  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 7644

Missing IUSR account to show up on Windows Server 2008

Hi,

We have a Windows Server 2008 box running as a secondary domain controller; our primary domain controller is a Windows Server 2003 machine, and both the domain and forest functional levels are set to 2003. We have subsequently installed IIS7 for some internal test projects; however, when setting up the first site we discovered that the box seemed to be missing both the IUSR and IIS_IUSRS built-in accounts. Obviously we need these accounts to set the permissions correctly for any web applications we choose to set up.

After some investigation, I discovered link text, with an associated JScript file to run to resolve the issue. Unfortunately, after running the script and rebooting, the IUSR account is still missing. (The IIS_IUSRS account has been restored.)

Any ideas on how to resolve this would be much appreciated.

Thanks.
Asked by: mattskiver
2 Solutions
 
Darius Ghassem commented:
What we did was this: since the IUSR was a built-in account that was local, and once you promote the server it will disable the local users and groups, we ended up adding them to Active Directory.
 
Pugglewuggle commented:
I have no problem with this - I'm running 2008 Standard as a primary DC and it has IIS on it - the IUSR account shows up fine.
If I were you I'd uninstall the IIS role, restart the computer, and then re-add it. This will solve your problem by restoring all IIS accounts to their defaults.
 
Darius Ghassem commented:
@Pugglewuggle

Good point, I didn't even pay attention to the fact that this is 2008. I know in 2003 if you make the server a DC then it will disable all local accounts, including the built-in accounts. I will have to check on a 2008 machine to see what the status is with this now.
 
Pugglewuggle commented:
Yes, 2008 doesn't erase local accounts, but go ahead and do what I said as far as uninstalling and reinstalling IIS, okay mattskiver?
Cheers!
 
mattskiver (author) commented:
Hi,

Thanks for your suggestions. Unfortunately, removing the IIS role, rebooting, and re-adding it didn't help. This is a known problem with Windows Server 2008 domain controllers running in a Windows Server 2000 / 2003 domain. The script we ran and the technical description of the problem can be found at http://support.microsoft.com/kb/946139. Unfortunately we still don't have the IUSR account. If anyone has any other suggestions, they would be much appreciated.
 
Darius Ghassem commented:
We added it to our AD domain to fix this issue in 2003 and kept it this way when we started implementing 2008 servers.
 
Pugglewuggle commented:
I suppose that would work... the only problem then is that all machines on the whole domain share the IUSR account and a break in any one of them can potentially allow a hacker to compromise every computer on the domain with that IUSR account since they all have the same password.
Try to consider these things so you don't accidentally open a security hole... or in this case a security cave.
Cheers! :)
 
Darius Ghassem commented:
Yes, that is true. The local users and group module has been disabled if the server is a DC until Server 2008. I like that it's not disabled anymore for this reason. If you demote a server to a member server then you recreate the local users and groups which removes the domain users out of the permissions.
Question has a verified solution.
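
An added example, not from any participant in this thread or from the KB article: a PowerShell check that looks up the IIS 7 identities by their well-known SIDs (S-1-5-17 for IUSR, S-1-5-32-568 for IIS_IUSRS) rather than by browsing the account list, then reports which identity anonymous requests actually run as and flags the shared-domain-account case raised above. It assumes an elevated prompt, PowerShell 2.0 or later, and appcmd.exe in its default location.

```powershell
# Added example: run elevated on the IIS 7 server in question.
# Well-known SIDs of the IIS 7 built-in identities.
$wellKnown = @{
    'IUSR'      = 'S-1-5-17'
    'IIS_IUSRS' = 'S-1-5-32-568'
}

foreach ($name in $wellKnown.Keys) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier $wellKnown[$name]
    try {
        # Translate() throws if the SID cannot be mapped to an account name here.
        $account = $sid.Translate([System.Security.Principal.NTAccount])
        Write-Output ("{0,-10} {1,-13} resolves to {2}" -f $name, $sid.Value, $account.Value)
    } catch {
        Write-Output ("{0,-10} {1,-13} does NOT resolve on this machine" -f $name, $sid.Value)
    }
}

# Which identity does anonymous authentication use? (default appcmd path assumed)
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
if (-not (Test-Path $appcmd)) {
    Write-Output 'appcmd.exe not found; is the IIS role installed?'
    return
}

$section = 'system.webServer/security/authentication/anonymousAuthentication'
[xml]$cfg = (& $appcmd list config "-section:$section") -join "`n"
$anon = $cfg.'system.webServer'.security.authentication.anonymousAuthentication
$user = $anon.userName

if ($anon.enabled -ne 'true') {
    Write-Output 'Anonymous authentication is disabled at server level.'
} elseif ([string]::IsNullOrEmpty($user)) {
    Write-Output 'Anonymous requests run as the application pool identity.'
} elseif ($user -eq 'IUSR') {
    Write-Output 'Anonymous requests run as the built-in IUSR identity.'
} elseif ($user -match '[\\@]') {
    # DOMAIN\name or name@domain: the same credential is valid on every
    # server configured with it, so one compromised host exposes all of them.
    Write-Output "WARNING: anonymous requests run as domain account '$user'."
} else {
    Write-Output "Anonymous requests run as custom account '$user'."
}
```

Site-level overrides are not covered here; pass a site name to `appcmd list config` to check an individual site.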