Update: The original question was for Windows Server 2008, but the solution is easier for Windows Server 2008 R2 and Windows Server 2012 (and Windows 7 and 8). You can add the user through the NTFS UI by typing it in directly. The name is in the format of IIS APPPOOL\{app pool name}. For example: IIS APPPOOL\DefaultAppPool.
Note: Per comments below, there are two things to be aware of:
- Enter the string directly into the "Select User or Group" and not in the search field.
- In a domain environment you need to set the Location to your local computer first.
Reference to Microsoft Docs article: Application Pool Identities > Securing Resources
Original response: (for Windows Server 2008) This is a great feature, but as you mentioned it's not fully implemented yet. You can add the app pool identity from the command prompt with something like icacls, then you can manage it from the GUI. For example, run something like this from the command prompt:
icacls c:\inetpub\wwwroot /grant "IIS APPPOOL\DefaultAppPool":(OI)(CI)(RX)
Then, in Windows Explorer, go to the wwwroot folder and edit the security permissions. You will see what looks like a group (the group icon) called DefaultAppPool. You can now edit the permissions.
However, you don't need to use this at all. It's a bonus that you can use if you want. You can use the old way of creating a custom user per app pool and assigning the custom user to disk. That has full UI support.
This SID injection method is nice because it allows you to use a single user but fully isolate each site from each other without having to create unique users for each app pool. Pretty impressive, and it will be even better with UI support.
Note: If you are unable to find the application pool user, check to see if the Windows service called Application Host Helper Service is running. It's the service that maps application pool users to Windows accounts.
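The same grant done from PowerShell, as an added example that is not part of the original answer: it checks the Application Host Helper Service first, adds a ReadAndExecute ACE equivalent to the icacls (OI)(CI)(RX) grant, then lists the resulting ACEs for the pool identity. The pool name, path and the write-access warning are assumptions.

```powershell
# Added example (not from the original answer). Run elevated on the IIS host.
# Assumptions: $AppPoolName and $Path are placeholders for your own values.
param(
    [string]$AppPoolName = 'DefaultAppPool',
    [string]$Path        = 'C:\inetpub\wwwroot'
)

$identity = "IIS APPPOOL\$AppPoolName"

# The Application Host Helper Service (AppHostSvc) resolves "IIS APPPOOL\<name>"
# to a Windows account; if it is stopped the identity cannot be found.
$svc = Get-Service -Name 'AppHostSvc' -ErrorAction Stop
if ($svc.Status -ne 'Running') {
    throw "Application Host Helper Service is $($svc.Status); start it before granting permissions."
}

# Equivalent of: icacls $Path /grant "IIS APPPOOL\<name>":(OI)(CI)(RX)
# ReadAndExecute only (least privilege), inherited by subfolders and files.
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $identity,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)

$acl = Get-Acl -Path $Path
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Verify: show every ACE that now applies to the pool identity and flag any
# that grants write access (Modify/FullControl), which a site folder rarely needs.
$aces = (Get-Acl -Path $Path).Access |
    Where-Object { $_.IdentityReference.Value -eq $identity }
foreach ($ace in $aces) {
    $write = [System.Security.AccessControl.FileSystemRights]::Write
    $tooBroad = ($ace.FileSystemRights -band $write) -ne 0
    $flag = if ($tooBroad) { 'WARNING: write access granted' } else { 'ok' }
    '{0,-32} {1,-40} {2}' -f $ace.IdentityReference, $ace.FileSystemRights, $flag
}
```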
Group Policies and groups are two completely different things.
And yes, I know the names are misleading.
A Group Policy Object is a set of policies linked to one or more Organizational Units in Active Directory; they will affect all computers and/or users in that container and below (there are exceptions, but this is the core concept).
A group is, just like the name implies, a collection of users, computers or other groups; it can be located anywhere in AD, and its members also can be located anywhere. It's mainly used for security, because assigning permissions to a group is a lot easier than doing the same for each individual user (but it can also act as a mail distribution list where Exchange is in use).
To manage Group Policies, you use the Group Policy Management Console.
To manage groups (or users, or computers, or Active Directory in general) you use Active Directory Users and Computers.
If you need to check who is a member of a given group, ADUC is the right tool to use; GPMC will not tell you anything about that, because it's not its job.
ADUC is always present on Domain Controllers, and can be installed on Windows Server systems as a feature (part of AD DS Tools).
If you want to use it on a client system, you'll need to install Remote Server Administration Tools.
Addendum: the net group command applies to groups, which as I said above are different from GPOs. It doesn't make any sense to run net group my_gpo.
Best Answer
In the Security Filtering section of the GPO (on the Scope tab) remove Authenticated Users and add the user or group in question. This will make the GPO apply to only that user or group.
Take note that the GPO has to be in the Scope of Management (SOM) of the user, meaning it has to be linked to the OU or container (domain or site) where the user object exists.