I will use the Windows domain account (supported in Active Directory) as the application pool identifier on my web server. Therefore, I want the account to be a member of the IIS_WPG or IIS_IUSRS group . My question is where to do this? in Active Directory or on the web server itself? Should I modify Active Directory so that the user is part of IIS_WPG / IIS_IUSRS, should be more than enough? or should I edit the local users / group (on the web server) to make sure that I add the domain user to the IIS_WPG or IIS_IUSRS group?
I'm not sure about adding fixes through Active Directory.
We used this method for IIS 6:
Add a user to the IIS_WPG group: Go to the "Computer Management" section on the field where the site is located, "Local Users and Groups"> "Groups", right-click "IIS_WPG"> "Add to Group", then add the Windows account , Apply, OK.
Then allow the account to run as a service: Administration Tools> Local Security Policy> Local Policies> Assigning User Rights> Log on as a property of properties, add the user, Apply, OK
Set application pool identifier: IIS> Application pool properties> "Identification" tab, setting as a user to be configured and entered, "Apply", "OK".
Then reload the field.
Good Resource: Steps for Configuring a Custom IIS 6 Application Pool Identifier
In the identifier tag and use the Windows domain name and the Windows username in the web.config file
On the IIS server, set the pool identifier as ApplicationPool.
Disable anonymous authentication for the web application. Enable Windows Impersonation and Authentication. for web application in IIS box
In Windows Server 2012 (in my case) you need
Right-click on your application pool, in the "Process Model" section, enter the identifier (first) and select the second switch, which is the user account, and enter your account and password for wishes.