            If disposing Then
                ' TODO: free managed resources when explicitly called
            End If

            ' TODO: free shared unmanaged resources
        End If
        Me.disposedValue = True
    End Sub

    ' This code added by Visual Basic to correctly implement the disposable pattern.
    Public Sub Dispose() Implements IDisposable.Dispose
        ' Do not change this code.  Put cleanup code in Dispose(ByVal disposing As Boolean) above.
        Dispose(True)
        GC.SuppressFinalize(Me)
    End Sub

End Class

End Namespace