Solved

Missing IUSR account to show up on Windows Server 2008

Posted on 2008-10-02
Last Modified: 2011-09-20
Hi,

We have a Windows Server 2008 box running as a secondary domain controller; our primary domain controller is a Windows Server 2003 machine, and both the domain and forest functional levels are set to 2003. We have subsequently installed IIS7 for some internal test projects; however, when setting up the first site we discovered that the box seemed to be missing both the IUSR and IIS_IUSRS built-in accounts. Obviously we need these accounts to set the permissions correctly for any web applications we choose to set up.

After some investigation, I discovered link text, with an associated JScript file to run to resolve the issue. Unfortunately, after running the script and rebooting, the IUSR account is still missing. (The IIS_IUSRS account has been restored.)

Any ideas on how to resolve this would be much appreciated.

Thanks.
Question by:mattskiver
10 Comments
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 22626719
Here is what we did, since the IUSR was a built-in account that was local: once you promote the server, it will disable the local users and groups, so we ended up adding them to Active Directory.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22628532
I have no problem with this - I'm running 2008 Standard as a primary DC and it has IIS on it - the IUSR account shows up fine.
If I were you I'd uninstall the IIS role, restart the computer, and then re-add it. This will solve your problem by restoring all IIS accounts to their defaults.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 22628631
@Pugglewuggle

Good point, I didn't even pay attention to the fact that this is 2008. I know in 2003 if you make the server a DC then it will disable all local accounts, including the built-in accounts. I will have to check on a 2008 machine to see what the status is with this now.
0

 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22628912
Yes, 2008 doesn't erase local accounts, but go ahead and do what I said as far as uninstalling and reinstalling IIS, okay mattskiver?
Cheers!
0
 

Author Comment

by:mattskiver
ID: 22632900
Hi,

Thanks for your suggestions. Unfortunately, removing the IIS role, rebooting, and re-adding it didn't help. This is a known problem with Windows Server 2008 domain controllers running in a Windows Server 2000 / 2003 domain. The script we ran and the technical description of the problem can be found at http://support.microsoft.com/kb/946139. Unfortunately, we still don't have the IUSR account. If anyone has any other suggestions, they would be much appreciated.
0
 
LVL 59

Accepted Solution

by:Darius Ghassem
Darius Ghassem earned 250 total points
ID: 22633683
We added it to our AD domain to fix this issue in 2003 and kept it this way when we started implementing 2008 servers.
0
 
LVL 12

Assisted Solution

by:Pugglewuggle
Pugglewuggle earned 250 total points
ID: 22635842
I suppose that would work... the only problem then is that all machines on the whole domain share the IUSR account and a break in any one of them can potentially allow a hacker to compromise every computer on the domain with that IUSR account since they all have the same password.
Try to consider these things so you don't accidentally open a security hole... or in this case a security cave.
Cheers! :)
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 22635937
Yes, that is true. The local users and group module has been disabled if the server is a DC until Server 2008. I like that it's not disabled anymore for this reason. If you demote a server to a member server then you recreate the local users and groups which removes the domain users out of the permissions.
0
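
Added example (not part of the original thread): a PowerShell check for the two points discussed above, namely whether the built-in IUSR and IIS_IUSRS identities resolve on the server, and which account each anonymous-authentication entry in IIS actually uses. It assumes PowerShell 2.0 or later, an elevated session, and the default `applicationHost.config` location; the SIDs are Windows' well-known values, and per-site `web.config` overrides are not inspected.

```powershell
# Added example. Part 1: do the built-in IIS identities resolve on this machine?
# Well-known SIDs defined by Windows (not taken from the thread).
$wellKnown = @{ 'IUSR' = 'S-1-5-17'; 'IIS_IUSRS' = 'S-1-5-32-568' }
foreach ($name in $wellKnown.Keys) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($wellKnown[$name])
    try {
        $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        Write-Output ("{0,-10} {1,-13} resolves to {2}" -f $name, $sid.Value, $account)
    } catch {
        # Translate() throws when the SID has no account mapping on this machine.
        Write-Output ("{0,-10} {1,-13} does NOT resolve: {2}" -f $name, $sid.Value, $_.Exception.Message)
    }
}

# Part 2: which identity does anonymous authentication run as?
# A custom (for example, domain) account here is the shared-credential risk raised above.
$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
if (-not (Test-Path $configPath)) {
    Write-Output "applicationHost.config not found at $configPath (assumed default path)"
    return
}
[xml]$config = Get-Content -Path $configPath
foreach ($node in $config.SelectNodes('//anonymousAuthentication')) {
    # Find the enclosing <location path="..."> element, if there is one.
    $scope = '(server default)'
    $parent = $node.ParentNode
    while ($parent -ne $null) {
        if ($parent.LocalName -eq 'location') {
            $scope = "location '" + $parent.GetAttribute('path') + "'"
            break
        }
        $parent = $parent.ParentNode
    }
    if (-not $node.HasAttribute('userName')) {
        $user = 'IUSR'; $note = 'attribute absent, schema default (built-in identity)'
    } elseif ($node.GetAttribute('userName') -eq '') {
        $user = '(empty)'; $note = 'runs as the application pool identity'
    } elseif ($node.GetAttribute('userName') -eq 'IUSR') {
        $user = 'IUSR'; $note = 'built-in identity, local to this server'
    } else {
        $user = $node.GetAttribute('userName')
        $note = 'REVIEW: custom account; check whether it is shared across servers'
    }
    Write-Output ("{0,-28} enabled={1,-6} userName={2,-20} {3}" -f $scope, $node.GetAttribute('enabled'), $user, $note)
}
```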

Question has a verified solution.
