Non-domain IIS using domain user for AppPool identity

iis-7

Is there any way to get IIS7 on a non-domain computer (a Windows 7 development VM in this instance) to use a domain account for an AppPool identity? I can input the credentials (domain/username, etc.) but then the AppPool throws an error about the account not having "batch logon rights".

I cannot find anything via Google to help me figure this one out, so I am thinking it might not be possible.

Best Answer

This appears to me to be a near impossibility. "Joining a domain" creates a trust-based relationship between the computer (object) and the domain (services).

For instance, the easiest way to adjust rights of a user is to utilize the Local Security Policy (security settings/local policies mmc snapin).

But you can use ntrights.exe. I have a single domain here, but testing a similar situation is easy:

I'm on COMPUTERA. I created an account dummyuser on COMPUTERB (aka the user is computerb\dummyuser)

When I run:

NTRIGHTS +r SeBatchLogonRight -u computerb\dummyuser

I receive an error:

Granting SeBatchLogonRight to computerb\dummyuser ... failed (GetAccountSid(computerb\dummyuser)=1332

C:\>net helpmsg 1332 returns: No mapping between account names and security IDs was done.

This is pretty simple. Even running as a user who is a domain admin (hence, this user is inherently part of the local Administrators group on computerb), the credential for which I am performing the operation will not pass.

A good way to test this is simple... on your VM run:

runas /user:domain\administrativeuser cmd.exe

I would expect this to fail with 1326: Logon failure: unknown user name or bad password, since the local machine doesn't know what domain is, and so it definitely isn't trustworthy.

What this all really means is, regardless of whether you get the entry in there or not, the local computer does not and will not know who the user is when it attempts any operation, unless it can authenticate that user against a database of which it is part (your domain's AD).

I'd like to see if anyone else has a solution though.
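As an added example (not from the answer above), a PowerShell preflight check that reproduces the two points the answer makes: whether the local machine can map the account name to a SID at all (the GetAccountSid lookup that fails with error 1332), and, if it can, whether that SID already holds SeBatchLogonRight in the local security policy. It assumes an elevated session on the IIS host; the account name is a placeholder.

```powershell
# Added example, not part of the original answer. Run elevated on the IIS host.
function Test-AppPoolIdentityAccount {
    param(
        [Parameter(Mandatory)][string]$Account   # e.g. 'DOMAIN\svc-web' or '.\localuser'
    )
    $result = [ordered]@{ Account = $Account; Sid = $null; Resolves = $false; HasBatchLogonRight = $false }

    # Step 1: can this machine translate the name to a SID? This is the same
    # lookup ntrights performs. On a non-domain box a domain account fails here
    # with "No mapping between account names and security IDs was done" (1332).
    try {
        $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
            [System.Security.Principal.SecurityIdentifier])
        $result.Sid = $sid.Value
        $result.Resolves = $true
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        return [pscustomobject]$result   # no SID, so no right can be assigned or checked
    }

    # Step 2: is the SID listed under SeBatchLogonRight ("Log on as a batch job")?
    # secedit exports the user-rights area of the local policy as an INI-style file.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeBatchLogonRight\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if ($line) {
        # Entries are comma-separated; SIDs carry a leading '*', names do not.
        $entries = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
        $result.HasBatchLogonRight = ($entries -contains $sid.Value) -or ($entries -contains $Account)
    }
    [pscustomobject]$result
}

# Usage: check before pointing an application pool at the account.
Test-AppPoolIdentityAccount -Account 'DOMAIN\svc-web'   # placeholder account name
```

If Resolves is false the machine cannot see the account, which is the situation the answer describes; if it resolves but HasBatchLogonRight is false, granting the right locally (for example with ntrights as shown) is what remains.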