Hi, The IIS BPA advises that the ideity of the app pool serving the powershell app pool should be changed to a lower privaleged app pool. Is this a good idea? will it break BRAC if I did?? Thanks Martin

Naw for Exchange you leave it alone. http://technet.microsoft.com/en-us/library/dd535385(v=exchg.80)James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

Hi James, The link you gave goes to a 404 Regards, Martin

doh!James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

The majority of code executed as part of a Web application is executed in the context of the IIS worker process and typically runs under the identity configured for the application pool. Therefore, using a least privilege application pool identity is the primary way to constrain the privileges and rights granted to the application code. When using authentication schemes that produce Windows tokens, such as Windows Authentication or Basic Authentication, be aware that when highly privileged users access your application, it will execute with higher privileges than intended. Therefore, it is recommended that you do not allow users that have administrative privileges on the server to access your application.Noya Lau TechNet Community Support