Domain controller GPO does not deny logon locally right to..

Archived from groups: microsoft.public.dotnet.faqs,microsoft.public.dotnet.framework.aspnet,microsoft.public.win2000.group_policy (More info?)

On a domain controller, the ASPNET (v1.1) worker process (aspnet.wp.exe)
runs under the IWAM_machinename acount (IIS 5). I have expressly denied this
user the logon locally right in the domain controller GPO and yet this
profile gets created under the Document and Settings folder. The
IWAM_machinename registry hive remains loaded when the process ends. I have
to manually unload it with regedt32.exe. Is this normal behavior?

Archived from groups: microsoft.public.dotnet.faqs,microsoft.public.dotnet.framework.aspnet,microsoft.public.win2000.group_policy (More info?)

Ok, so why does IWAM_machinename registry hive remain loaded when the
aspnet_wp.exe process ends? I have to manually unload it with regedt32.exe.
Is this normal behavior?

Thanks for the tip Brian
--

"Brian Desmond [MVP]" <desmondb@payton.cps.k12.il.us> wrote in message
news:%23kfIh8hNEHA.2844@tk2msftngp13.phx.gbl...
> Denying log on locally doesn't prevent a service logon, which is what's
> happening in this case. If you don't want the user to logon in any
scenario,
> you'll need to deny service, batch, and network logon rights too.
>
> --
> --
> Brian Desmond
> Windows Server MVP
> desmondb@payton.cps.k12.il.us
>
> Http://www.briandesmond.com
>
>
> ""Rob"" <@> wrote in message news:uV8SzYfNEHA.4036@TK2MSFTNGP12.phx.gbl...
> > On a domain controller, the ASPNET (v1.1) worker process (aspnet.wp.exe)
> > runs under the IWAM_machinename acount (IIS 5). I have expressly denied
> this
> > user the logon locally right in the domain controller GPO and yet this
> > profile gets created under the Document and Settings folder. The
> > IWAM_machinename registry hive remains loaded when the process ends. I
> have
> > to manually unload it with regedt32.exe. Is this normal behavior?
> >
> >
>
>

Archived from groups: microsoft.public.dotnet.faqs,microsoft.public.dotnet.framework.aspnet,microsoft.public.win2000.group_policy (More info?)

It doesn't

--

"Brian Desmond [MVP]" <desmondb@payton.cps.k12.il.us> wrote in message
news6YL2C7NEHA.3752@TK2MSFTNGP12.phx.gbl...
> IWAM_MachineName is an IIS account, not an ASPNet account. IWAM should
> unload when the IISAdmin service shutsdown.
>
> --
> --
> Brian Desmond
> Windows Server MVP
> desmondb@payton.cps.k12.il.us
>
> Http://www.briandesmond.com
>
>
> ""Rob"" <@> wrote in message news:eWicuTiNEHA.4060@TK2MSFTNGP10.phx.gbl...
> > Ok, so why does IWAM_machinename registry hive remain loaded when the
> > aspnet_wp.exe process ends? I have to manually unload it with
> regedt32.exe.
> > Is this normal behavior?
> >
> > Thanks for the tip Brian
> > --
> >
> > "Brian Desmond [MVP]" <desmondb@payton.cps.k12.il.us> wrote in message
> > news:%23kfIh8hNEHA.2844@tk2msftngp13.phx.gbl...
> > > Denying log on locally doesn't prevent a service logon, which is
what's
> > > happening in this case. If you don't want the user to logon in any
> > scenario,
> > > you'll need to deny service, batch, and network logon rights too.
> > >
> > > --
> > > --
> > > Brian Desmond
> > > Windows Server MVP
> > > desmondb@payton.cps.k12.il.us
> > >
> > > Http://www.briandesmond.com
> > >
> > >
> > > ""Rob"" <@> wrote in message
> news:uV8SzYfNEHA.4036@TK2MSFTNGP12.phx.gbl...
> > > > On a domain controller, the ASPNET (v1.1) worker process
> (aspnet.wp.exe)
> > > > runs under the IWAM_machinename acount (IIS 5). I have expressly
> denied
> > > this
> > > > user the logon locally right in the domain controller GPO and yet
this
> > > > profile gets created under the Document and Settings folder. The
> > > > IWAM_machinename registry hive remains loaded when the process ends.
I
> > > have
> > > > to manually unload it with regedt32.exe. Is this normal behavior?
> > > >
> > > >
> > >
> > >
> >
> >
>
>