?
Solved

Missing IUSR account to show up on Windows Server 2008

Posted on 2008-10-02
10
Medium Priority
?
7,387 Views
Last Modified: 2011-09-20
Hi,

We have a Windows Server 2008 box running as a secondary domain controller, our primary domain controller is a Windows Server 2003 machine and both the domain and forest functional levels are set to 2003. We have subsequently installed IIS7 for some internal test projects, however when setting up the first site we discovered that the box seemed to be missing both the IUSR and IIS_IUSRS built-in accounts. Obviously we need these accounts to set the permissions correctly for any web applications we choose to setup.

After some investigation, I discovered link text, with an associated JScript file to run to resolve the issue, unfortunately after running the script and rebooting, the IUSR account is still missing. (The IIS_IUSRS account has been restored)

Any ideas on how to resolve this would be much appreciated.

Thanks.
0
Comment
Question by:mattskiver
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
10 Comments
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 22626719
What we did was since the IUSR was a built-in account that was local. Once you promote the server it will disable the local users and groups so we ended up adding them to Active Directory.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22628532
I have no problem with this - I'm running 2008 Standard with as a primary DC and it has IIS on it - the IUSR account shows up fine.
If I were you I'd uninstall the IIS role, restart the computer, and then re-add it. This will solve your problem by restoring all IIS accounts to their defaults.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 22628631
@Pugglewuggle

Good point I didn't even pay attention to that is 2008. I know in 2003 if you make the server a DC then it will disable all local accounts including the built-in accounts. I will have to check on 2008 machine to see what the status is with this now.
0
Get real performance insights from real users

Key features:
- Total Pages Views and Load times
- Top Pages Viewed and Load Times
- Real Time Site Page Build Performance
- Users’ Browser and Platform Performance
- Geographic User Breakdown
- And more

 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22628912
Yes, 2008 doesn't erase local accounts, but go ahead and do what I said as far as uninstalling and reinstalling IIS, okay mattskiver?
Cheers!
0
 

Author Comment

by:mattskiver
ID: 22632900
Hi,  

Thanks for your suggestions, unfortunately removing the IIS role, rebooting, and re-adding it didn't help.  This is a known problem with Windows Server 2008 domain controllers running in a Windows Server 2000 / 2003 domain. The script we ran and the technical description of the problem can be found at http://support.microsoft.com/kb/946139 Unfortunately we still don't have the IUSR account.  If anyone has any other suggestions, they would be much appreciated.
0
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 1000 total points
ID: 22633683
We added it to our AD domain to fix this issue in 2003 and kept it this way when we started implementing 2008 servers.
0
 
LVL 12

Assisted Solution

by:Pugglewuggle
Pugglewuggle earned 1000 total points
ID: 22635842
I suppose that would work... the only problem then is that all machines on the whole domain share the IUSR account and a break in any one of them can potentially allow a hacker to compromise every computer on the domain with that IUSR account since they all have the same password.
Try to consider these things so you don't accidentally open a security hole... or in this case a security cave.
Cheers! :)
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 22635937
Yes, that is true. The local users and group module has been disabled if the server is a DC until Server 2008. I like that it's not disabled anymore for this reason. If you demote a server to a member server then you recreate the local users and groups which removes the domain users out of the permissions.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are a web developer, you would be aware of the <iframe> tag in HTML. The <iframe> stands for inline frame and is used to embed another document within the current HTML document. The embedded document could be even another website.
Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question