Adding Windows Computer Accounts from Active Directory to NTFS ACLs to Control Permissions

When writing web applications, you often must grant permissions to an application to do something on other machines in a Windows domain or forest. IIS 6, 7 and 7.5 all allow you to configure IIS application pools to run under specific, rather secure identities like NETWORK SERVICE and the Application Pool Identity.

When accessing resources over the network with these identities, remember one simple rule: when granting access to a resource, you must search for computer accounts in Active Directory. We commonly add a computer account to an NTFS ACL to allow a web application to create directories on a remote machine. Computer accounts take the form <DomainName>\<ComputerName>$ when accessing resources over the network, so make sure you include the dollar sign ($) at the end of the computer name.

Tip

When locating the security principal (account) to add to the ACL, make sure you search computers in addition to the standard users, groups and built-in security principals. If you don’t do this, you will pull your hair out trying to figure out why Active Directory can’t resolve your computer account name and let you assign permissions.

The following screenshots illustrate the bad and the good on Windows Server 2008 R2 for adding a security principal to an NTFS ACL.

The BAD

This will drive you nuts because AD can’t resolve the computer account name. Why? Because you’re not searching computers…only users, groups and built-in security principals.

[Screenshot: Computer Name Resolution Failed. Cannot resolve the computer name because AD is not searching computer objects.]

The GOOD

Mucho better when we add computers to the object types to search!

[Screenshot: Computer Name Lookup. Change the Object Types to include computers.]

Now you’re in business!

[Screenshot: Computer Name Resolution Success. The computer account resolves now.]
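The same change can be scripted instead of clicked through in the Object Types dialog, which is handy when many web servers need the same grant. The following PowerShell is an added example, not code from the original post; it assumes a domain named CONTOSO, an IIS server whose computer account is WEB01, and a target folder D:\AppData on the file server where it runs (all placeholders). It resolves the computer account to a SID first, so a missing trailing $ or a typo fails loudly before the ACL is touched, and it grants Modify rather than Full Control, which is all a web application needs to create directories and files.

```powershell
# Added example (not from the original post). All names below are assumptions.
$domain       = 'CONTOSO'     # assumption: NetBIOS name of your AD domain
$computerName = 'WEB01'       # assumption: computer name of the IIS server
$folder       = 'D:\AppData'  # assumption: folder on the file server to share out

# Build DOMAIN\COMPUTER$ - the trailing $ is what makes this a computer account.
$accountName = '{0}\{1}$' -f $domain, $computerName
$account = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $accountName

# Step 1: confirm Active Directory resolves the account before editing the ACL.
# This is the scripted equivalent of the "Object Types ... Computers" check in the dialog.
try {
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    Write-Host "Resolved $accountName to $sid"
}
catch [System.Security.Principal.IdentityNotMappedException] {
    throw "Could not resolve '$accountName'. Check the domain name, computer name and trailing `$."
}

# Step 2: build an Allow rule for Modify on this folder, subfolders and files.
$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor `
           [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $account,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)

# Step 3: add the rule to the existing DACL and write it back.
$acl = Get-Acl -Path $folder
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Step 4: verify the new entry appears as CONTOSO\WEB01$ with Modify rights.
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference.Value -eq $accountName } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType
```

Run this in an elevated PowerShell session on the file server as an account that can modify the folder's ACL. The Translate call is the important check: if it throws IdentityNotMappedException, the GUI dialog would have failed the same way, and the usual cause is the missing dollar sign or searching the wrong domain. For a one-liner without the pre-check, icacls accepts the same principal syntax, for example icacls D:\AppData /grant "CONTOSO\WEB01$:(OI)(CI)M".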