Update: The original question was for Windows Server 2008, but the solution is easier for Windows Server 2008 R2 and Windows Server 2012 (and Windows 7 and 8). You can add the user through the NTFS UI by typing it in directly. The name is in the format of IIS APPPOOL\{app pool name}. For example: IIS APPPOOL\DefaultAppPool.
IIS APPPOOL\{app pool name}
Note: Per comments below, there are two things to be aware of:
- Enter the string directly into the "Select User or Group" and not in the search field.
- In a domain environment you need to set the Location to your local computer first.
Reference to Microsoft Docs article: Application Pool Identities > Securing Resources
Original response: (for Windows Server 2008) This is a great feature, but as you mentioned it's not fully implemented yet. You can add the app pool identity from the command prompt with something like icacls, then you can manage it from the GUI. For example, run something like this from the command prompt:
icacls c:\inetpub\wwwroot /grant "IIS APPPOOL\DefaultAppPool":(OI)(CI)(RX)
Then, in Windows Explorer, go to the wwwroot folder and edit the security permissions. You will see what looks like a group (the group icon) called DefaultAppPool. You can now edit the permissions.
However, you don't need to use this at all. It's a bonus that you can use if you want. You can use the old way of creating a custom user per app pool and assigning the custom user to disk. That has full UI support.
This SID injection method is nice because it allows you to use a single user but fully isolate each site from each other without having to create unique users for each app pool. Pretty impressive, and it will be even better with UI support.
Note: If you are unable to find the application pool user, check to see if the Windows service called Application Host Helper Service is running. It's the service that maps application pool users to Windows accounts.
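An added PowerShell example (not part of the original answer): the same grant as the icacls line above, followed by a check of who else can read the folder, since the isolation described here only holds if other pools and broad groups are not also on the ACL. The path, the pool name and the `$broad` group list are assumptions; run it from an elevated prompt.

```powershell
# Added example, not from the original answer.
# $SitePath and $PoolName are assumed values; substitute your own.
$SitePath = 'C:\inetpub\wwwroot'
$PoolName = 'DefaultAppPool'

# Per the note above: the app pool user cannot be found unless the
# Application Host Helper Service (service name AppHostSvc) is running.
$svc = Get-Service -Name 'AppHostSvc'
if ($svc.Status -ne 'Running') {
    throw "AppHostSvc is $($svc.Status); 'IIS APPPOOL\$PoolName' may not resolve."
}

# Resolve the virtual account to its SID. Translate() throws
# IdentityNotMappedException if the name cannot be mapped.
$account = New-Object System.Security.Principal.NTAccount("IIS APPPOOL\$PoolName")
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier])

# Equivalent of (OI)(CI)(RX): read and execute, inherited by files and subfolders.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $SitePath
$acl.AddAccessRule($rule)
Set-Acl -Path $SitePath -AclObject $acl

# Isolation check: report allow entries for any OTHER app pool identity, or for
# a broad group (assumed list) that would let another site's worker process in.
$broad = 'BUILTIN\Users', 'BUILTIN\IIS_IUSRS', 'Everyone', 'NT AUTHORITY\Authenticated Users'
$findings = (Get-Acl -Path $SitePath).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (
        ($_.IdentityReference.Value -like 'IIS APPPOOL\*' -and
         $_.IdentityReference.Value -ne "IIS APPPOOL\$PoolName") -or
        ($broad -contains $_.IdentityReference.Value)
    )
}

if ($findings) {
    Write-Warning "Other principals can read $SitePath; per-site isolation is incomplete:"
    $findings | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
} else {
    Write-Output "Only IIS APPPOOL\$PoolName (SID $sid) among checked principals has access."
}
```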
No, not possible. As in: the remote site does not forward DHCP requests to the local site. This is because those are broadcast addresses which are NOT transmitted outside the Ethernet segment - i.e. they do not cross over the router.
Yes, it is possible. You need to set up a DHCP relay system on the other side (can be part of the router) to forward DHCP requests to the Windows server. Then you set up a normal segment in the DHCP server.
That said, the idea may be terrible. Problem is - whenever the link is down, and a computer gets online during this time, it gets no IP address and pretty much the user needs to restart (unless you want to talk users through command line "ipconfig /renew"). DHCP has no concept (unlike IPv6 in general) for assigning addresses to computers post network activation. Technically you would be better off to get a small server and put it at the remote site. This can be a small ATOM based thing. This can serve as:
* Local DHCP Server
* Local Domain controller (same problem - link down, things get bad).
* Local DNS server.
* Possibly local file store, at least for a special admin share so you have fast access to your tools.
If you don't trust the remote site, using 2008 R2 you can make the controller a RODC (Read Only Domain Controller). It still will stabilize operations.
I would consider it bad practice to supply DHCP from your central site.
Best Answer
Here is the same question answered for other DHCP server platforms:
DHCP on-the-fly block assignment
As far as Windows Server 2008, it looks like you will need to do some programming to get the behavior you want. You might want to check out the Microsoft Windows DHCP Team Blog here:
http://blogs.technet.com/b/teamdhcp/
These blog entries seem to cover parts of what you want to do:
Option based IP Address assignment Callout Dll
DHCP Server Callout API usage