We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you a podcast all about Citrix Workspace, moving to the cloud, and analytics & intelligence. Episode 2 coming soon!Listen Now

x

Help! Demoted server, internet user accounts deleted.

Medium Priority
448 Views
Last Modified: 2008-01-09
I just demoted my Domain server back to a workgroup member. It deleted all the user accounts and now it is prompting all users that try to access any of my server sites. When I go to IIS60, under permissions it lists two unknown accounts which were the IUSER_servername and the IWAN_servername accounts. How would I regenerate those accounts so anonymous users can connect again? Server has FP2002 Extensions and SharePoint 2.0. Windows Server 2003.
Comment
Watch Question

in IIS itself you can allow anonymous users to access your website
CERTIFIED EXPERT

Commented:
restart your IISAdmin Service.

Author

Commented:
The IIS does not see any IUSER or IWAN accounts because Windows deleted those accounts off the machine. I am looking for How to recreate them. I just found a procedure at MS which covers removinng IIS and reinstalling it. It then should recreate those two accounts, according to Mr. Gates???
CERTIFIED EXPERT

Commented:
That is the other way of doing it to re-install IIS

Author

Commented:
OK, the reinstall of IIS created the two accounts in question and I restored the configuration backup. Now all the sites are set to Anonymous access but when anyone hits the sites they get prompted for a userid and password. I'm admin on the server and they prompt me and fail? Any ideas on that?

I really hate the idea of re-doing the server just to get this straight.
Top Expert 2007

Commented:
Check your ntfs permissions: the newly created IUSR account has to be on the security access list of your folders/files.

Author

Commented:
Can you tell me how to go about checking that? I'll admit I'm not a server person at heart... It was fun at first but is quickly becoming a real task.

Author

Commented:
Additional info: As I mentioned at the start this is a server which was demoted from being the Domain Controller. I then joined it to my home workgroup. I did notice that in the machine name it still says DFH.HOME? is it possible that it still thinks it belongs to the old Domain and that is causing the problem? If so, how would I go about getting it to belong to the HOME workgroup like the other machines?
Top Expert 2007

Commented:
Right click your folder, select Properties, go to Security, add the necessary permissions.
For the name, go to System Properties > Computer Name > Change.
You will see there if it's a member of a domain or a workgroup.
Change accordingly.

Author

Commented:
Ok, wasn't sure if I was going about it correctly. I did your steps and the sites still prompt for a login. I have installed the MS Authentication and Access Control Diagnostics software and run it. It comes up with almost nothing but red X's across the board? iguess if I could read it properly, I might figure it all out. The problem seems to be with the anonymous login. If I use my name and password I get any of the sites fine. I created a 'test" account and can hit the sites with it also. The software will test each site ans it then produces a XML log file.
Top Expert 2007

Commented:
Right Click on your web site
Select the 'Directory Security' tab
Click 'Edit'
Check 'Enable Anonymous Access'
Browse to the 'IUSR_<machinename>' account
If your NTFS permissions are correct, you shouldn't be prompted anymore.

Author

Commented:
Already did that and the IUSER_servername is selected. Intergrated Windows Authentication is checked. I've also just synced the Metabase password with that account for all the sites using the adsutil.vbs, still no good. I have a feeling I'm fighting a lost cause. I think it is all that Windows did not "clean up" very well when Demoting the server. I have noticeed that it created another Admin account on the machine also. I now have an Administrator and a Administrator.servername directory under the Documents and Settings folder.All the icons which were on the Admin's Desktop disappeared with the new Admiin account. I had to copy them over from the original Admin folder?? Guess I'll plan the weekend for building a new server. Thanks for all your input on this.
Top Expert 2007

Commented:
Uncheck 'Integrated Windows Authentication'
The Administrator profile is the one created when the server was first installed.
The Administrator.servername was created after the server was demoted.
It's completely normal.

Author

Commented:
I have unchecked that box on three of the sites and now I do not get prompted but says a http 401 error. We are one step closer at this point, thanks. Looking like a permissions problem?
Top Expert 2007

Commented:
Yes, give your anonymous user at least read permissions on your folders.

Author

Commented:
I have included the IUSER account at the Upper most directory, all sites are below that, and I checked each site in IIS and Read is checked but still get this error. HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials?
Top Expert 2007
Commented:
Check that the permissions are inherited by the sub directories.
In the directory security authentication tab, make sure that you entered the correct user for anonymous access and the password. If necessary, reset the user's password in computer management AND IIS.

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts

Author

Commented:
Quick question: When I ran the MS auth & Access Diags, it showed that Kerberos is being used, isn't mostly for within Domains? Any chance that could cause all this? I'm getting dangerous now, I'm actually reading the docs! That item is what threw up all the red flags in the diags.

Author

Commented:
Here is one line out of the test for Authentication.

must be domain member                    Path:W3SVC
                                                          AuthType:Kerberos
There is no domain any more.
Top Expert 2007

Commented:
Kerberos will be used if you enable Integrated Authentication.
Make sure to deselected it on the root and every virtual directory.

Author

Commented:
I'm pretty sure I did that already but I'll check again. Would it help if I upload the test results XML file that the Auth & Access Diags saved? You may make more sense out of it then I am.

Author

Commented:
The problem is fixed, I rebuilt the server and all is working fine now. Thanks for you assistance.
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.