Scripting IIS7 Application Pool Configuration in PowerShell

I knew that scripting the configuration of a whole environment seemed the right thing to do.  But when we were building up our testing and production environments I was new to some of the technology and we were in a hurry and…you know the rest.  I only did the easy parts.  But now we’re looking at some changes that will require a ground-up reinstall/configuration of our web and application servers.  This time around I’m going to script much more, I hope, subject to time constraints I can’t control.  Today’s topic:  IIS7 application pools.

Incidentally, for a good argument for scripting configuration, see the book I blogged about earlier, which I’m still reading.

We take most of the defaults for IIS7 app pools, overriding a few.  I plan to use PowerShell code similar to this:

    # Load the IIS provider. This is the snap-in form; on Windows 7 / 2008 R2 it
    # ships as a module, so use Import-Module WebAdministration there instead.
    if (@(Get-PSSnapin | Where-Object {$_.Name -eq "WebAdministration"}).Count -eq 0)
    {
        Add-PSSnapin WebAdministration
    }

    # Prompt for the pool identity so no password is stored in the script.
    $cred = Get-Credential "MYDOMAIN\THEuserACCOUNTforTHEappPool"

    $userName = $cred.UserName
    # processModel.password takes a plain string, so the password is decrypted in memory here.
    $password = $cred.GetNetworkCredential().Password

    # Start from a clean pool: remove any existing one with the same name.
    if (Test-Path IIS:\AppPools\MyTestAppPool)
    {
        Remove-Item IIS:\AppPools\MyTestAppPool -Force -Recurse
    }

    $myNewPool = New-Item IIS:\AppPools\MyTestAppPool

    $myNewPool.processModel.userName = $userName
    $myNewPool.processModel.password = $password
    $myNewPool.processModel.identityType = "SpecificUser"
    $myNewPool.processModel.idleTimeout = [TimeSpan] "0.00:00:00"   # zero disables the idle timeout
    $myNewPool.managedRuntimeVersion = "v4.0"   # or "v2.0"; IIS expects the leading "v"
    $myNewPool.recycling.periodicRestart.time = [TimeSpan] "00:00:00"   # zero disables periodic recycling

    # Persist the changes to the IIS configuration.
    $myNewPool | Set-Item


A few things to mention:

  • I have verified the correct properties in IIS Manager, and it starts fine, but nothing is using it yet.  I will update this if necessary.
  • You’ll see in the code that I’m setting the pool’s identity to a domain user.  If you do this, use the minimum possible permissions.  Consider using Application Pool Identities instead for greater security.  In fact, for the web servers (not application servers) I plan to experiment with this.  I was not familiar with it until yesterday.
  • One of the links I read seemed to indicate that using this method would leave the password in plain text in the IIS config file.  I tested it, and no, the password is encrypted as it should be.
  • Also note that I’m prompting for the credentials to use for the identity.  This keeps passwords out of the script.  In real use, the user name will vary between environments so I’ll need to pull this information from somewhere.
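The identity and password-storage points in the list above can be checked from the config file itself. The following is an added example, not code from the original post: a hypothetical function, `Get-AppPoolIdentityAudit`, that reports each pool's identity type and whether a `SpecificUser` password is stored with the `[enc:` marker IIS puts on encrypted attribute values. The sample XML, the pool names other than `MyTestAppPool`, and the account names are constructed for illustration.

```powershell
# Added example (not from the original post): report each app pool's identity and
# how its password is stored in an applicationHost.config document.
function Get-AppPoolIdentityAudit {
    param([Parameter(Mandatory = $true)][xml]$Config)

    $base = '/configuration/system.applicationHost/applicationPools'
    # Pools with no identityType of their own inherit from <applicationPoolDefaults>.
    $defaults = $Config.SelectSingleNode("$base/applicationPoolDefaults/processModel")

    foreach ($pool in $Config.SelectNodes("$base/add")) {
        $pm = $pool.SelectSingleNode('processModel')
        $identity = '(schema default)'
        foreach ($node in @($defaults, $pm)) {      # the pool's own value wins over the default
            if ($null -ne $node -and $node.HasAttribute('identityType')) {
                $identity = $node.GetAttribute('identityType')
            }
        }
        $user = ''; $pw = ''
        if ($null -ne $pm) { $user = $pm.GetAttribute('userName'); $pw = $pm.GetAttribute('password') }

        # StartsWith is used because '[' is a wildcard character in -like patterns.
        if ($identity -ne 'SpecificUser') { $storage = 'n/a' }
        elseif ($pw -eq '') { $storage = 'missing' }
        elseif ($pw.StartsWith('[enc:')) { $storage = 'encrypted' }
        else { $storage = 'PLAINTEXT' }

        New-Object PSObject -Property @{
            Pool = $pool.GetAttribute('name'); IdentityType = $identity
            UserName = $user; PasswordStorage = $storage
        } | Select-Object Pool, IdentityType, UserName, PasswordStorage
    }
}

# Constructed sample input; the password values are placeholders, not real secrets.
$sample = [xml]@'
<configuration><system.applicationHost><applicationPools>
  <add name="MyTestAppPool" managedRuntimeVersion="v4.0">
    <processModel identityType="SpecificUser" userName="MYDOMAIN\svc-example"
                  password="[enc:IISWASOnlyAesProvider:CONSTRUCTED-NOT-REAL-CIPHERTEXT:enc]" />
  </add>
  <add name="LegacyPool">
    <processModel identityType="SpecificUser" userName="MYDOMAIN\svc-legacy"
                  password="Constructed-Placeholder" />
  </add>
  <add name="WebPool" />
  <applicationPoolDefaults><processModel identityType="ApplicationPoolIdentity" /></applicationPoolDefaults>
</applicationPools></system.applicationHost></configuration>
'@

Get-AppPoolIdentityAudit -Config $sample | Format-Table -AutoSize
```

To audit a real server, run from an elevated prompt and pass `[xml](Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config")` as `-Config`.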

As is often the case I had to poke around a bit to find the information I needed.  Here are some useful links.

PowerShell WebAdministration Provider Inconsistencies

The WebAdministration module for PowerShell comes standard in Windows 7 and Windows 2008 R2.  It is available as a snapin for older versions of Windows at  Both appear to work the same way so I’ll just refer to it as “the module.”

I’m just beginning to delve into it.  I think I’ve uncovered some functionality that I love.  But the module seems immature to me.  I may say more after I work with it more—or maybe I’ll have to correct myself.  But today’s topic is an inconsistency in the provider.


When you list the contents of a directory in which there are no web sites you get the normal output, including "Mode".  This is the same kind of output you’d get from using “Dir” on your C: drive.



If you convert one of the directories into an application, the output changes. Mode is gone, replaced by Type.


But there is no "Type" property.

Try to use it.  Notice that nothing is returned by the following statement.


Let’s see what properties actually exist.


Ah hah!  So, to list applications you need to look for "NodeType", not "Type."