NunoSilva-1393 asked

Is it possible to set permissions to SMTP Metabase from command line? How?

I have a webapp that runs on IIS. This webapp uses a local SMTP server to send emails, and is running as ApplicationPool Identity. Natively, this account doesn't have access to the SMTP metabase, and I can't send emails, as some actions read information from there.
What I have to do is install the IIS Resource Kit Tools and use Metabase Explorer to set the permissions over LM/SmtpSvc and LM/SmtpSvc/1.

I am automating server deploys, and I have everything automated except this part. I need to automate adding IIS_IUSRS to these 2 locations as read, but haven't found a way. Maybe some WMI script?

Does anyone know how to achieve this?

Thanks
Nuno

windows-server-iis

BruceZhang-MSFT answered

Hi @NunoSilva-1393 ,

The ApplicationPoolIdentity accounts are hidden accounts that have dynamically assigned SIDs (created and assigned when the ApplicationPool is started). But the accounts live as (hidden) users under the IIS_IUSRS group on the local machine (this makes giving them permissions to the AppPools pretty easy, since you can use the normal GUI interface for perms or use scripts while specifying the local user group).

Use a Metabase Permissions modifier (Metabase Explorer works, so does METAACL.VBS from 2003): open LM\SMTPSVC and SMTPSVC\1 and add IIS_IUSRS with read permissions to those branches of the metabase.

 cscript metaacl.vbs IIS://LOCALHOST/SMTPSVC %computername%\IIS_IUSRS R
 cscript metaacl.vbs IIS://LOCALHOST/SMTPSVC/1 %computername%\IIS_IUSRS R




Best regards,
Bruce Zhang
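
A deploy-time wrapper around the two metaacl.vbs commands in the answer above, added here as an example (not code from either poster or from Microsoft). It assumes a hypothetical script location, that metaacl.vbs called with only a path lists the current ACL, and that the listing names the trustee:

```powershell
# Added example: idempotent deploy step for the metabase read grant.
# Assumptions (not from the thread): $MetaAcl is a hypothetical path;
# "metaacl.vbs <path>" with no trustee lists the ACL and names each trustee.
$ErrorActionPreference = 'Stop'
$MetaAcl = 'C:\Deploy\Tools\metaacl.vbs'     # hypothetical location
$Trustee = "$env:COMPUTERNAME\IIS_IUSRS"
$Paths   = 'IIS://LOCALHOST/SMTPSVC', 'IIS://LOCALHOST/SMTPSVC/1'

if (-not (Test-Path -LiteralPath $MetaAcl)) {
    throw "metaacl.vbs not found at $MetaAcl"
}

function Test-MetabaseTrustee {
    param([string]$Path)
    # Read-only call: list the ACL and look for the group name.
    # This confirms the trustee is listed, not which rights it holds.
    $listing = & cscript.exe //nologo $MetaAcl $Path | Out-String
    return $listing -match 'IIS_IUSRS'
}

foreach ($path in $Paths) {
    if (Test-MetabaseTrustee -Path $path) {
        Write-Host "[skip] $Trustee already listed on $path"
        continue
    }
    # Same arguments as in the answer: read (R) only, nothing broader.
    & cscript.exe //nologo $MetaAcl $path $Trustee R | Out-Host
    if (-not (Test-MetabaseTrustee -Path $path)) {
        throw "ACL on $path does not list $Trustee after the update"
    }
    Write-Host "[ok]   granted R to $Trustee on $path"
}
```

Run it from an elevated session, since changing metabase ACLs requires administrative rights; keeping the printed ACL listing in the deploy log gives a record to compare against on later runs.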



NunoSilva-1393 answered

Hey Bruce! Thanks for the help.

Also, as another way of doing it, what I did as a workaround was to export the metadatabase from another server using the script found here -> https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525669(v=vs.90)

Then I imported it, and with a PowerShell script I updated the settings I needed to update.

But, from what I understand, the metabase permissions modifier requires installing the IIS resource toolkit, right? I'd have to find a way to automate that installation to have that great solution work! Still, I guess I'm going to investigate a bit more, to see if I implement it that way!

Thanks,
Nuno
