How to run script to fix IIS 7.0 account problem

I have a problem with the IIS account after setting a Windows 2008 server as a domain controller. A solution has been found on the Microsoft support site, as below. I am not familiar with running scripts. How can I create and run the sample script (shown below) as provided by Microsoft to fix the problem? Do I need to change the sample script to fit my system? Please provide detailed steps for me to follow. Thanks.


You cannot resolve the built-in IIS accounts after you set a Windows Server 2008-based server that is running IIS 7.0 as a domain controller

Consider the following scenario. You have a Windows Server 2008-based server that is running Internet Information Services (IIS) 7.0. You set the Windows Server 2008-based server as a domain controller of a Windows 2000-based domain or of a Windows Server 2003-based domain. In this scenario, you cannot resolve the built-in IIS accounts, such as the IIS_IUSRS group or the IUSR guest user account. You can see only the raw security identifier (SID) of the built-in IIS accounts.

This problem occurs because the IIS 7.0 built-in accounts specification for Windows Server 2008 does not exist in earlier domains, such as Windows 2000-based domains and Windows Server 2003-based domains. When the IIS 7.0 server is set as a Windows 2000-based domain controller or a Windows Server 2003-based domain controller, the Windows Server 2008 accounts cannot be resolved.

To resolve this problem, use the following sample script.
// (c) 2007, Microsoft Corp.

// Check the version of the operating system. Stop the script if the version is earlier than 6.
if ( ! CheckOSVersion() )
{
    WScript.Echo("ERROR: This script will only work on Longhorn Server or above.");
    WScript.Quit(1);
}

// Retrieve the local computer's rootDSE LDAP object.
var localRootDse = null;
try
{
    localRootDse = GetObject("LDAP://localhost/rootDSE");
}
catch (e)
{
    WScript.Echo("There was an error attempting to retrieve the localhost RootDSE object.");
    WScript.Echo("Perhaps this machine is not a Domain Controller on the network?");
    WScript.Echo("ErrorCode: " + e.number);
    WScript.Quit(1);
}

// Retrieve several rootDSE properties
var dnsHostName = localRootDse.Get("dnsHostName");
var dsServiceName = localRootDse.Get("dsServiceName");
var defaultNamingContext = localRootDse.Get("defaultNamingContext");

// Open the default naming context
var ncObj = GetObject("LDAP://" + defaultNamingContext);

// Get the "FSMO Role Owner" (the NTDS Settings object of the PDC emulator)
var strfsmoNtdsa = ncObj.FsmoRoleOwner;
var fsmoNtdsaObj = GetObject("LDAP://" + strfsmoNtdsa);

// Get the parent object of "FSMO Role Owner"
var fsmoServerObj = GetObject(fsmoNtdsaObj.Parent);

// By using the Server Reference, retrieve the name of the PDC computer
var strFsmoComputer = fsmoServerObj.ServerReference;
var fsmoComputerObj = GetObject("LDAP://" + strFsmoComputer);
var pdcName = fsmoComputerObj.Get("name");

// Get the RootDSE object for the PDC
var pdcRootDse = GetObject("LDAP://" + pdcName + "/rootDSE");

// Check whether the PDC is a legacy domain or not.
// (0 = Windows 2000, 1 = Windows Server 2003 interim, 2 = Windows Server 2003, 3 = Windows Server 2008)
var domainControllerFunctionality = pdcRootDse.Get("domainControllerFunctionality");
if ( domainControllerFunctionality > 2 )
{
    WScript.Echo("Domain is already operating in a mode higher than Windows Server 2003 mode. Stopping script execution.");
    WScript.Quit(0);
}

// Get the default naming context for the PDC
var pdcDefaultNamingContext = pdcRootDse.Get("defaultNamingContext");

// Retrieve the well known object from the PDC (this WKGUID is the System container)
var pdcSystem = GetObject("LDAP://" + pdcName + "/<WKGUID=AB1D30F3768811D1ADED00C04FD8D5CD," + pdcDefaultNamingContext + ">");

// Get the distinguished name for the well known object
var pdcDistinguishedName = pdcSystem.Get("distinguishedName");

// Check whether the task has already been run
var taskMarker = null;
try
{
    taskMarker = GetObject("LDAP://" + pdcName + "/<WKGUID=6ACDD74F3F314ae396F62BBE6B2DB961,CN=Server," + pdcDistinguishedName + ">");
}
catch (e)
{
    if ( e.number == -2147016656 ) // Check and see if error code is ERROR_DS_NO_SUCH_OBJECT
    {
        taskMarker = null;
    }
    else
    {
        WScript.Echo("Error attempting to retrieve well known object from PDC.");
        WScript.Echo("Name: " + e.name + "\nDescription: " + e.description + "\nCode: " + e.number + "\nMessage: " + e.message);
        WScript.Quit(1);
    }
}

// If the well known object exists, the SAM upgrade is already running. Therefore, stop the script.
if ( taskMarker != null )
{
    WScript.Echo("SAM upgrade task already being run. No work done.");
    WScript.Quit(0);
}

// Get the Server container with that distinguished name
var serverObj = GetObject("LDAP://" + pdcName + "/CN=Server," + pdcDistinguishedName);

// Prepare a safe array (for example, VBArray) with one entry
var jsArray = new Array(1);
jsArray[0] = "B:32:6ACDD74F3F314ae396F62BBE6B2DB961:"+ dsServiceName;
var vbArray = JS2VBArray(jsArray);

try
{
    // Append an entry to the "Other-Well-Known-Objects" attribute for the
    // previous server object. PutEx(3, ...) is ADS_PROPERTY_APPEND; SetInfo() commits the ADSI cache to the directory.
    serverObj.PutEx(3, "otherWellKnownObjects", vbArray);
    serverObj.SetInfo();
}
catch (e)
{
    WScript.Echo("Unexpected error attempting to put the well known GUID.");
    WScript.Echo("ErrorCode: " + e.number);
    WScript.Quit(1);
}

WScript.Echo("Running upgrade task.");

// Set the "runSamUpgradeTasks" attribute in the local rootDSE and commit it
localRootDse.Put("runSamUpgradeTasks", 1);
localRootDse.SetInfo();

// Remove the binary data from the previous well known object entry (PutEx(4, ...) is ADS_PROPERTY_DELETE)
serverObj.PutEx(4, "otherWellKnownObjects", vbArray);
serverObj.SetInfo();

// The upgrade is complete.
WScript.Echo("Done!");

function CheckOSVersion()
{
    var wbemFlagReturnImmediately = 0x10;
    var wbemFlagForwardOnly = 0x20;
    var objWMIService = GetObject("winmgmts:\\\\.\\root\\CIMV2");
    var colItems = objWMIService.ExecQuery("SELECT * FROM Win32_OperatingSystem", "WQL",
                                      wbemFlagReturnImmediately | wbemFlagForwardOnly);
    var enumItems = new Enumerator(colItems);
    for (; !enumItems.atEnd(); enumItems.moveNext()) {
        var objItem = enumItems.item();
        var fullVersion = objItem.Version;      // e.g. "6.0.6001"
        var indexPoint = fullVersion.indexOf(".");
        if ( indexPoint == -1 )
            return false;
        var majorVersion = fullVersion.substring(0, indexPoint);
        // Compare numerically; a string comparison would misorder "10" against "6".
        return (parseInt(majorVersion, 10) >= 6);
    }
    return false;
}

function JS2VBArray( objJSArray )
{
    var dictionary = new ActiveXObject( "Scripting.Dictionary" );
    for ( var i = 0; i < objJSArray.length; i++ )
    {
        dictionary.add( i, objJSArray[ i ] );
    }
    // Dictionary.Items() returns a COM SafeArray, which ADSI PutEx accepts.
    return dictionary.Items();
}
1 Solution
I've never run into this issue before, but from my reading of the KB article, here's what you do:
  1. There's no need to adapt the script.  You just need to run it once on your Win2008 computer
  2. Create a .js file containing the code in the KB using Notepad.  Here's how:
    -open Notepad
    -copy everything from the code window on the KB page (highlight, then Ctrl-C)
    -paste it into your Notepad window
    -File > Save in Notepad.  Make sure your file has a .js extension, so put double quotes around your file name when saving, say "upgrade.js".
  3. Run the script file you created.  Locate the .js file you just created and double-click it.  There'll be several notification dialog boxes during the run; just click OK to get through them.  If all goes OK, it'd eventually say "Done!".
  4. You should be problem free!
Edmund_K (Author) commented:
I get the "Done" message after running the .js script. As there was no error message shown during the processing, does it mean the problem is fixed?
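A way to answer that last question directly, rather than inferring from the absence of errors: the symptom in the KB text is that the IIS_IUSRS group and the IUSR account show only as raw SIDs, so the check is whether those SIDs now translate to names. The following PowerShell is an added verification script, not part of the KB article or of either post in this thread. It assumes PowerShell 2.0 or later on the Windows Server 2008 domain controller, reads the same domainControllerFunctionality attribute the KB script tests, and then tries to resolve the two well-known SIDs (S-1-5-32-568 for BUILTIN\IIS_IUSRS and S-1-5-17 for NT AUTHORITY\IUSR).

```powershell
# Added verification script (not from the KB article or the thread).
# Run it on the Windows Server 2008 domain controller after the KB script
# has printed "Done!". Requires PowerShell 2.0+ (try/catch).

# Well-known SIDs of the two IIS 7.0 built-in accounts named in the KB text.
$iisSids = @{
    'IIS_IUSRS (BUILTIN group)'  = 'S-1-5-32-568'
    'IUSR (built-in guest user)' = 'S-1-5-17'
}

# Read domainControllerFunctionality from the local rootDSE, as the KB script does.
# 0 = Windows 2000, 1 = Windows Server 2003 interim, 2 = Windows Server 2003, 3 = Windows Server 2008.
$rootDse = [ADSI]'LDAP://localhost/rootDSE'
$dcLevel = [int]$rootDse.domainControllerFunctionality.Value
Write-Host ("domainControllerFunctionality = {0}" -f $dcLevel)
if ($dcLevel -gt 2) {
    Write-Host "DC is at a Windows Server 2008 or later level; the KB script exits without doing anything there."
}

# Try to translate each SID to an account name; an unresolvable SID throws
# IdentityNotMappedException, which is exactly the "raw SID only" symptom.
$allResolved = $true
foreach ($entry in $iisSids.GetEnumerator()) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier $entry.Value
    try {
        $account = $sid.Translate([System.Security.Principal.NTAccount])
        Write-Host ("OK         {0,-13} -> {1}" -f $entry.Value, $account.Value)
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        $allResolved = $false
        Write-Host ("UNRESOLVED {0,-13} ({1}) still shows only its raw SID" -f $entry.Value, $entry.Key)
    }
}

if ($allResolved) {
    Write-Host "Both IIS built-in accounts resolve to names; the fix has taken effect."
} else {
    Write-Host "At least one account still does not resolve; re-run the KB script from an elevated prompt and check its output."
}
```

Two practical notes on running the KB script itself. Double-clicking a .js file runs it under wscript.exe, which is why every WScript.Echo appears as a dialog box; running it as cscript //nologo upgrade.js from an elevated command prompt on the DC prints the same messages to the console, which is easier to read and to paste into a follow-up question. The script writes to CN=Server,CN=System on the PDC emulator and to the local rootDSE, so it has to run as an account with write access there, in practice a member of Domain Admins.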
