Adding write permissions to a folder using PowerShell

As part of our deployment process, we need to give an IIS app pool identity write permissions on a log folder.

There are a few articles describing how to set permissions using PowerShell, but getting the incantation exactly right was a bit tricky.

So, for future reference, here it is:

function Set-RightsForAppPoolOnLogFolder($appPoolName, $session) {
  Write-Host "Setting app pool identity write rights on log folder"
  # Pass the app pool name into the remote script block as an argument
  Invoke-Command -Args $appPoolName -Session $session -ErrorAction Stop -ScriptBlock {
    param($appPoolName)
    $logFolder = "D:\Logs"
    $acl = Get-Acl $logFolder
    $identity = "IIS AppPool\$appPoolName"
    $fileSystemRights = "Write"
    # Apply the rule to the folder, its subfolders and its files
    $inheritanceFlags = "ContainerInherit, ObjectInherit"
    $propagationFlags = "None"
    $accessControlType = "Allow"
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, $fileSystemRights, $inheritanceFlags, $propagationFlags, $accessControlType)
    # Add the new rule to the ACL before writing it back to the folder
    $acl.AddAccessRule($rule)
    Set-Acl $logFolder $acl
  }
}

Unable to generate a temporary class (result=1)

A recently deployed web service (IIS on Server 2008) was producing a YSOD with the error:

Unable to generate a temporary class (result=1)

Some cursory duckduckgo-ing suggested that the problem was a lack of permissions, for the user that IIS was running as, on the C:\Windows\Temp folder.

I compared the rights for that folder on the broken server with a working one, and the (local) IIS_IUSRS group had “special permissions”. Specifically, the right to “List folder / read data”.

Once that was set up, IIS was back in business. I presume this is something normally set up during IIS install, which either went wrong or was later corrupted.
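The comparison between the working and the broken server can be scripted rather than done by eye. The following is an added example, not code from the original post: the function names, the session variables in the comments and the sample rules are all assumptions made for illustration.

```powershell
# Added example: flatten a folder's ACL into sortable, comparable strings.
function Get-AclRuleSummary {
  param([string]$Path)
  (Get-Acl -Path $Path).Access | ForEach-Object {
    '{0}|{1}|{2}|{3}|Inherited={4}' -f $_.IdentityReference, $_.AccessControlType,
      $_.FileSystemRights, $_.InheritanceFlags, $_.IsInherited
  } | Sort-Object
}

# Report rules present on only one side of the comparison.
function Compare-FolderAcl {
  param([string[]]$Working, [string[]]$Broken)
  Compare-Object -ReferenceObject $Working -DifferenceObject $Broken |
    ForEach-Object {
      [pscustomobject]@{
        Status = if ($_.SideIndicator -eq '<=') { 'MissingOnBroken' } else { 'ExtraOnBroken' }
        Rule   = $_.InputObject
      }
    }
}

# Constructed sample data standing in for the two servers' C:\Windows\Temp ACLs.
# "List folder / read data" in the GUI is the ReadData right (same value as
# ListDirectory) in System.Security.AccessControl.FileSystemRights.
$working = @(
  'BUILTIN\Administrators|Allow|FullControl|ContainerInherit, ObjectInherit|Inherited=False'
  'BUILTIN\IIS_IUSRS|Allow|ReadData|None|Inherited=False'
  'NT AUTHORITY\SYSTEM|Allow|FullControl|ContainerInherit, ObjectInherit|Inherited=False'
)
$broken = @(
  'BUILTIN\Administrators|Allow|FullControl|ContainerInherit, ObjectInherit|Inherited=False'
  'NT AUTHORITY\SYSTEM|Allow|FullControl|ContainerInherit, ObjectInherit|Inherited=False'
)

Compare-FolderAcl -Working $working -Broken $broken | Format-Table -AutoSize

# Against real servers, collect each side over an existing session instead
# ($workingSession and $brokenSession are hypothetical PSSession variables):
#   $working = Invoke-Command -Session $workingSession `
#     -ScriptBlock ${function:Get-AclRuleSummary} -ArgumentList 'C:\Windows\Temp'
#   $broken  = Invoke-Command -Session $brokenSession `
#     -ScriptBlock ${function:Get-AclRuleSummary} -ArgumentList 'C:\Windows\Temp'
```

With the sample data, the only difference reported is the IIS_IUSRS rule, flagged as MissingOnBroken. An ExtraOnBroken row is worth the same attention, since it shows a grant that the reference server does not have.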