About the IIS Worker Process Group in Configuration Manager
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
This group is necessary to install and operate Microsoft System Center Configuration Manager 2007 site system roles that require Internet Information Services (IIS). The IIS_WPG group account has the minimum permissions and user privileges that are necessary to start and run a worker process on a Web server. Application pool identities must be members of this group so the application pool can register with Http.sys.
Required Rights and Permissions
When you install IIS 6.0, the setup process adds an ACL to the wwwroot directory of the default Web site. This ACL gives the IIS_WPG group permission to access that directory, which means that all worker process identities in the IIS_WPG group can access the contents of this directory on the default Web site.
For more information about default permissions assigned to the IIS_WPG group, see Access Control Lists (IIS 6.0) at http://go.microsoft.com/fwlink/?LinkId=93060.
Account and Password Creation
The group is automatically created on any computer running IIS.
If the server running IIS is a member server, IIS_WPG is a local group. If the server running IIS is a domain controller, IIS_WPG is a domain local group and shared by other IIS servers, which are also domain controllers in the same domain.
The IWAM*_<computername>* account should be a member of this group.
Security Best Practices
Do not modify the default permissions granted to this group because it could stop Configuration Manager 2007 site system roles that require IIS from functioning properly.
For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.