sagngh8 0 Newbie Poster

Hi All,

I should be able to create a default directory inside project's root directory when the application_start method(inside global.asax)is called for my asp.net web application.

As IIS users dont have full rights to webroot directory(for directory create) i get access denied error message while trying to create the directory.Also IIS users wont be given full access to the root as per client.I am planning to implement like below to meet the expectations of client.Please let me know if there is any better way out for than this approach?

Approach 1:

a.Create a new user account(windows) in the server.
b.Keep the user account name in config file.
c.Read that account from the config file and create directory with that user account using Directory Security object.

Code:

  DirectorySecurity dacl = new DirectorySecurity();
    string useraccountForDirectoryCreate = System.Net.Dns.GetHostName() + "\\" +    "testaccount";
    dacl.AddAccessRule(new FileSystemAccessRule(useraccountForDirectoryCreate,
                                                        FileSystemRights.FullControl,
                                                        InheritanceFlags.
                                                            ContainerInherit |
                                                        InheritanceFlags.ObjectInherit,
                                                        PropagationFlags.None,
                                                        AccessControlType.Allow));
    Directory.CreateDirectory(imageDirectory, dacl);

The above thing worked locally in IIS server(Haven't tested on client's IIS server)

My concern with this:I think it wont be a feasible to ask the client to create a user account to be
created in the server for just creating the single directory.Also in future he might require to give access to more user for directory create.It wont be feasible to
keep on creating the windows account.

Apporach 2:

a)Create a IIS user account having full access to web root for directory create.(is this a better way out,it is same as giving the IIS user full access to web root isn't it.?Please clarify.)Is it possible to create a user account for IIS?This step was done by client.
b)Keep the account info in web config file.
c)Read the account info from web config file and create the directory with permisson with the above piece of code.

Problem with this approach:Is i get the following error when run the above code .

"Some or all identity references could not be translated." when the following statement is invoked.

dacl.AddAccessRule(new FileSystemAccessRule(useraccountForDirectoryCreate,
                                                        FileSystemRights.FullControl,
                                                        InheritanceFlags.
                                                            ContainerInherit |
                                                        InheritanceFlags.ObjectInherit,
                                                        PropagationFlags.None,
                                                        AccessControlType.Allow));

It looks like i am not able to add the access rule for this newly created user.Why is it so?
I have googled enough for the above error message and tried to understand but i am not able to resolve the error.I am not able to understand the error message at all.Please help with the solution for this problem.Its high time to deliver.

Thanks,
S