IIS uses the IUSR_servername guest account to allow anonymous access to websites hosted on the server. You can always change this to a different account or even change the password for this account yourself. But sometimes you might be in a situation where you can’t or don’t want to change the password but need to know what password Windows has set for it when you installed IIS.
Here’s how the IUSR account works by the way:
1. User types in http://www.yoursite.com
2. IIS gets the page request, imitates the IUSR_servername account, then executes/accesses the webpage located in your home directory using this account. It checks NTFS permissions and such during this time as well. Please note that the IUSR account has the “Log on Locally” permission by default to accomplish all this.
3. If everything goes well, authentication is completed and the requested page is sent back to the user’s browser. If something doesn’t go well, such as anonymous access is disabled or NTFS permissions to your root directory don’t included the IUSR account, the user will typically get an “HTTP 403 Access Denied” error message.
Anyhow, you can find the IUSR account password without having to reset it by using the Adsutil.vbs tool. Open up command prompt and navigate to C:\Inetpub\AdminScripts. Then type:
cscript.exe adsutil.vbs get w3svc/anonymoususerpass
cscript.exe adsutil.vbs get w3svc/wamuserpass
to display the IUSR and IWAM account passwords respectively. You will notice that the passwords are just a bunch of asterisks. To make them cleartext, navigate to C:\Inetpub\AdminScripts and edit Adsutil.vbs in Notepad. Find this line:
IsSecureProperty = True
and change it to:
IsSecureProperty = False
Now run the script commands above again and you will see the passwords in clear text. Make sure to put Adsutil.vbs back to the way it was because it’s not best practice in my opinion to leave your tool with clear text enabled.
Please note that with IIS 7, this has all changed:
1. The IUSR built-in account replaces the IUSR_Servername and IWAM_Servername accounts. It also no longer has a password since it is a local service account and not a user account so this blog post does not apply to IIS 7 at all.
2. The IIS_IUSRS built-in group replaces the IIS_WPG group (worker process group)