PowerShell Exchange AppPool
Hi,
The IIS BPA advises that the identity of the app pool serving the PowerShell app pool should be changed to a lower privileged app pool.
Is this a good idea? Will it break RBAC if I did?
Thanks
Martin
July 26th, 2012 2:10pm
Naw for Exchange you leave it alone.
http://technet.microsoft.com/en-us/library/dd535385(v=exchg.80)
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
July 26th, 2012 2:36pm
Hi James,
The link you gave goes to a 404
Regards,
Martin
July 26th, 2012 2:38pm
Looks like it's messing up the link when pasting, just google "an application pool is running under an incorrect identity".
The Microsoft Exchange Best Practices Analyzer parses the roles that are running on an Exchange Server 2007-based computer together with the Internet Information Services (IIS) application pools that are used on the server.
The Best Practices Analyzer uses the results of the examination to determine whether the application pools under which each Exchange-related Web application runs are configured to run under the local System account.
If an application pool is not configured to run under the local System account, the Best Practices Analyzer generates the following error message:
Application pool '<ApplicationPoolName>' on server '<ServerName>' is configured to run under the wrong identity. '<ApplicationPoolName>' should run under the 'Local System' identity.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
July 26th, 2012 4:31pm
On Thu, 26 Jul 2012 20:31:52 +0000, Jamestechman wrote:
>Looks like it's messing up the link when pasting, just google "an application pool is running under an incorrect identity".
Your link is missing the ".aspx" suffix. :-)
http://technet.microsoft.com/en-us/library/dd535385(v=EXCHG.80).aspx
---
Rich Matheisen
MCSE+I, Exchange MVP
July 26th, 2012 6:07pm
doh!
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
July 26th, 2012 7:54pm
The majority of code executed as part of a Web application is executed in the context of the IIS worker process and typically runs under the identity configured for the application pool. Therefore, using a least privilege application pool identity is the primary way to constrain the privileges and rights granted to the application code.
When using authentication schemes that produce Windows tokens, such as Windows Authentication or Basic Authentication, be aware that when highly privileged users access your application, it will execute with higher privileges than intended. Therefore, it is recommended that you do not allow users that have administrative privileges on the server to access your application.
Noya Lau
TechNet Community Support
July 30th, 2012 5:03am
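Added example, not part of the thread or of Microsoft's tooling: a read-only PowerShell audit that applies the Exchange Best Practices Analyzer rule quoted earlier in the thread (Exchange-related pools should run as Local System) and reports any pool whose identity has been changed, for instance after following the generic IIS advice. The function name, the `MSExchange*` name pattern used to pick out Exchange pools, the server name and the sample pool objects are assumptions constructed for illustration.

```powershell
# Added example: reports app pool identities, never modifies them.
function Test-ExchangeAppPoolIdentity {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Pool,  # objects with Name and IdentityType
        [string] $ServerName      = $env:COMPUTERNAME,
        [string] $ExchangePattern = 'MSExchange*',        # assumed naming pattern for Exchange pools
        [string] $Expected        = 'LocalSystem'         # identity the Exchange BPA rule expects
    )
    foreach ($p in $Pool) {
        # Non-Exchange pools are out of scope for this rule; least privilege applies to them as usual.
        if ($p.Name -notlike $ExchangePattern) { continue }

        $compliant = ($p.IdentityType -eq $Expected)
        $message   = ''
        if (-not $compliant) {
            # Message text follows the BPA error format quoted in the thread.
            $message = "Application pool '$($p.Name)' on server '$ServerName' is configured " +
                       "to run under the wrong identity. '$($p.Name)' should run under the " +
                       "'Local System' identity."
        }
        New-Object PSObject -Property @{
            AppPool   = $p.Name
            Identity  = $p.IdentityType
            Compliant = $compliant
            Message   = $message
        }
    }
}

# Constructed sample input so the check can be tried without IIS installed.
$samplePools = @(
    (New-Object PSObject -Property @{ Name = 'MSExchangePowerShellAppPool'; IdentityType = 'LocalSystem' }),
    (New-Object PSObject -Property @{ Name = 'MSExchangeOWAAppPool';        IdentityType = 'NetworkService' }),
    (New-Object PSObject -Property @{ Name = 'DefaultAppPool';              IdentityType = 'ApplicationPoolIdentity' })
)

Test-ExchangeAppPoolIdentity -Pool $samplePools -ServerName 'EXCH01' |
    Select-Object AppPool, Identity, Compliant, Message | Format-List

# On a server with IIS 7 or later, feed it live data from the WebAdministration module instead:
# Import-Module WebAdministration
# $live = Get-ChildItem IIS:\AppPools | ForEach-Object {
#     New-Object PSObject -Property @{ Name = $_.Name; IdentityType = $_.processModel.identityType }
# }
# Test-ExchangeAppPoolIdentity -Pool $live
```

With the sample data, only the pool set to `NetworkService` is reported as non-compliant; `DefaultAppPool` is skipped because it does not match the assumed Exchange name pattern.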