Is it possible to set permissions to SMTP Metabase from command line? How?

Nuno Silva 21 Reputation points

I have a webapp that runs on IIS. This webapp uses a local smtp server to send emails, and is running as ApplicationPool Identity. Natively, this account doesn't have access to SMTP metabase, and I can't send emails, as some actions read information from there.
What I have to do, is to install IIS Resources Kit Tools, and use Metabase Explorer to set the permissions over LM/SmtpSvc and LM/SmtpSvc/1

I am automating server deploys, and I have everything automated, except this part. I need to automate adding IIS_IUSRS to this 2 locations as read, but haven't found a way. Maybe some wmi script?

Does anyone know how to achieve this?


Internet Information Services
0 comments No comments
{count} votes

Accepted answer
  1. Bruce Zhang-MSFT 3,676 Reputation points

    Hi @Nuno Silva ,

    The ApplicationPoolIdentity accounts are hidden accounts that have dynamically assigned SID's (created and assigned when the ApplicationPool is started). But the accounts live as (hidden) users under the IIS_IUSRS group on the local machine (this makes giving them permissions to the AppPools pretty easy, since you can use the normal GUI interface for perms or use scripts while specifying the local user group).

    Use a Metabase Permissions modifier (Metabase Explorer works, so does METAACL.VBS from 2003), Open LM\SMTPSVC and SMTPSVC\1 and add IIS_IUSRS with read permissions to those branches of the metabase.

    cscript metaacl.vbs IIS://LOCALHOST/SMTPSVC %computername%\IIS_IUSRS R  
    cscript metaacl.vbs IIS://LOCALHOST/SMTPSVC/1 %computername%\IIS_IUSRS R  

    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    Best regards,
    Bruce Zhang

    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Nuno Silva 21 Reputation points

    Hey Bruce! Thanks for the help.

    Also as another way of doing it, what I did as a workaround was to export the metadatabase from another server using the script found here ->

    Then I imported it, and with a powershell script I updated the settings I needed to update.

    But, from what I understand, the metabase permissions modifier requires to install the iis resource toolkit, right? I'd have to find a way to automate that installation to have that great solution work! Still, guess I'm going to give a bit more of investigation, to see if I implement it that way!


    0 comments No comments