IIS uses the IUSR_servername guest account to allow anonymous access to websites hosted on the server. You can always change this to a different account or even change the password for this account yourself. But sometimes you might be in a situation where you can’t or don’t want to change the password but need to know what password Windows has set for it when you installed IIS.
Here’s how the IUSR account works by the way:
1. User types in http://www.yoursite.com
2. IIS gets the page request, impersonates the IUSR_servername account, then executes/accesses the webpage located in your home directory using this account. It checks NTFS permissions and such during this time as well. Please note that the IUSR account has the “Log on Locally” permission by default to accomplish all this.
3. If everything goes well, authentication is completed and the requested page is sent back to the user’s browser. If something doesn’t go well, such as anonymous access being disabled or the NTFS permissions on your root directory not including the IUSR account, the user will typically get an “HTTP 403 Access Denied” error message.
Anyhow, you can find the IUSR account password without having to reset it by using the Adsutil.vbs tool. Open up command prompt and navigate to C:\Inetpub\AdminScripts. Then type:
cscript.exe adsutil.vbs get w3svc/anonymoususerpass
or
cscript.exe adsutil.vbs get w3svc/wamuserpass
to display the IUSR and IWAM account passwords respectively. You will notice that the passwords are just a bunch of asterisks. To make them cleartext, navigate to C:\Inetpub\AdminScripts and edit Adsutil.vbs in Notepad. Find this line:
IsSecureProperty = True
and change it to:
IsSecureProperty = False
Now run the script commands above again and you will see the passwords in clear text. Make sure to put Adsutil.vbs back to the way it was because it’s not best practice in my opinion to leave your tool with clear text enabled.
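To confirm the script really was put back, or to audit a server for a copy left in cleartext mode, here is an added PowerShell check that is not part of the original post or of Adsutil.vbs itself. It assumes the stock script contains the `IsSecureProperty = True` assignment referred to above, so a copy with no such assignment left has been edited; the function name and sample text are constructed for illustration.

```powershell
function Test-AdsutilCleartext {
    param([Parameter(Mandatory)][string]$ScriptText)

    $trueCount = 0
    $falseCount = 0
    foreach ($line in ($ScriptText -split '\r?\n')) {
        # VBScript comments start with an apostrophe; ignore anything after it
        # so a commented-out original line is not counted as live code.
        $code = ($line -split "'", 2)[0]
        if ($code -match '^\s*IsSecureProperty\s*=\s*(True|False)\s*$') {
            if ($Matches[1] -ieq 'True') { $trueCount++ } else { $falseCount++ }
        }
    }

    [pscustomobject]@{
        TrueAssignments  = $trueCount
        FalseAssignments = $falseCount
        # With no "= True" assignment left, secure properties are never masked.
        CleartextEnabled = ($trueCount -eq 0 -and $falseCount -gt 0)
    }
}

# Constructed sample text (not copied from the real script): an unedited form,
# and the same text after the edit described in this post.
$unedited = @'
If (Attribute = True) Then
    IsSecureProperty = True
Else
    IsSecureProperty = False
End If
'@
$edited = $unedited -replace 'IsSecureProperty = True', 'IsSecureProperty = False'

(Test-AdsutilCleartext -ScriptText $unedited).CleartextEnabled   # False
(Test-AdsutilCleartext -ScriptText $edited).CleartextEnabled     # True

# Audit the real file when it exists at the path used in this post.
$path = 'C:\Inetpub\AdminScripts\Adsutil.vbs'
if (Test-Path $path) {
    Test-AdsutilCleartext -ScriptText (Get-Content -Path $path -Raw)
}
```

`Get-Content -Raw` and `[pscustomobject]` need PowerShell 3.0 or later, so on an older server copy the file to an admin workstation and run the check there.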
Please note that with IIS 7, this has all changed:
1. The IUSR built-in account replaces the IUSR_Servername and IWAM_Servername accounts. It also no longer has a password, since it is a local service account and not a user account, so this blog post does not apply to IIS 7 at all.
2. The IIS_IUSRS built-in group replaces the IIS_WPG group (worker process group).
Jason Samuel is a visionary product leader and trusted advisor with a proven track record of shaping strategy and driving technology innovation. With extensive expertise in enterprise end-user computing, security, cloud, automation, and virtualization technologies, Jason has become a globally recognized authority in the IT industry. His career spans consulting for hundreds of Fortune 500 enterprises across diverse business sectors worldwide, delivering cutting-edge digital solutions from Citrix, Microsoft, VMware, Amazon, Google, and NVIDIA that seamlessly balance security with exceptional user experiences.
Christoph Wegener
August 22, 2011 at 5:25 AM
That’s a really good one! I didn’t know about this.
Bookmarked! 🙂
Al
July 12, 2014 at 2:39 PM
Thanks for the info.
I know this is an old post, but for me the encrypted password is 10 characters long. When I use this trick to find the password it gives me a string that is 14 characters long.
Is that like a Microsoft thing, that the encrypted passwords show 10 asterisks rather than the real amount for security’s sake?
farchi
September 6, 2016 at 2:43 AM
Thanks a lot!