IIS_IUSRS lost after promoting to DC on Windows 2008

In IIS7, the built-in group IIS_IUSRS has been granted access to all the necessary file and system resources. After IIS7 is installed on Windows 2008, the group can be seen under Computer Management\System Tools\Local Users and Groups\Groups.

Assume that you promote a Windows Server 2008 server that is running IIS 7.0 to a domain controller in a Windows Server 2003-based domain.

Symptoms

IIS_IUSRS no longer appears in Active Directory Users and Computers.

Environment

IIS7, Windows Server 2008, Windows 2003-based Domain

Root Cause

You cannot resolve the built-in IIS accounts after you set a Windows Server 2008-based server that is running IIS 7.0 as a domain controller

https://support.microsoft.com/kb/946139

The IIS 7.0 built-in accounts specification for Windows Server 2008 does not exist in earlier domains, such as Windows 2000-based domains and Windows Server 2003-based domains. When the IIS 7.0 server is set as a Windows 2000-based domain controller or a Windows Server 2003-based domain controller, the Windows Server 2008 accounts cannot be resolved.

Solution

1. Run the SamUpgradeTask.js script provided in KB946139 with “cscript SamUpgradeTask.js”.

2. Reboot the machine.
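To confirm the fix after the reboot, the following check is an added example and is not part of KB946139 or the original post. It resolves the well-known SIDs of the IIS 7.0 built-in principals and lists any ACL entries on the content root that still show as raw SIDs. It assumes PowerShell 2.0 or later and the default content path inetpub\wwwroot; the function name Resolve-SidName is hypothetical.

```powershell
# Added example: verify that the IIS 7.0 built-in accounts resolve again.
# Assumes PowerShell 2.0 or later, run on the promoted server.

# Well-known SIDs of the IIS 7.0 built-in principals.
$builtin = @{
    'IIS_IUSRS' = 'S-1-5-32-568'
    'IUSR'      = 'S-1-5-17'
}

# Hypothetical helper: returns the account name for a SID, or $null
# when the SID cannot be mapped to a name (the symptom described above).
function Resolve-SidName {
    param([string]$Sid)
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    try {
        # Translate() throws when no account name maps to the SID.
        return $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $null
    }
}

foreach ($entry in $builtin.GetEnumerator()) {
    $name = Resolve-SidName $entry.Value
    if ($name) {
        "{0,-10} {1,-13} resolves to {2}" -f $entry.Key, $entry.Value, $name
    } else {
        "{0,-10} {1,-13} NOT RESOLVED" -f $entry.Key, $entry.Value
    }
}

# Assumption: the site content lives in the default inetpub\wwwroot folder.
$path = Join-Path $env:SystemDrive 'inetpub\wwwroot'
if (Test-Path $path) {
    # An ACE whose identity still reads as a raw SID could not be resolved.
    (Get-Acl $path).Access |
        Where-Object { $_.IdentityReference.Value -like 'S-1-*' } |
        ForEach-Object {
            "Unresolved ACE on {0}: {1} ({2})" -f $path,
                $_.IdentityReference.Value, $_.FileSystemRights
        }
}
```

No "NOT RESOLVED" or "Unresolved ACE" lines in the output means the built-in accounts are being resolved again.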

Regards,

Anik Shen