
Domain controller GPO does not deny logon locally right to IWAM_machinename when running aspnet.wp.exe

On a domain controller, the ASPNET (v1.1) worker process (aspnet.wp.exe)
runs under the IWAM_machinename account (IIS 5). I have expressly denied this
user the logon locally right in the domain controller GPO and yet this
profile gets created under the Document and Settings folder. The
IWAM_machinename registry hive remains loaded when the process ends. I have
to manually unload it with regedt32.exe. Is this normal behavior?
Nov 18 '05 #1
4 Replies


Denying log on locally doesn't prevent a service logon, which is what's
happening in this case. If you don't want the user to logon in any scenario,
you'll need to deny service, batch, and network logon rights too.

--
--
Brian Desmond
Windows Server MVP
de******@payton.cps.k12.il.us

Http://www.briandesmond.com

Nov 18 '05 #2
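
The reply above says that denying "log on locally" leaves the service, batch and network logon types open. The following PowerShell is an added example, not part of the original thread: it parses a `secedit` user-rights export and reports which of the four deny-logon rights name a given account directly. The account name `IWAM_WEB01` and the sample INF text are constructed for illustration.

```powershell
# Deny rights for the four logon types the reply names.
$DenyRights = [ordered]@{
    SeDenyInteractiveLogonRight = 'log on locally'
    SeDenyServiceLogonRight     = 'log on as a service'
    SeDenyBatchLogonRight       = 'log on as a batch job'
    SeDenyNetworkLogonRight     = 'access this computer from the network'
}

function Get-DenyLogonCoverage {
    param(
        [string[]] $InfLines,  # lines of a secedit export
        [string]   $Account    # account name or SID string
    )
    # Read "Right = member,member" entries from the [Privilege Rights] section only.
    $assigned  = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        } elseif ($inSection -and $t -match '^(\w+)\s*=\s*(.*)$') {
            # secedit writes SIDs as "*S-1-..."; drop the '*' so SIDs and names compare alike.
            $assigned[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    # Direct assignments only: a deny right held through a group is not expanded here.
    foreach ($right in $DenyRights.Keys) {
        [pscustomobject]@{
            Right  = $right
            Blocks = $DenyRights[$right]
            Denied = ($assigned[$right] -contains $Account)
        }
    }
}

# Constructed sample shaped like: secedit /export /cfg rights.inf /areas USER_RIGHTS
# (on a real host use: Get-Content rights.inf). IWAM_WEB01 is a made-up account name.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeDenyInteractiveLogonRight = Guest,IWAM_WEB01
SeDenyNetworkLogonRight = *S-1-5-32-546
SeBatchLogonRight = IWAM_WEB01,*S-1-5-32-544
'@ -split "`r?`n"

Get-DenyLogonCoverage -InfLines $sample -Account 'IWAM_WEB01' | Format-Table -AutoSize
```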

Ok, so why does IWAM_machinename registry hive remain loaded when the
aspnet_wp.exe process ends? I have to manually unload it with regedt32.exe.
Is this normal behavior?

Thanks for the tip Brian


Nov 18 '05 #3

IWAM_MachineName is an IIS account, not an ASPNet account. IWAM should
unload when the IISAdmin service shuts down.

--
--
Brian Desmond
Windows Server MVP
de******@payton.cps.k12.il.us

Http://www.briandesmond.com



Nov 18 '05 #4

It doesn't




Nov 18 '05 #5
