
How to get the IUSR and IWAM user account passwords on a Microsoft IIS server


IIS uses the IUSR_servername guest account to allow anonymous access to websites hosted on the server. You can always change this to a different account or even change the password for this account yourself. But sometimes you might be in a situation where you can’t or don’t want to change the password but need to know what password Windows set for it when IIS was installed.

Here’s how the IUSR account works by the way:

1. User types in http://www.yoursite.com

2. IIS gets the page request, impersonates the IUSR_servername account, then executes/accesses the webpage located in your home directory using this account. It checks NTFS permissions and such during this time as well. Please note that the IUSR account has the “Log on Locally” permission by default to accomplish all this.

3. If everything goes well, authentication is completed and the requested page is sent back to the user’s browser. If something doesn’t go well, such as anonymous access being disabled or NTFS permissions on your root directory not including the IUSR account, the user will typically get an “HTTP 403 Access Denied” error message.

Anyhow, you can find the IUSR account password without having to reset it by using the Adsutil.vbs tool. Open a command prompt and navigate to C:\Inetpub\AdminScripts. Then type:

cscript.exe adsutil.vbs get w3svc/anonymoususerpass

or

cscript.exe adsutil.vbs get w3svc/wamuserpass

to display the IUSR and IWAM account passwords respectively.  You will notice that the passwords are just a bunch of asterisks.  To make them cleartext, navigate to C:\Inetpub\AdminScripts and edit Adsutil.vbs in Notepad.  Find this line:

IsSecureProperty = True

and change it to:

IsSecureProperty = False

Now run the script commands above again and you will see the passwords in clear text.  Make sure to put Adsutil.vbs back to the way it was because it’s not best practice in my opinion to leave your tool with clear text enabled.
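One way to confirm that Adsutil.vbs was put back to its masked state, as an added example that is not part of the original post. It assumes masking depends on an active "IsSecureProperty = True" assignment (the line quoted above); the function name Test-AdsutilMasking and the sample fragments are hypothetical.

```powershell
# Added example (not from the original post): checks whether Adsutil.vbs still
# masks secure metabase properties, i.e. whether the edit above was reverted.
# Assumption: masking depends on an active "IsSecureProperty = True" line,
# the one the post quotes. Function and variable names are hypothetical.
function Test-AdsutilMasking {
    param([string[]]$Lines)

    # Anchored at line start, so a commented-out copy (' IsSecureProperty = True)
    # is ignored. -match is case-insensitive, as VBScript itself is.
    $pattern = '^\s*IsSecureProperty\s*=\s*(True|False)\b'
    $hits = @()
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match $pattern) {
            $hits += New-Object PSObject -Property @{
                Line  = $i + 1          # 1-based line number for the report
                Value = $Matches[1]     # True or False, as written in the file
            }
        }
    }
    $active = @($hits | Where-Object { $_.Value -eq 'True' })
    New-Object PSObject -Property @{
        MaskingEnabled = ($active.Count -gt 0)
        Assignments    = $hits
    }
}

# Constructed samples: the quoted line as shipped, then after the edit with
# the original line left behind as a comment.
$stock  = @("' constructed fragment", '    IsSecureProperty = True')
$edited = @("' constructed fragment",
            "    ' IsSecureProperty = True",
            '    issecureproperty = False')

"stock masked:  " + (Test-AdsutilMasking $stock).MaskingEnabled
"edited masked: " + (Test-AdsutilMasking $edited).MaskingEnabled

# On a server, audit the real file (path taken from the post).
$path = 'C:\Inetpub\AdminScripts\Adsutil.vbs'
if (Test-Path $path) {
    $result = Test-AdsutilMasking (Get-Content $path)
    if (-not $result.MaskingEnabled) {
        Write-Warning "$path prints secure properties in clear text"
        $result.Assignments | Format-Table Line, Value -AutoSize
    }
}
```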

Please note that with IIS 7, this has all changed:

1. The IUSR built-in account replaces the IUSR_Servername and IWAM_Servername accounts. It also no longer has a password since it is a local service account and not a user account, so this blog post does not apply to IIS 7 at all.

2. The IIS_IUSRS built-in group replaces the IIS_WPG group (worker process group)

About Jason Samuel

Jason Samuel lives in Houston, TX with a primary focus on strategic advisory and architecture of end-user computing, security, enterprise mobility, virtualization, and cloud technologies from Citrix, Microsoft, & VMware. He also has an extensive background in web architecture and networking over his 20+ year career in IT. He is an Author, Speaker, and Local User Group Community Leader. He is certified in several technologies and is 1 of 63 people globally that is a recipient of the prestigious Citrix Technology Professional (CTP) award. He is 1 of 42 people in the world that has been awarded as a VMware EUC Champion and VMware vExpert. He is a featured author on DABCC which provides the latest IT Community News on Cloud, Data Center, Desktop, Mobility, Security, Storage, & Virtualization. In his spare time Jason enjoys writing how-to articles and evangelizing the technologies he works with. Disclaimer: The content and opinions expressed in articles and posts are his own and are by no means associated with his employer.


4 Comments

  1. Christoph Wegener

    August 22, 2011 at 5:25 AM

    That’s a really good one! I didn’t know about this.
    Bookmarked! 🙂

  2. Pingback: How to get the IUSR and IWAM user account passwords on an IIS server · Etdot.com

  3. Al

    July 12, 2014 at 2:39 PM

    Thanks for the info.

    I know this is an old post, but for me the encrypted password is 10 characters long. When I use this trick to find the password it gives me a string that is 14 characters long.

    Is that like a Microsoft thing, that the encrypted passwords show 10 asterisks rather than the real amount for security’s sake?

  4. farchi

    September 6, 2016 at 2:43 AM

    Thanks a lot!
