The legacy wiki pages are here for reference purposes only.
For up-to-date information make sure to check the documentation section.

Setting Permissions using ICACLS

This howto has been copied from Mark's Memory Leak. I hope he doesn't mind, but it is a really nice and easy way of setting the correct permissions when installing Umbraco.

http://memoryleak.me.uk/2009/01/set-umbraco-folder-permissions-on.html

Execute the following from a command line (with administrator permissions) inside the root folder.

NOTE: If you are using Windows 2008 Server/Windows Vista (IIS 7.0+) or newer, please read the "Setting Permissions for ApplicationPoolIdentity" section.

REM Following line in original script incorrectly sets all child folder permissions
REM icacls . /grant "NETWORK SERVICE":(OI)(CI)M
icacls app_code /grant "NETWORK SERVICE":(OI)(CI)RX
icacls app_browsers /grant "NETWORK SERVICE":(OI)(CI)RX
icacls app_data /grant "NETWORK SERVICE":(OI)(CI)M
icacls bin /grant "NETWORK SERVICE":(OI)(CI)M
icacls config /grant "NETWORK SERVICE":(OI)(CI)M
icacls css /grant "NETWORK SERVICE":(OI)(CI)M
icacls data /grant "NETWORK SERVICE":(OI)(CI)M
icacls masterpages /grant "NETWORK SERVICE":(OI)(CI)M
icacls media /grant "NETWORK SERVICE":(OI)(CI)M
icacls python /grant "NETWORK SERVICE":(OI)(CI)M
icacls scripts /grant "NETWORK SERVICE":(OI)(CI)M
icacls umbraco /grant "NETWORK SERVICE":(OI)(CI)M
icacls usercontrols /grant "NETWORK SERVICE":(OI)(CI)M
icacls xslt /grant "NETWORK SERVICE":(OI)(CI)M
icacls views /grant "NETWORK SERVICE":(OI)(CI)M
REM web.config is a file, so the (OI)(CI) inheritance flags do not apply to it
icacls web.config /grant "NETWORK SERVICE":M
REM If you have installed the Robots.txt editor package you need the following line too
icacls robots.txt /grant "NETWORK SERVICE":M

You can also make a bat file by copying the above code into a txt file, and then give it a ".bat" or ".cmd" extension.

If you are running XP Pro you can use the file below which uses cacls rather than the newer icacls. This can be used with the context menu support option mentioned below too.

:: Hope you enjoy this one
:: Sets up the right folder permissions for Umbraco to run
:: Inspired by http://blog.mattbrailsford.com/2010/08/01/adding-a-windows-context-menu-item-to-set-umbraco-folder-permissions/
:: from the boys at Offroadcode.com
ECHO OFF
SET which_user="%computername%\ASPNET"
ECHO ON
cacls "%CD%" /E /G %which_user%:C
cacls "%CD%\app_code" /E /G %which_user%:F
cacls "%CD%\app_browsers" /E /G %which_user%:F
cacls "%CD%\app_data" /E /G %which_user%:C
cacls "%CD%\bin" /E /G %which_user%:R
cacls "%CD%\config" /E /G %which_user%:C
cacls "%CD%\css" /E /G %which_user%:C
cacls "%CD%\data" /E /G %which_user%:C
cacls "%CD%\masterpages" /E /G %which_user%:C
cacls "%CD%\media" /E /G %which_user%:C
cacls "%CD%\python" /E /G %which_user%:C
cacls "%CD%\scripts" /E /G %which_user%:C
cacls "%CD%\umbraco" /E /G %which_user%:R
cacls "%CD%\usercontrols" /E /G %which_user%:R
cacls "%CD%\xslt" /E /G %which_user%:C
cacls "%CD%\web.config" /E /G %which_user%:C
::Uncomment below if testing
::PAUSE

Setting Permissions for ApplicationPoolIdentity

With Windows Server 2008 and IIS 7.x, Microsoft introduced the ApplicationPoolIdentity concept for better security in web sites. You can read more about it at the following blog post: http://blogs.msdn.com/b/vijaysk/archive/2009/02/13/goodbye-network-service.aspx

When creating a new website in IIS 7, the identity for the Application Pool is set to ApplicationPoolIdentity by default. This causes errors when you extract the Umbraco files and try to load the page, because the batch script above grants permissions to NETWORK SERVICE rather than to that identity. To fix these errors, simply change the user in the batch script above from

NETWORK SERVICE

to

IIS APPPOOL\{application-pool-name}

where {application-pool-name} is the name of the Application Pool which your website is running under.

For a less secure, but more reusable script, you could also change

NETWORK SERVICE

to

IIS_IUSRS

which will give all app pool identities access, rather than just the website specific app pool identity (similar to the old NETWORK SERVICE account).

Alternative Method using SetAcl

You can also use the open source SetAcl application to set the permissions, which also lets you set the permissions on the web.config file. It has been blogged about on Chris Houston's blog:

Umbraco Permissions Script - Secure Version

Adding Context menu support within Windows Explorer

Follow this guide made by Matt Brailsford:

http://blog.mattbrailsford.com/2010/08/01/adding-a-windows-context-menu-item-to-set-umbraco-folder-permissions/

Setting Permissions with PowerShell

The script below has been tested with Windows 2008 R2.

 

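# Site root on disk; adjust to your installation
$PhysicalPath = "C:\www\Umbraco"
# Replace {application-pool-name} with the name of the site's application pool
$appPoolAccount = "IIS APPPOOL\{application-pool-name}"
# FileSystemAccessRule arguments: identity, rights, inheritance flags, propagation flags, type
$readExecute = $appPoolAccount,"ReadAndExecute","ContainerInherit, ObjectInherit","None","Allow"
$read = $appPoolAccount,"Read","ContainerInherit, ObjectInherit","None","Allow"
$modify = $appPoolAccount,"Modify","ContainerInherit, ObjectInherit","None","Allow"
# web.config is a file, so the three-argument form without inheritance flags is used
$fileModify = $appPoolAccount,"Modify","Allow"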
$objects = @{}
$objects["app_browsers"] = $readExecute
$objects["app_code"] = $readExecute
$objects["app_data"] = $modify
$objects["bin"] = $read
$objects["config"] = $modify
$objects["css"] = $modify
$objects["data"] = $modify
$objects["images"] = $modify
$objects["masterpages"] = $modify
$objects["media"] = $modify
$objects["scripts"] = $modify
$objects["umbraco"] = $modify
$objects["usercontrols"] = $read
$objects["web.config"] = $fileModify
$objects["xslt"] = $modify
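# Add the rule for each folder or file to its existing ACL and print the result
foreach($object in $objects.Keys) {
    $path = Join-Path $PhysicalPath $object
    $acl = Get-Acl $path
    # The array stored in $objects is passed as the constructor argument list
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($objects[$object])
    $acl.AddAccessRule($rule)
    Set-Acl $path $acl
    Get-Acl $path | Format-List
}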
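
To check the result of the scripts above without changing anything, the following read-only audit (an added example, not part of the original wiki page) compares each ACL with the rights map from the Windows 2008 R2 script and also reports write access held by the shared NETWORK SERVICE or IIS_IUSRS principals discussed earlier. The path and the pool name UmbracoPool are placeholders, and Get-AclFinding is a hypothetical helper name.

```powershell
# Added example: read-only audit; it reports findings and changes no ACLs.
# Assumptions: the path and the pool name "UmbracoPool" are placeholders.
$PhysicalPath   = "C:\www\Umbraco"
$appPoolAccount = "IIS APPPOOL\UmbracoPool"
# Shared principals that the page describes as less secure than a per-pool identity
$broadAccounts  = "NT AUTHORITY\NETWORK SERVICE", "BUILTIN\IIS_IUSRS"
# Expected maximum rights, taken from the Windows 2008 R2 script on this page
$expected = @{
    "app_browsers" = "ReadAndExecute"; "app_code" = "ReadAndExecute"
    "bin" = "Read"; "usercontrols" = "Read"
    "app_data" = "Modify"; "config" = "Modify"; "css" = "Modify"
    "data" = "Modify"; "images" = "Modify"; "masterpages" = "Modify"
    "media" = "Modify"; "scripts" = "Modify"; "umbraco" = "Modify"
    "web.config" = "Modify"; "xslt" = "Modify"
}

# Hypothetical helper: emits one object per problem found on $Path
function Get-AclFinding($Path, $Account, $MaxRights, $BroadAccounts) {
    $allowed = [int][System.Security.AccessControl.FileSystemRights]"$MaxRights, Synchronize"
    $needed  = [int][System.Security.AccessControl.FileSystemRights]$MaxRights
    $write   = [int][System.Security.AccessControl.FileSystemRights]"Write"
    $granted = 0
    foreach ($ace in (Get-Acl $Path).Access) {
        if ($ace.AccessControlType -ne "Allow") { continue }
        $who    = $ace.IdentityReference.Value
        # Generic-rights ACEs carry bits outside $allowed and are reported as excess
        $rights = [int]$ace.FileSystemRights
        $issue  = $null
        if ($who -eq $Account) {
            $granted = $granted -bor $rights
            if ($rights -band (-bnot $allowed)) { $issue = "more than $MaxRights" }
        } elseif (($BroadAccounts -contains $who) -and ($rights -band $write)) {
            $issue = "shared principal can write"
        }
        if ($issue) {
            New-Object PSObject -Property @{ Path = $Path; Identity = $who
                Rights = $ace.FileSystemRights; Issue = $issue }
        }
    }
    if (($granted -band $needed) -ne $needed) {
        New-Object PSObject -Property @{ Path = $Path; Identity = $Account
            Rights = "none or partial"; Issue = "missing $MaxRights" }
    }
}

foreach ($name in $expected.Keys) {
    $path = Join-Path $PhysicalPath $name
    if (Test-Path $path) {
        Get-AclFinding $path $appPoolAccount ($expected[$name]) $broadAccounts
    } else { Write-Warning "Not found: $path" }
}
```

No output means every listed path grants the pool identity exactly the expected rights and gives neither shared principal write access.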



Setting Umbraco 7 Permissions with PowerShell

The script below has been tested with Windows 7.

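# Site root on disk; adjust to your installation
$PhysicalPath = "C:\inetpub\wwwroot\Umbraco"
# Replace {application-pool-name} with the name of the site's application pool
$appPoolAccount = "IIS APPPOOL\{application-pool-name}"
# FileSystemAccessRule arguments: identity, rights, inheritance flags, propagation flags, type
$readExecute = $appPoolAccount,"ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow"
$read = $appPoolAccount,"Read","ContainerInherit,ObjectInherit","None","Allow"
$modify = $appPoolAccount,"Modify","ContainerInherit,ObjectInherit","None","Allow"
# Web.config is a file, so the three-argument form without inheritance flags is used
$fileModify = $appPoolAccount,"Modify","Allow"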
$objects = @{}
$objects["App_Browsers"] = $readExecute
$objects["App_Code"] = $modify
$objects["App_Data"] = $modify
$objects["App_Plugins"] = $modify
$objects["bin"] = $modify
$objects["Config"] = $modify
$objects["Css"] = $modify
$objects["MacroScripts"] = $modify
$objects["Masterpages"] = $modify
$objects["Media"] = $modify
$objects["Scripts"] = $modify
$objects["Umbraco"] = $modify
$objects["Umbraco_Client"] = $modify
$objects["UserControls"] = $modify
$objects["Views"] = $modify
$objects["Web.config"] = $fileModify
$objects["Xslt"] = $modify
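# Add the rule for each folder or file to its existing ACL and print the result
foreach($object in $objects.Keys){
    $path = Join-Path $PhysicalPath $object
    $acl = Get-Acl $path
    # The array stored in $objects is passed as the constructor argument list
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($objects[$object])
    $acl.AddAccessRule($rule)
    Set-Acl $path $acl
    Get-Acl $path | Format-List
}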


