Article ID: 926939
Article Last Modified on 7/3/2007
APPLIES TO
- Microsoft Internet Information Services 7.0
Important This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect the computer.
SYMPTOMS
Consider the following scenario. On a Web server that is running Microsoft Internet Information Services (IIS) 7.0, you host an active server page (ASP) that connects to a database. The ASP page data provider is the Microsoft.Jet.OLEDB.4.0 data provider. The ASP page data source is a Microsoft Access database (.mdb) file. In this scenario, you may receive the following error message when you request the ASP page:
CAUSE
This problem may occur if IIS 7.0 is configured to load the current user profile for an application pool identity. This may cause compatibility issues with legacy ASP-based applications and ADO-based applications because the current user may not have sufficient permissions to write to the temporary directory.
RESOLUTION
To resolve this problem, you must add the correct access control entries to the temporary directory for the process identity. To do this, follow these steps.
Note By default, the process identity is NetworkService, and the temporary directory is %windir%\ServiceProfiles\NetworkService\AppData\Local\Temp.
- Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
- When you are prompted for an administrator password or for a confirmation, type the password or click Continue.
- Type the following command, and then press ENTER:
Note This command enables every user to create files and directories in the temporary directory.
icacls %windir%\serviceprofiles\networkservice\AppData\Local\Temp /grant Users:(CI)(S,WD,AD,X)
- Type the following command, and then press ENTER:
Note The user who creates a file or a directory in the temporary directory is the CREATOR OWNER. The CREATOR OWNER access control entry grants a user complete control over the file or the directory. Other users cannot access these files and directories because they are not the CREATOR OWNER.
icacls %windir%\serviceprofiles\networkservice\AppData\Local\Temp /grant "CREATOR OWNER":(OI)(CI)(IO)(F)
WORKAROUND
To resolve this problem, use the method that is described in the "Resolution" section. However, if you do not want to add access control entries to the temporary directory for the process identity, you can work around the problem by disabling the loadUserProfile property for the application pool. When this property is disabled, IIS 7.0 does not load the current user profile for the application pool.
Important If you disable this property, a security risk may be created. Make sure that you understand and evaluate the risks before you implement this workaround.
To disable the loadUserProfile property for the application pool, modify the ApplicationHost.config file. The following example demonstrates how to do this.
<applicationPoolDefaults>
<processModel identityType="NetworkService" loadUserProfile="false" />
</applicationPoolDefaults>
REFERENCES
For more information about user permissions when you run a database query in an ASP page, click the following article number to view the article in the Microsoft Knowledge Base:
210457 ASP 0115 or Inetinfo application error occurs on ASP file running database query
For more information about temporary directory permissions when you run a database query in an ASP page, click the following article number to view the article in the Microsoft Knowledge Base:
315456 You receive a database results error message when you connect to database from an ASP page in FrontPage
Keywords: kbtshoot kbprb KB926939
