After installing Windows Server 2003, with or without IIS (Internet Information Service), there are quite a few user accounts & groups created by default. But what are they used for? Say I want to give a certain folder some extra rights, what user/group accounts do I need to add?
Let’s go over them, one by one, and briefly explain what each user account is used for, and what its purpose is by default. I’ll restrict the list to Windows Server 2003 and IIS 6.0 users. I just might make one for Windows Server 2008 some day too, but that’s beyond the scope of this article.
IIS_WPG
The IIS_WPG (Or IIS Worker Process Group) provides a minimum set of priviliges and permissions required to run a worker process on a webserver. By default, this group contains the following accounts: Network Service, Local Service, LocalSystem, and IWAM__COMPUTERNAME_ . If you want to change a IIS worker process to a new user account (one that you create yourself), make sure that accounts belongs to the IIS_WPG group. Doing so will give it the right permissions from the start to work properly.
**NETWORKSERVICE
** This account has fewer privileges than the LocalService account (in which nearly all programs were started in Windows Server 2000), and is used for starting most applications on Windows Server 2003. It provides a more secure layer, as it doesn’t allow full access to your server.
**LOCALSYSTEM
** This user account is used to run some services that require full privileges, such as the Automatic Update Service. DHCP client, … This account is also used by the Service Control Manager and can be compared to an Administrator account.
LOCALSERVICE