Solved

Missing IUSR account to show up on Windows Server 2008

Posted on 2008-10-02
Last Modified: 2011-09-20
Hi,

We have a Windows Server 2008 box running as a secondary domain controller; our primary domain controller is a Windows Server 2003 machine, and both the domain and forest functional levels are set to 2003. We have subsequently installed IIS7 for some internal test projects; however, when setting up the first site we discovered that the box seemed to be missing both the IUSR and IIS_IUSRS built-in accounts. Obviously we need these accounts to set the permissions correctly for any web applications we choose to set up.

After some investigation, I discovered link text, with an associated JScript file to run to resolve the issue. Unfortunately, after running the script and rebooting, the IUSR account is still missing. (The IIS_IUSRS account has been restored.)

Any ideas on how to resolve this would be much appreciated.

Thanks.
Question by:mattskiver
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 22626719
What we did, since the IUSR was a built-in account that was local: once you promote the server it will disable the local users and groups, so we ended up adding them to Active Directory.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22628532
I have no problem with this - I'm running 2008 Standard as a primary DC and it has IIS on it - the IUSR account shows up fine.
If I were you I'd uninstall the IIS role, restart the computer, and then re-add it. This will solve your problem by restoring all IIS accounts to their defaults.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 22628631
@Pugglewuggle

Good point, I didn't even pay attention that this is 2008. I know in 2003 if you make the server a DC then it will disable all local accounts including the built-in accounts. I will have to check on a 2008 machine to see what the status is with this now.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22628912
Yes, 2008 doesn't erase local accounts, but go ahead and do what I said as far as uninstalling and reinstalling IIS, okay mattskiver?
Cheers!
0
 

Author Comment

by:mattskiver
ID: 22632900
Hi,

Thanks for your suggestions, unfortunately removing the IIS role, rebooting, and re-adding it didn't help. This is a known problem with Windows Server 2008 domain controllers running in a Windows Server 2000 / 2003 domain. The script we ran and the technical description of the problem can be found at http://support.microsoft.com/kb/946139. Unfortunately we still don't have the IUSR account. If anyone has any other suggestions, they would be much appreciated.
0
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 1000 total points
ID: 22633683
We added it to our AD domain to fix this issue in 2003 and kept it this way when we started implementing 2008 servers.
0
 
LVL 12

Assisted Solution

by:Pugglewuggle
Pugglewuggle earned 1000 total points
ID: 22635842
I suppose that would work... the only problem then is that all machines on the whole domain share the IUSR account, and a break-in on any one of them can potentially allow a hacker to compromise every computer on the domain with that IUSR account, since they all have the same password.
Try to consider these things so you don't accidentally open a security hole... or in this case a security cave.
Cheers! :)
0
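An added example, not part of the original thread: a PowerShell check that reports which identity each IIS 7 scope uses for anonymous requests and flags a domain account, the shared-credential situation raised in the comment above. The configuration fragment, the site names, the EXAMPLE\IUSR_SHARED account and the function name Get-AnonymousIdentityReport are constructed for illustration.

```powershell
# Constructed sample: a trimmed applicationHost.config fragment (not from the thread).
# On a real server, load $env:windir\System32\inetsrv\config\applicationHost.config instead.
[xml]$config = @'
<configuration>
  <system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" userName="IUSR" />
  </authentication></security></system.webServer>
  <location path="Intranet Test Site">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="true" userName="EXAMPLE\IUSR_SHARED" password="[placeholder]" />
    </authentication></security></system.webServer>
  </location>
  <location path="Pool Identity Site">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="true" userName="" />
    </authentication></security></system.webServer>
  </location>
</configuration>
'@

function Get-AnonymousIdentityReport {
    param([xml]$Config)
    foreach ($node in $Config.SelectNodes('//anonymousAuthentication')) {
        # Walk up to the enclosing <location>, if any, to learn which site the setting applies to.
        $scope = '(server default)'
        $p = $node.ParentNode
        while ($p -and $p.LocalName -ne 'location') { $p = $p.ParentNode }
        if ($p) { $scope = $p.GetAttribute('path') }

        $user = $node.GetAttribute('userName')
        # IIS 7 defaults userName to IUSR; an empty string means the application pool identity is used.
        if (-not $node.HasAttribute('userName') -or $user -eq 'IUSR') { $kind = 'built-in IUSR' }
        elseif ($user -eq '') { $kind = 'application pool identity' }
        elseif ($user -match '\\|@') { $kind = 'DOMAIN ACCOUNT (credential shared across servers)' }
        else { $kind = 'other named account' }

        # [pscustomobject] needs PowerShell 3.0 or later.
        [pscustomobject]@{
            Scope    = $scope
            Enabled  = $node.GetAttribute('enabled')
            UserName = $user
            Identity = $kind
        }
    }
}

Get-AnonymousIdentityReport -Config $config | Format-Table -AutoSize
```

Run against each web server's own configuration file, any row flagged as a domain account marks a site whose anonymous identity depends on a password shared with every other server using that account.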
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 22635937
Yes, that is true. The local users and group module has been disabled if the server is a DC until Server 2008. I like that it's not disabled anymore for this reason. If you demote a server to a member server then you recreate the local users and groups which removes the domain users out of the permissions.
0
