The Internet Information Server (IIS) installed on a Windows NT Server machine constantly runs on the server regardless of whether there is a user currently logged on or not. To achieve this, the Web Server is written as an NT Service that starts running when the machine starts. In Windows NT, a Service needs to run in some user's Security Context and gets the Credentials (Domain, Group Memberships) of this user.
The Web Server runs in the context of the Local System account. Windows NT provides the Local System account so that Services that need to run independently of any user can take advantage of this built-in account. The Local System account has default security privileges and no credentials. Because of this, a service running in the Local System account has limited network access and uses Null sessions to access any resource on the network. However, DirectScript objects require that the user credentials be available in order to get information from the Windows NT server.
The Stub Object provided with DirectScript solves this problem. The Stub Object provides an Authenticate function, which should be called first. This function takes user information such as the domain name, user name, and password passed to it, and prepares the Web Server to run in the context of the user who wants to use DirectScript objects. The Authenticate function requires that some specific user rights be set on the Web Server. These rights need to be given to the user whose name is specified in the Authenticate function. The rights can be given to a user by using the Domain Security Policy tool that comes with Windows and selecting User Rights Assignment in the Local Policies menu.
You need to give the rights listed below. Please note that the first three rights are Advanced User Rights and can only be seen when you select Show Advanced User Rights in the User Rights Policy dialog box.
Act as part of the operating system
Replace a process level token
Log on locally
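
To review which accounts hold these rights on the Web Server after granting them, the following added example (not part of DirectScript or of the original page) parses the `[Privilege Rights]` section of a `secedit` user-rights export. It assumes the standard Windows constants for the three rights above; `Get-RightHolders` is a hypothetical helper name, and the sample export and its SIDs are constructed.

```powershell
# Windows privilege constants for the three rights listed above.
$RightsOfInterest = [ordered]@{
    'SeTcbPrivilege'                = 'Act as part of the operating system'
    'SeAssignPrimaryTokenPrivilege' = 'Replace a process level token'
    'SeInteractiveLogonRight'       = 'Log on locally'
}

# Hypothetical helper: returns one object per (right, holder) pair found
# in the [Privilege Rights] section of a secedit export.
function Get-RightHolders {
    param([Parameter(Mandatory)][string[]]$InfLines)
    $inSection = $false
    foreach ($raw in $InfLines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection) { continue }
        if ($line -match '^(\w+)\s*=\s*(.*)$' -and $RightsOfInterest.Contains($Matches[1])) {
            $name = $Matches[1]
            # Holders are comma-separated; SIDs carry a leading '*'.
            $holders = $Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
            foreach ($h in $holders) {
                [pscustomobject]@{
                    Right    = $RightsOfInterest[$name]
                    Constant = $name
                    Holder   = $h.TrimStart('*')
                }
            }
        }
    }
}

# Constructed sample export; the SIDs are made up. On a real server, create the
# file with:  secedit /export /areas USER_RIGHTS /cfg <path>\rights.inf
# and pass (Get-Content <path>\rights.inf) instead of $sample.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeTcbPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeBackupPrivilege = *S-1-5-32-544
'@ -split "`r?`n"

# Holders that are not well-known built-in SIDs are the ones to review.
Get-RightHolders -InfLines $sample |
    Select-Object *, @{ n = 'WellKnownSid'; e = { $_.Holder -match '^S-1-5-(18|19|20|32-\d+)$' } } |
    Sort-Object Constant, Holder | Format-Table -AutoSize
```

Rows with `WellKnownSid` set to `False` are ordinary user or group accounts; for `SeTcbPrivilege` in particular, that list should contain only the account named in the Authenticate call.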