E2k7SP1 on Srv2k8 - IIS DefaultAppPool keeps stopping
I do have Entourage 2008 clients, if this fits into the picture. The server holds the Hub/Mailbox/CAS roles.
Root web site dies constantly with the following in the event log:
- System
  - Provider
    [ Name] Microsoft-Windows-IIS-W3SVC-WP
    [ Guid] {670080D9-742A-4187-8D16-41143D1290BD}
    [ EventSourceName] W3SVC-WP
  - EventID 2297
    [ Qualifiers] 49152
  Version 0
  Level 2
  Task 0
  Opcode 0
  Keywords 0x80000000000000
  - TimeCreated
    [ SystemTime] 2008-11-15T10:52:17.000Z
  EventRecordID 61838
  Correlation
  - Execution
    [ ProcessID] 0
    [ ThreadID] 0
  Channel Application
  Computer mail.domain.com
  Security
- EventData
  ApplicationPool DefaultAppPool
  ConfigException Cannot read configuration file due to insufficient permissions
  FileName \\?\C:\inetpub\temp\apppools\DefaultAppPool.config
  LineNumber 0
  05000000
DefaultAppPool runs with the Network Service identity, and I have manually given the Network Service NTFS read permission for the DefaultAppPool.config file. When the pool is stopped, I find that the read permission is gone. Granting permission lasts a day sometimes, but eventually the pool stops again. I have gone so far as to grant the same permission to the apppools folder and set objects within to inherit permissions. It still loses the Network Service permission on the DefaultAppPool.config file.
This is driving me nuts. What could be stripping the permissions?
November 17th, 2008 2:54am
Hi,
The Network Service account is a built-in account that has fewer access rights on the system. If you want to modify and view NTFS permissions for files or folders, please try using Icacls.exe to grant and view the permissions.
Besides, you can try to specify an identity for the application pool that has more permissions.
Note: By default, the DefaultAppPool application pool runs under the Network Service account. This account is local to the computer, and this account does not exist on another computer. Therefore, make sure that you configure the DefaultAppPool application pool to use an account that is a domain user. Then, you can use the same account on the UNC file server. Alternatively, you can create a workgroup account on the UNC file server and on the computer that is running IIS 7.0.
About Icacls, you can refer to the article below:
Icacls
http://technet.microsoft.com/en-us/library/cc753525.aspx
Hope it helps.
Xiu
November 20th, 2008 9:52am
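An added example, not part of either post: a PowerShell check that reports whether NETWORK SERVICE still holds an NTFS Read entry on the file named in event 2297, and whether that entry is explicit or inherited from the apppools folder. The path comes from the event above; the variable names and messages are illustrative.

```powershell
# Added example: reports on the ACL only; it changes nothing.
# Path taken from the FileName field of event 2297 in the question.
$path = 'C:\inetpub\temp\apppools\DefaultAppPool.config'

if (-not (Test-Path $path)) {
    "File not found: $path"
    return
}

# NETWORK SERVICE has the well-known SID S-1-5-20. Matching on the SID
# avoids depending on the (localizable) account name.
$nsSid = 'S-1-5-20'
$read  = [int][System.Security.AccessControl.FileSystemRights]::Read

$acl = Get-Acl -Path $path
"Owner:                 $($acl.Owner)"
"Inheritance disabled:  $($acl.AreAccessRulesProtected)"

# Explicit and inherited ACEs, with identities returned as SIDs.
$rules = @($acl.GetAccessRules($true, $true,
            [System.Security.Principal.SecurityIdentifier]) |
         Where-Object { $_.IdentityReference.Value -eq $nsSid })

foreach ($r in $rules) {
    '{0,-5} {1} (inherited: {2})' -f $r.AccessControlType, $r.FileSystemRights, $r.IsInherited
}

# Allow must cover every Read bit; Deny blocks if it covers any of them.
$allow = @($rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band $read) -eq $read) })
$deny = @($rules | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    (([int]$_.FileSystemRights -band $read) -ne 0) })

if ($deny.Count -gt 0) {
    'NETWORK SERVICE has a Deny entry covering Read.'
} elseif ($allow.Count -gt 0) {
    'NETWORK SERVICE has an Allow entry for Read.'
} else {
    # Only direct entries are checked; access via a group ACE is not evaluated.
    'No direct Read entry for NETWORK SERVICE. To re-grant with Icacls:'
    'icacls "{0}" /grant "NETWORK SERVICE":R' -f $path
}
```

Running it once while the pool is healthy and again after the pool stops shows whether the entry was removed outright, replaced, or lost together with inheritance from the parent folder.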