Web Deploy setAcl Provider

Applies To: Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Vista, Windows XP


The setAcl provider sets permissions on a destination folder.


msdeploy.exe -verb:sync -source:setacl -dest:setacl="Default Web Site",setacluser=ApplicationPoolIdentity,setaclaccess=Read

Argument settings

The setAcl provider accepts the following argument settings.

  • A site path (for example, "Default Web Site" or MySite)

  • An application path (for example, "Default Web Site/MyApp" or MySite/MyApp/default.htm)

  • A directory path (for example, c:\mydirectory)

  • A file path (for example, c:\mydirectory\test.htm)

If the path you specify contains a forward slash, Web Deploy will assume that the path is an application or site path and will attempt to map it to the corresponding home directory. If the path you specify contains a backslash (for example, C:\ ), Web Deploy will assume that the path is a physical path. UNC paths and mapped network drives are supported. Environment variables like %windir% are supported, but wildcard characters are not. If the path contains spaces, the path must be enclosed in double quotation marks. Trailing backslashes are not permitted.


Relative paths like ./mypath or . are not accepted.


For IIS 7, the setAcl provider relies on the ability of the caller to read the ApplicationHost.config file whenever you specify an application path. Impersonation of a user account that has access to read properties in the ApplicationHost.config file is required. For IIS 6.0, this provider relies on the ability of the caller to read the MetaBase.xml file. Because there is no impersonation service on IIS 6.0, you may have to run this provider as administrator whenever you specify an application path.

Provider Settings

The setAcl provider has three optional settings: setAclAccess, setAclResourceType, and setAclUser.


setAclAccess

Specifies the file system permission(s) to be granted to the user. The default is Read.

Usage: ,setAclAccess=<AclAccess>[,<AclAccess>,…]

The value for <AclAccess> must be one of the following: AppendData, ChangePermissions, CreateDirectories, CreateFiles, Delete, DeleteSubdirectoriesAndFiles, ExecuteFile, FullControl, ListDirectory, Modify, Read, ReadAndExecute, ReadAttributes, ReadData, ReadExtendedAttributes, ReadPermissions, Synchronize, TakeOwnership, Traverse, Write, WriteAttributes, WriteData, WriteExtendedAttributes.


setAclResourceType

Specifies whether permissions are to be set on a file or on a folder.

Usage: ,setAclResourceType=<ResourceType>

<ResourceType> is either Directory or File. The default value is Directory.


setAclUser

Specifies the name of the user account for the specified path.

Usage: ,setAclUser=<username>

The value for <username> must be a valid user account or a built-in account such as NetworkService. The anonymous authentication user can be specified with the value "anonymousAuthenticationUser". The default value is ApplicationPoolIdentity.


In a dump operation, if you specify the -xml operation setting, the returned attributes will include the username or Security Identifier (setAclUser attribute) and permissions (setAclAccess attribute) of the specified path.


If you specify a directory or file path, you must also specify the setAclUser provider setting.


In a sync operation, setAcl will set the specified permissions on the specified destination path for the specified user. If no user is specified, the ApplicationPoolIdentity identity will be used. If no permission is specified, Read will be used. Permissions will not be copied from the source.

Example usages

1) Display the user identity and permissions for the default Web site in XML format. The user identity will be shown in the setAclUser attribute, and the permissions will be shown in the setAclAccess attribute.

msdeploy.exe -verb:dump -source:setacl="Default Web Site" -xml

2) Grant write permission to the network service account on the destination directory C:\MyDir.

msdeploy.exe -verb:sync -source:setacl -dest:setacl="c:\MyDir",setAclUser=NetworkService,setAclAccess=Write

3) Grant full control to the MySiteOwner user on the destination Web site "MySite.com".

msdeploy.exe -verb:sync -source:setacl -dest:setacl="MySite.com",setAclUser=MySiteOwner,setAclAccess=FullControl
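
A pre-flight check for the rules above, as an added example (not Microsoft's or Web Deploy's own code): the hypothetical New-SetAclCommand function validates the path, user and setAclAccess values against this page before building the sync command line. The list of rights it treats as broad and the -AllowBroadAccess switch are assumptions of the example, not Web Deploy behavior.

```powershell
# Added example; New-SetAclCommand and -AllowBroadAccess are hypothetical names.
function New-SetAclCommand {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$User,
        [string[]]$Access = @('Read'),
        [ValidateSet('Directory', 'File')][string]$ResourceType = 'Directory',
        [switch]$AllowBroadAccess
    )
    # <AclAccess> values accepted by setAclAccess, as listed on this page.
    $allowed = 'AppendData', 'ChangePermissions', 'CreateDirectories', 'CreateFiles',
        'Delete', 'DeleteSubdirectoriesAndFiles', 'ExecuteFile', 'FullControl',
        'ListDirectory', 'Modify', 'Read', 'ReadAndExecute', 'ReadAttributes',
        'ReadData', 'ReadExtendedAttributes', 'ReadPermissions', 'Synchronize',
        'TakeOwnership', 'Traverse', 'Write', 'WriteAttributes', 'WriteData',
        'WriteExtendedAttributes'
    # Assumption: rights this example treats as too broad without explicit sign-off.
    $broad = 'FullControl', 'Modify', 'ChangePermissions', 'TakeOwnership'

    # Path rules from the "Argument settings" section.
    if ($Path -match '[*?]') { throw "Wildcard characters are not supported: $Path" }
    if ($Path.EndsWith('\')) { throw "Trailing backslashes are not permitted: $Path" }
    if ($Path -match '^\.{1,2}([\\/]|$)') { throw "Relative paths are not accepted: $Path" }
    # A backslash marks a physical path, which requires setAclUser.
    if ($Path.Contains('\') -and -not $User) {
        throw "setAclUser is required for a directory or file path: $Path"
    }
    foreach ($right in $Access) {
        if ($allowed -notcontains $right) { throw "Unknown setAclAccess value: $right" }
        if (($broad -contains $right) -and -not $AllowBroadAccess) {
            throw "$right on '$Path' needs -AllowBroadAccess"
        }
    }
    $dest = '-dest:setacl="{0}"' -f $Path
    if ($User) { $dest += ",setAclUser=$User" }
    $dest += ',setAclAccess=' + ($Access -join ',')
    if ($ResourceType -ne 'Directory') { $dest += ",setAclResourceType=$ResourceType" }
    "msdeploy.exe -verb:sync -source:setacl $dest"
}

# Constructed sample calls: the first two pass, the third is rejected.
New-SetAclCommand -Path 'c:\MyDir' -User NetworkService -Access Write
New-SetAclCommand -Path 'c:\mydirectory\test.htm' -User NetworkService -ResourceType File
try { New-SetAclCommand -Path 'MySite.com' -User MySiteOwner -Access FullControl }
catch { Write-Warning $_.Exception.Message }
```

The function only returns the command line as a string, so the grant can be reviewed before anyone runs it.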