One fine Friday morning, an issue with IIS was reported to us. The application pools in IIS were getting stopped as soon as the related website was browsed, resulting in HTTP Error 503: Service Unavailable. It was also reported that the development team had not done anything specific in their code, which meant the issue was unexpected.
I started investigating the issue from the Event Logs in Windows. I could find a related event there as shown below:
From the above event, I got an idea of what the issue was: either the credentials were wrong or it had something to do with group policy (Log on as batch rights). I was pretty sure that for the service accounts associated with the application pool, we would set Password Never Expires in Active Directory.
The first step I took was to check the credentials set in the application pool. I cleared the preset credentials (by changing the App Pool Identity to a built-in account) and then entered the credentials again manually. Starting the application pool and browsing the site resulted in the same error. So, again, it was not an issue with the credentials.
The second step I tried was checking the group policy of this web server. I couldn’t find any group policy applied for batch logon rights. In RSoP, I could see that a domain-wide policy was set for only one setting, whereas for the other GP settings the local policy was selected.
Googling was my next attempt, and I saw this post. From the link, I understood that from IIS 7 onward all the credentials set against an application pool are mapped to the IIS_IUSRS group, and this group is a member of the Log on as a batch job group policy.
Validating the group policy again (both local and domain-wide), I found the issue. To resolve another issue, I had applied a domain-wide policy for Log on as a batch job the previous day, and this overrode the local domain policy applied on the web server. Once I rolled back the change in the domain-wide policy, the application pool started working fine.
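The check described above can be scripted. The following is an added example, not code from the original post: it parses a user-rights export in the format written by `secedit /export /areas USER_RIGHTS` and reports whether IIS_IUSRS (well-known SID S-1-5-32-568) still holds `SeBatchLogonRight`. The function names, the `CONTOSO\svc-backup` account and both sample exports are constructed for illustration.

```powershell
# Added example: is IIS_IUSRS still granted "Log on as a batch job"?
$IisIusrsSid = 'S-1-5-32-568'   # well-known SID of BUILTIN\IIS_IUSRS

function Get-BatchLogonHolders {
    param([Parameter(Mandatory)][string]$InfText)
    # secedit writes the right as: SeBatchLogonRight = *SID,*SID,DOMAIN\name
    foreach ($line in $InfText -split "`r?`n") {
        if ($line -match '^\s*SeBatchLogonRight\s*=\s*(.*)$') {
            return @($Matches[1] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return @()   # right absent from the export: no principal holds it
}

function Test-AppPoolCanBatchLogon {
    param([Parameter(Mandatory)][string]$InfText,
          [string[]]$ExtraPrincipals = @())  # e.g. a service account granted directly
    $holders = Get-BatchLogonHolders -InfText $InfText
    $wanted  = @($IisIusrsSid) + $ExtraPrincipals
    [bool]($wanted | Where-Object { $holders -contains $_ })
}

# Constructed sample: local policy intact, IIS_IUSRS is listed.
$healthy = @'
[Privilege Rights]
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-559,*S-1-5-32-568
'@

# Constructed sample: a domain GPO replaced the list with a single account.
$overridden = @'
[Privilege Rights]
SeBatchLogonRight = CONTOSO\svc-backup
'@

"healthy    : {0}" -f (Test-AppPoolCanBatchLogon -InfText $healthy)
"overridden : {0}" -f (Test-AppPoolCanBatchLogon -InfText $overridden)

# On the web server (elevated prompt) the real input would come from:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   Test-AppPoolCanBatchLogon -InfText (Get-Content "$env:TEMP\rights.inf" -Raw)
```

A `False` result right after a GPO change to Log on as a batch job points to the override described above; `gpresult /h` shows which GPO is the winning one for that setting.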
The IIS group and its policies were new information for me, hence I am posting this issue with its full details here, hoping that it will help someone out there. Know more about Group Policies and their application here.