IIS

How to get the IUSR and IWAM user account passwords on a Microsoft IIS server

IIS uses the IUSR_servername guest account to allow anonymous access to websites hosted on the server.  You can always change this to a different account or even change the password for this account yourself.  But sometimes you might be in a situation where you can’t or don’t want to change the password but need to know what password Windows set for it when you installed IIS.

Here’s how the IUSR account works by the way:

1. User types in http://www.yoursite.com

2. IIS gets the page request, impersonates the IUSR_servername account, then executes/accesses the webpage located in your home directory using this account.  It checks NTFS permissions and such during this time as well.  Please note that the IUSR account has the “Log on Locally” permission by default to accomplish all this.

3. If everything goes well, authentication is completed and the requested page is sent back to the user’s browser.  If something doesn’t go well, such as anonymous access being disabled or NTFS permissions on your root directory not including the IUSR account, the user will typically get an “HTTP 403 Access Denied” error message.

Anyhow, you can find the IUSR account password without having to reset it by using the Adsutil.vbs tool.  Open a command prompt and navigate to C:\Inetpub\AdminScripts.  Then type:

cscript.exe adsutil.vbs get w3svc/anonymoususerpass

or

cscript.exe adsutil.vbs get w3svc/wamuserpass

to display the IUSR and IWAM account passwords respectively.  You will notice that the passwords are just a bunch of asterisks.  To make them cleartext, navigate to C:\Inetpub\AdminScripts and edit Adsutil.vbs in Notepad.  Find this line:

IsSecureProperty = True

and change it to:

IsSecureProperty = False

Now run the script commands above again and you will see the passwords in clear text.  Make sure to put Adsutil.vbs back to the way it was because it’s not best practice in my opinion to leave your tool with clear text enabled.
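A check for that last step, as an added example that is not part of the original post: it reports whether the `IsSecureProperty = True` assignment named above is still present and active in the script. The function name `Test-AdsutilMasking` and the sample lines are hypothetical, and it assumes PowerShell is installed on the server or that the file has been copied to a machine that has it.

```powershell
# Added example (not the post's or Microsoft's code). Test-AdsutilMasking is a hypothetical name.
function Test-AdsutilMasking {
    param(
        [string[]]$Lines   # contents of Adsutil.vbs, one element per line
    )
    # VBScript is case-insensitive, and so is -match.
    # Anchoring at the start of the line skips assignments that were
    # commented out with ' or Rem instead of being deleted.
    $assign = '^\s*IsSecureProperty\s*=\s*(True|False)\b'
    $hits = @()
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match $assign) {
            $hits += New-Object PSObject -Property @{
                Line  = $i + 1
                Value = $Matches[1]
                Text  = $Lines[$i].Trim()
            }
        }
    }
    # The post's edit turns "IsSecureProperty = True" into "= False".
    # If no active "= True" assignment remains, the edit was never reverted.
    $trueCount = @($hits | Where-Object { $_.Value -eq 'True' }).Count
    New-Object PSObject -Property @{
        MaskingIntact = ($trueCount -gt 0)
        Assignments   = $hits
    }
}

# Constructed sample lines, not the real contents of Adsutil.vbs.
$restored = @(
    "' constructed sample",
    "     IsSecureProperty = True"
)
$leftEdited = @(
    "' constructed sample",
    "     ' IsSecureProperty = True",
    "     issecureproperty = false"
)

Test-AdsutilMasking $restored   | Format-List MaskingIntact, Assignments
Test-AdsutilMasking $leftEdited | Format-List MaskingIntact, Assignments

# Against the real file on the server:
# Test-AdsutilMasking (Get-Content 'C:\Inetpub\AdminScripts\adsutil.vbs')
```

A result with `MaskingIntact` set to False means the script will still print secure metabase properties in clear text to anyone who can run it.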

Please note that with IIS 7, this has all changed:

1. The IUSR built-in account replaces the IUSR_Servername and IWAM_Servername accounts.  It also no longer has a password since it is a local service account and not a user account, so this blog post does not apply to IIS 7 at all.

2. The IIS_IUSRS built-in group replaces the IIS_WPG group (worker process group).

4 Comments

  1. Christoph Wegener

    August 22, 2011 at 5:25 AM

    That’s a really good one! I didn’t know about this.
    Bookmarked! 🙂

  2. Pingback: How to get the IUSR and IWAM user account passwords on an IIS server · Etdot.com

  3. Al

    July 12, 2014 at 2:39 PM

    Thanks for the info.

    I know this is an old post, but for me the encrypted password is 10 characters long. When I use this trick to find the password it gives me a string that is 14 characters long.

    Is that like a Microsoft thing, that the encrypted passwords show 10 asterisks rather than the real amount for security’s sake?

  4. farchi

    September 6, 2016 at 2:43 AM

    Thanks a lot!

JasonSamuel.com began in 2008 as a way for me to give back to the IT community. This website features the latest news and how-to's on enterprise mobility, security, virtualization, cloud architecture, and other technologies I work with. This website has evolved over time to become a go-to reference hub for these technologies. It receives hundreds of thousands of unique visitors from all over the world each month. More details on the About Me page.
Copyright © 2008-2023 JasonSamuel.com