Sigh... security continues to befuddle users... because why would you change the Service User Account from LocalSystem to Local Administrator? Not only is the action unsupported, but the configuration does not work, and it does not help system security... so why even do it?
I run IIS 6.0 and want to change the Windows service (World Wide Web Publishing) log on from "Local System" to a domain account. Unfortunately, I get the following error: "Error 5: Access is denied."
The domain account is in the local admin group.
Do you have an idea why? Many thanks in advance.
Unfortunately, what you are attempting to do is unsupported, and the configuration fails by design. Can you describe what you are TRYING to accomplish, not HOW you want to accomplish it?
Also, you assume that Administrators never get Access Denied... so please read the following blog entry on why that assumption is untrue.
You cannot change the service user account for any IIS service, such as the "World Wide Web Publishing" service or the "IIS Admin" service. Period. It does not matter if the replacement user account is a Local Administrator. Just because you can do something does not mean it works; we simply did not design IIS to function that way.
Besides being unsupported, changing the service user account from LocalSystem to Local Administrator does not improve security, so...
Now, if you are trying to "secure" IIS 6 by having it isolate your applications under a specific domain user, that can be easily accomplished in a supported way - just not by what you are doing.
Conceptually, IIS 6 consists of four major interacting pieces - W3SVC, IISADMIN, HTTP, and W3WP.
From a security perspective, you only need to worry about the process account of W3WP, because that is the process that executes user code, and its identity is the most an exploit of that user code can obtain (I presume that you do the secure thing of configuring authenticated users, including anonymous users, to have lower privileges). And since IIS 6 runs W3WP as the unprivileged Network Service by default, IIS 6 is already locked down out of the box.
As for the user identity used to execute user code, that really depends on the application framework of the user code. This blog entry describes how user impersonation works on IIS 6.
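The supported way to do what the question asks, as an added example (not from the original post): give the application its own application pool and run that pool's W3WP as the domain account, leaving the W3SVC service account alone. The pool name, the domain account CONTOSO\svc_webapp and site id 1 are assumptions; the metabase properties are the standard IIS 6 ADSI ones.

```powershell
# Added example: isolate one web application under its own domain identity on
# IIS 6 via a dedicated application pool, instead of changing the W3SVC logon.
# Pool name, account and site id below are assumptions, not values from the post.
$poolName = "IsolatedAppPool"
$account  = "CONTOSO\svc_webapp"               # hypothetical domain account
$password = Read-Host "Password for $account"  # plaintext needed for WAMUserPass

# 1. A worker process account only needs membership in the local IIS_WPG
#    group; it does NOT need to be a local Administrator.
net localgroup IIS_WPG "$account" /add

# 2. Create the application pool through the IIS 6 ADSI provider.
$pools = [ADSI]"IIS://localhost/W3SVC/AppPools"
$pool  = $pools.Create("IIsApplicationPool", $poolName)
$pool.SetInfo()

# 3. Run the pool as that specific user. AppPoolIdentityType values:
#    0 = LocalSystem, 1 = LocalService, 2 = NetworkService (default), 3 = specific user
$pool.Put("AppPoolIdentityType", 3)
$pool.Put("WAMUserName", $account)
$pool.Put("WAMUserPass", $password)
$pool.SetInfo()

# 4. Assign the application (root of site id 1, assumed to be the Default Web Site) to the pool.
$app = [ADSI]"IIS://localhost/W3SVC/1/Root"
$app.Put("AppPoolId", $poolName)
$app.SetInfo()

# 5. Verify the split: W3SVC still runs as LocalSystem, while the w3wp.exe for
#    this pool runs as the domain account once the application receives a request.
Get-WmiObject Win32_Service -Filter "Name='W3SVC'" | Select-Object Name, StartName
Get-WmiObject Win32_Process -Filter "Name='w3wp.exe'" |
    ForEach-Object { "{0}  PID {1}" -f $_.GetOwner().User, $_.ProcessId }
```

Anonymous and authenticated request identities are still governed by the impersonation settings described above; this example only changes the process identity of the worker process.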
So, really... one should never need to change the Service User Account for IIS 6 - not only is it unsupported and non-functional, it is also unnecessary because the isolation feature already exists in the form of application pool identities.