How to get the IUSR and IWAM user account passwords on a Microsoft IIS server
If you need the IUSR or IWAM password without resetting it, Adsutil.vbs in C:\Inetpub\AdminScripts will retrieve it for you. Quick and non-disruptive.
IIS uses the IUSR_servername guest account to allow anonymous access to websites hosted on the server. You can always change this to a different account or even change the password for this account yourself. But sometimes you might be in a situation where you can't or don't want to change the password but need to know what password Windows has set for it when you installed IIS.
Here's how the IUSR account works by the way:
-
User types in http://www.yoursite.com
-
IIS gets the page request, imitates the IUSR_servername account, then executes/accesses the webpage located in your home directory using this account. It checks NTFS permissions and such during this time as well. Please note that the IUSR account has the "Log on Locally" permission by default to accomplish all this.
-
If everything goes well, authentication is completed and the requested page is sent back to the user's browser. If something doesn't go well, such as anonymous access is disabled or NTFS permissions to your root directory don't included the IUSR account, the user will typically get an "HTTP 403 Access Denied" error message.
Anyhow, you can find the IUSR account password without having to reset it by using the Adsutil.vbs tool. Open up command prompt and navigate to C:\Inetpub\AdminScripts. Then type:
cscript.exe adsutil.vbs get w3svc/anonymoususerpass
or
cscript.exe adsutil.vbs get w3svc/wamuserpass
to display the IUSR and IWAM account passwords respectively. You will notice that the passwords are just a bunch of asterisks. To make them cleartext, navigate to C:\Inetpub\AdminScripts and edit Adsutil.vbs in Notepad. Find this line:
IsSecureProperty = True
and change it to:
IsSecureProperty = False
Now run the script commands above again and you will see the passwords in clear text. Make sure to put Adsutil.vbs back to the way it was because it's not best practice in my opinion to leave your tool with clear text enabled.
Please note that with IIS 7, this has all changed:
-
The IUSR built-in account replaces the IUSR_Servername and IWAM_Servername accounts. It also no longer has a password since it is a local service account and not a user account so this blog post does not apply to IIS 7 at all.
-
The IIS_IUSRS built-in group replaces the IIS_WPG group (worker process group)
Jason Samuel
Product leader, advisor, and international speaker with 27+ years in enterprise end-user computing, security, and cloud. Has deployed infrastructure at Fortune 500 scale across 34 countries. 1 of 3 people globally to hold Citrix CTP + VMware vExpert + VMware EUC Champion concurrently. 200+ articles, 1,000+ reader discussions.
Previous Comments (3)
Using Microsoft LogParser to create a report of who has been hitting a web page or URL
Need to know who's been hitting a specific URL? LogParser queries your IIS W3C logs and gives you every IP in chronological order. Then you can export unique IPs for identification.
iisUsing the DATAGRID output option in Microsoft LogParser to see error 500 IIS issues
LogParser's DATAGRID output gives you IIS error 500 results and page load times in a readable GUI window. No CSV exports needed. Instant visual output.
iisA quick way to troubleshoot SSL chain issues using OpenSSL
If you're troubleshooting SSL chain issues, the OpenSSL s_client command tells you exactly what's wrong in seconds. Here's the command and how to read the output.