Solved

Missing IUSR account to show up on Windows Server 2008

Posted on 2008-10-02
Last Modified: 2011-09-20
Hi,

We have a Windows Server 2008 box running as a secondary domain controller; our primary domain controller is a Windows Server 2003 machine, and both the domain and forest functional levels are set to 2003. We have subsequently installed IIS7 for some internal test projects; however, when setting up the first site we discovered that the box seemed to be missing both the IUSR and IIS_IUSRS built-in accounts. Obviously we need these accounts to set the permissions correctly for any web applications we choose to set up.

After some investigation, I discovered link text, with an associated JScript file to run to resolve the issue. Unfortunately, after running the script and rebooting, the IUSR account is still missing. (The IIS_IUSRS account has been restored.)

Any ideas on how to resolve this would be much appreciated.

Thanks.
Question by:mattskiver
10 Comments
 

Expert Comment

by:Darius Ghassem
ID: 22626719
What we did was this: since the IUSR was a built-in account that was local, and once you promote the server it will disable the local users and groups, we ended up adding them to Active Directory.

Expert Comment

by:Pugglewuggle
ID: 22628532
I have no problem with this - I'm running 2008 Standard as a primary DC and it has IIS on it - the IUSR account shows up fine.
If I were you I'd uninstall the IIS role, restart the computer, and then re-add it. This will solve your problem by restoring all IIS accounts to their defaults.

Expert Comment

by:Darius Ghassem
ID: 22628631
@Pugglewuggle

Good point, I didn't even pay attention to the fact that this is 2008. I know in 2003 if you make the server a DC then it will disable all local accounts including the built-in accounts. I will have to check on a 2008 machine to see what the status is with this now.

Expert Comment

by:Pugglewuggle
ID: 22628912
Yes, 2008 doesn't erase local accounts, but go ahead and do what I said as far as uninstalling and reinstalling IIS, okay mattskiver?
Cheers!

Author Comment

by:mattskiver
ID: 22632900
Hi,

Thanks for your suggestions. Unfortunately, removing the IIS role, rebooting, and re-adding it didn't help. This is a known problem with Windows Server 2008 domain controllers running in a Windows Server 2000 / 2003 domain. The script we ran and the technical description of the problem can be found at http://support.microsoft.com/kb/946139. Unfortunately we still don't have the IUSR account. If anyone has any other suggestions, they would be much appreciated.

Accepted Solution

by:Darius Ghassem
Darius Ghassem earned 250 total points
ID: 22633683
We added it to our AD domain to fix this issue in 2003 and kept it this way when we started implementing 2008 servers.

Assisted Solution

by:Pugglewuggle
Pugglewuggle earned 250 total points
ID: 22635842
I suppose that would work... the only problem then is that all machines on the whole domain share the IUSR account and a break-in on any one of them can potentially allow a hacker to compromise every computer on the domain with that IUSR account since they all have the same password.
Try to consider these things so you don't accidentally open a security hole... or in this case a security cave.
Cheers! :)
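
An added example, not part of the thread or any poster's own code: a PowerShell audit that lists which identity each IIS 7 anonymous-authentication scope runs as, and marks scopes that use a domain account of the kind the comment above warns about. The function name `Get-AnonymousIdentity`, the `EXAMPLE` domain and the embedded configuration are constructed for illustration; on a real server the input would be the contents of `%windir%\System32\inetsrv\config\applicationHost.config`.

```powershell
# Constructed sample in the layout of applicationHost.config (not from a real server).
$SampleConfig = @'
<configuration>
  <system.webServer>
    <security><authentication>
      <anonymousAuthentication enabled="true" userName="IUSR" />
    </authentication></security>
  </system.webServer>
  <location path="Intranet Test Site">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="true" userName="EXAMPLE\IUSR" password="[enc:placeholder]" />
    </authentication></security></system.webServer>
  </location>
  <location path="Pool Identity Site">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="true" userName="" />
    </authentication></security></system.webServer>
  </location>
</configuration>
'@

function Get-AnonymousIdentity {
    param([Parameter(Mandatory = $true)][string]$ConfigXml)
    $doc = [xml]$ConfigXml
    foreach ($node in $doc.SelectNodes('//anonymousAuthentication')) {
        # Walk up to the enclosing <location> element, if any, to name the scope.
        $scope = '(server default)'
        $p = $node.ParentNode
        while ($null -ne $p -and $p.NodeType -eq 'Element') {
            if ($p.LocalName -eq 'location') { $scope = $p.GetAttribute('path'); break }
            $p = $p.ParentNode
        }
        $user = $node.GetAttribute('userName')
        $kind = if (-not $node.HasAttribute('userName')) { 'inherited from parent scope' }
                elseif ($user -eq '')          { 'application pool identity' }
                elseif ($user -eq 'IUSR')      { 'built-in IUSR' }
                elseif ($user -match '[\\@]')  { 'domain account' }
                else                           { 'custom local account' }
        New-Object PSObject -Property @{
            Scope = $scope; UserName = $user; Kind = $kind
            StoredPassword = $node.HasAttribute('password')
            Review = ($kind -eq 'domain account')   # same credential on every server using it
        }
    }
}

Get-AnonymousIdentity -ConfigXml $SampleConfig |
    Format-Table Scope, UserName, Kind, StoredPassword, Review -AutoSize
```

Rows with `Review` set to `True` are the scopes where anonymous requests run under a credential that other machines in the domain may also be using.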

Expert Comment

by:Darius Ghassem
ID: 22635937
Yes, that is true. The local users and group module has been disabled if the server is a DC until Server 2008. I like that it's not disabled anymore for this reason. If you demote a server to a member server then you recreate the local users and groups which removes the domain users out of the permissions.