Below is a more systematic way to determine which user needs to be granted permission

下面是一个更系统的方法来确定哪些用户需要被授予权限

Confirm that you have the following executables in C:\WINDOWS\SYSTEM32 (or more generically %systemroot%\system32)

确认您在 C:\WINDOWS\SYSTEM32（或更一般的 %systemroot%\system32）中有以下可执行文件

cmd.exe  
whoami.exe  

Check the current ACL for these executables

检查这些可执行文件的当前 ACL

c:\windows\system32> cacls cmd.exe  
c:\windows\system32> cacls whoami.exe  

If the user "Everyone" is not granted Read (R) access, then TEMPORARILY grant as follows

如果用户“Everyone”未被授予读取 (R) 访问权限，则按如下方式临时授予

c:\windows\system32> cacls cmd.exe /E /G everyone:R  
c:\windows\system32> cacls whoami.exe /E /G everyone:R  

Create whoami.php with the following content

使用以下内容创建 whoami.php

<?php  
$output = shell_exec("whoami");  
echo "<pre>$output</pre>";  
?>  

Load whoami.php on a web browser and note the username displayed e.g. in my case it showed

在网络浏览器上加载 whoami.php 并注意显示的用户名，例如在我的情况下它显示

ct29296\iusr_template

ct29296\iusr_template

Revoke "Everyone's" permission if it had to be added in above steps

如果必须在上述步骤中添加，则撤销“所有人”的权限

c:\windows\system32> cacls cmd.exe /E /R everyone  
c:\windows\system32> cacls whoami.exe /E /R everyone  

Grant only the username found in step 5 with the Read+Execute permission (R) to cmd.exe

仅将步骤 5 中找到的具有读取+执行权限 (R) 的用户名授予 cmd.exe

c:\windows\system32> cacls cmd.exe /E /G ct29296\iusr_template:R  

Remember to use the correct username for your own system.

请记住为您自己的系统使用正确的用户名。

See: http://www.myfaqbase.com/index.php?q=php+shell_exec&ul=0&show=f

参见：http: //www.myfaqbase.com/index.php?q=php+shell_exec&ul=0&show=f

Here's a few points:

这里有几点：

• Regarding PHP skipping the shell_execfunction, make sure that PHP is not running in safe mode. From the PHP manual - on the shell_exe page:

• 关于 PHP 跳过shell_exec功能，请确保 PHP 未在安全模式下运行。从 PHP 手册 - 在shell_exe 页面上：

Note: This function is disabled when PHP is running in safe mode.

注意：当 PHP 在安全模式下运行时，此功能被禁用。

It also appears that this is quite a known problem with executing shell commands from PHP in Windows. The consensus seems to be that the best way to get it to work is to have PHP running in FastCGI mode (I know you tried this already and said you couldn't get it to work - hence my second point). You may find this Microsoft IIS Forum threadhelpful.

这似乎也是在 Windows 中从 PHP 执行 shell 命令的一个众所周知的问题。共识似乎是让它工作的最佳方法是让 PHP 在 FastCGI 模式下运行（我知道你已经尝试过这个并说你无法让它工作 - 因此我的第二点）。您可能会发现此Microsoft IIS 论坛主题很有帮助。

• Now, as far as having to run PHP on Windows in order to authenticate against Active Directory - you don't have to!

• 现在，就必须在 Windows 上运行 PHP 以针对 Active Directory 进行身份验证而言 -您不必这样做！

Apache provides LDAP authentication via the mod_auth_ldap. And PHP provides LDAP support through the following functions:

Apache 通过mod_auth_ldap提供 LDAP 身份验证。并且 PHP 通过以下函数提供 LDAP 支持：

• ldap_connect
• ldap_bind
• ldap_search
• ldap_get_entries

• ldap_connect
• ldap_bind
• ldap_search
• ldap_get_entries

Active Directory is an implementation of LDAP. So, you with any LDAP client you can perform authentication against Active Directory.

Active Directory 是 LDAP 的一种实现。因此，您可以使用任何 LDAP 客户端对 Active Directory 执行身份验证。

• An example of how to authenticate with Active Directory from PHP.

• 如何从 PHP 使用 Active Directory 进行身份验证的示例。

P.S. You can either use the Apache mod_auth_ldap, or the PHP LDAP functions - you don't need to use both at the same time to make this work. The Apache mod_auth_ldap works at the HTTP protocol level, whereas the PHP LDAP Functions give you more control over the authentication and authorization process.

PS 您可以使用 Apache mod_auth_ldap 或 PHP LDAP 函数 - 您不需要同时使用两者来完成这项工作。Apache mod_auth_ldap 在 HTTP 协议级别工作，而 PHP LDAP 函数使您可以更好地控制身份验证和授权过程。

couple of notes

几个笔记

if you want to execute a .exe directly, you can use proc_open() with $other_options=array('bypass_shell'=>TRUE)

如果你想直接执行一个 .exe，你可以使用 proc_open() 和 $other_options=array('bypass_shell'=>TRUE)

also procmon.exe (sysinternals) is you best friend when digging into this class of problem

procmon.exe (sysinternals) 也是你在研究这类问题时最好的朋友

Unfortunately, I need to use IIS because I'm going to authenticate my users against active directory.

不幸的是，我需要使用 IIS，因为我要根据活动目录对我的用户进行身份验证。

The premise for basing your application on IIS is flawed. There's nothing to stop you doing this with Apache. Indeed, you don't even need to run it on a MS-Windows OS.

将应用程序基于 IIS 的前提是有缺陷的。没有什么可以阻止您使用 Apache 执行此操作。事实上，您甚至不需要在 MS-Windows 操作系统上运行它。

Have a google for how to set up all this up.

有一个谷歌如何设置这一切。

Note that with IIS and local clients potentially using NTLM, the security policy gets thrown out of the window. The IIS handler thread may run with the credentials of a NTLM MSIE client. Or not. Debugging this stuff will drive you mad!

请注意，对于可能使用 NTLM 的 IIS 和本地客户端，安全策略会被排除在外。IIS 处理程序线程可以使用 NTLM MSIE 客户端的凭据运行。或不。调试这些东西会让你发疯！

C.

C。

I'd say Read & Executepermission to the User thats running IIS (if thats not IUSR_MACHINENAME)

我会说Read & Execute允许运行 IIS 的用户（如果那不是 IUSR_MACHINENAME）

I added the user NETWORK SERVICE with READ & EXECUTE, READ to the directories where the executables of my application resides. Since this alteration, the problem is gone. Nevertheless, it's also neccessary to grant the permissions READ & EXECUTE, READ for IUSR_ to cmd.exe.

我将用户 NETWORK SERVICE 与 READ & EXECUTE, READ 添加到我的应用程序的可执行文件所在的目录中。自从这次改动后，问题就解决了。尽管如此，还需要将 READ & EXECUTE、IUSR_ 的 READ 权限授予 cmd.exe。

The solution I got from here http://forums.iis.net/t/1147892.aspx

我从这里得到的解决方案http://forums.iis.net/t/1147892.aspx