https://wiki.grooper.com/index.php?action=history&feed=atom&title=Template%3ALeastPrivilegeAppPoolAccountsTemplate:LeastPrivilegeAppPoolAccounts - Revision history2026-06-13T05:47:47ZRevision history for this page on the wikiMediaWiki 1.42.3https://wiki.grooper.com/index.php?title=Template:LeastPrivilegeAppPoolAccounts&diff=33148&oldid=prevDgreenwood: Created page with "When installing the Grooper web client, you will need to assign an application pool identity — a Windows account under which Grooper runs. This account must be granted specific permissions to launch and operate the Grooper website. From a security standpoint, this account should be granted the minimum permissions required to function. It is unadvisable to grant full local administrator privileges to the Grooper app pool identity. '''Note:''' The user performing the i..."2026-06-11T13:51:04Z<p>Created page with "When installing the Grooper web client, you will need to assign an application pool identity — a Windows account under which Grooper runs. This account must be granted specific permissions to launch and operate the Grooper website. From a security standpoint, this account should be granted the minimum permissions required to function. It is unadvisable to grant full local administrator privileges to the Grooper app pool identity. '''Note:''' The user performing the i..."</p>
<p><b>New page</b></p><div>When installing the Grooper web client, you will need to assign an application pool identity — a Windows account under which Grooper runs. This account must be granted specific permissions to launch and operate the Grooper website.<br />
<br />
From a security standpoint, this account should be granted the minimum permissions required to function. It is unadvisable to grant full local administrator privileges to the Grooper app pool identity.<br />
<br />
'''Note:''' The user performing the installation must also have the ability to query the domain in order to enter credentials for the app pool identity during setup.<br />
<br />
{|class="wikitable"<br />
|-<br />
! Permission<br />
! Type<br />
! Where to Configure<br />
! Reason<br />
|-<br />
|colspan=4|<br />
'''''Always Required'''''<br />
|-<br />
| Read Member Of<br />
| Active Directory<br />
| Active Directory Users and Computers (or via Group Policy)<br />
| Required to check the authenticated user's group membership at login<br />
|-<br />
| Local Users Group<br />
| Local<br />
| Computer Management → Local Users and Groups → Groups → Users<br />
| Grants rights to run installed applications, including Grooper<br />
|-<br />
| File Store Access<br />
| NTFS / Share<br />
| Windows Explorer → Folder Properties → Security (NTFS) and/or Share Permissions<br />
| Read and write access to the Grooper file store location<br />
|-<br />
| Database Access<br />
| SQL Server<br />
| SQL Server Management Studio → Security → Logins → [account] → User Mapping → [GrooperDB]<br />
| Read and write access to the Grooper database. Grant '''db_datareader''' and '''db_datawriter''' on the Grooper database.<br />
|-<br />
|colspan=4|<br />
'''''Conditionally Required'''''<br />
|-<br />
| C:\Release<br />
| Local / NTFS<br />
| Windows Explorer → Folder Properties → Security<br />
| Required when implementing Object Libraries or custom scripts — grants rights to run MSBuild for compilation<br />
|-<br />
| Logon As Service<br />
| Local Security Policy<br />
| Local Security Policy → Local Policies → User Rights Assignment → Log on as a service<br />
| Required only if the app pool identity is also being used as a Grooper service account<br />
|}<br />
<br />
'''Note:''' The permissions above cover normal application operation. Elevated database rights — such as the ability to create or alter tables — are only required during initial installation or upgrades if alterations to the Grooper database tables are required or new tables are added. Furthermore, only the user running [[Grooper Command Console]] (GCC) will need these rights.</div>Dgreenwood