Domain controller GPO does not deny logon locally right to IWAM_machinename when running aspnet.wp.e

[\Rob\]

On a domain controller, the ASPNET (v1.1) worker process (aspnet.wp.exe)
runs under the IWAM_machinename acount (IIS 5). I have expressly denied this
user the logon locally right in the domain controller GPO and yet this
profile gets created under the Document and Settings folder. The
IWAM_machinename registry hive remains loaded when the process ends. I have
to manually unload it with regedt32.exe. Is this normal behavior?

 

[Brian Desmond [MVP]]

Denying log on locally doesn't prevent a service logon, which is what's
happening in this case. If you don't want the user to logon in any scenario,
you'll need to deny service, batch, and network logon rights too.

--
--
Brian Desmond
Windows Server MVP
(e-mail address removed)12.il.us

Http://www.briandesmond.com

 

[\Rob\]

Ok, so why does IWAM_machinename registry hive remain loaded when the
aspnet_wp.exe process ends? I have to manually unload it with regedt32.exe.
Is this normal behavior?

Thanks for the tip Brian

 

[Brian Desmond [MVP]]

IWAM_MachineName is an IIS account, not an ASPNet account. IWAM should
unload when the IISAdmin service shutsdown.

--
--
Brian Desmond
Windows Server MVP
(e-mail address removed)12.il.us

Http://www.briandesmond.com

 

[\Rob\]

It doesn't

--

IWAM_MachineName is an IIS account, not an ASPNet account. IWAM should
unload when the IISAdmin service shutsdown.

--
--
Brian Desmond
Windows Server MVP
(e-mail address removed)12.il.us

Http://www.briandesmond.com