Why you get Access Denied despite being an Administrator or enabled Anonymous Access in IIS

A couple of common misconception by users concerning IIS configuration and user privileges are that:

  1. If I am logged in as Administrator, everything should work and I should never see "Access Denied"
  2. If I enabled anonymous access in IIS, everything should work and I should never see "Access Denied"

Why are the above statements not true? They sure sound logical - after all, administrator should have full access to the system, right? And anonymous access is supposed to allow anyone access to the server, so it should never fail.

Administrator can be denied access

The fact of the matter is that while yes, Administrators have "full access" to the system and can change anything, Windows also treats Administrators just like any other user. This includes the ability to deny an user access to any ACL-protected resource explicitly or implicitly through lack of ACL.

So, it is perfectly possible to set a deny ACL or remove an allow ACL on a resource and prevent Administrators from initially accessing the resource. However, Administrators have a special power - the ability to CHANGE any ACL, including give themselves access to something previously denied access. Thus, while it is possible to have an Administrator see "Access Denied", it is not likely to last for long.

Regarding the identity of the user accessing the resource - when an Administrator makes a client-server connection like HTTP, the identity with which server-side code runs is completely unrelated from the identity that runs the browser making the HTTP request. It all depends on the authentication methods accepted by the web server as well as the user credentials negotiated between the web browser and web server.

In other words, the local Administrator can make a request in a web browser to run a CGI EXE on the web server, but the web server can use any identity to launch the CGI EXE server-side. The choice of identity can be influenced by authentication.

Anonymous does not allow access

As for enabling anonymous authentication in IIS - this merely tells IIS to automatically log in with a pre-configured user identity to execute the request, regardless of authentication attempted. There is no special Windows account that magically passes access checks and has access to everything.

In fact, the user identity used for anonymous access can be the target of allow/deny ACLs, just like any other Windows user, so it is still possible to see "Access Denied" when you have anonymous authentication enabled. You have to make sure that you have the correct user password AND the configured anonymous user identity actually has ACLs to the requested resource in order to allow anonymous authentication a chance to work. Otherwise, you still get 401 access denied and browsers will keep popping up the login dialog box no matter what you give (however, this is only one possible way to get into that state - there are others).

I hope this helps to demystify two common IIS misconceptions.


Comments (67)

  1. Tony Warren says:

    I’ve added the account used for anonymous authentication to the administrators group and I still get the error.

    THAT should have fixed it.

  2. David.Wang says:

    There are many types of "access denied":

    401.1 – incorrect username/password

    401.2 – incorrect authentication protocol

    401.3 – lack ACL on resource

    401.4 – denied by ISAPI Filter for some reason

    401.5 – denied by application for some reason

    Until you determine the type of "401 access denied", random changes will not help.

    For example, adding anonymous user to the administrators group ASSUMES that the problem is 401.3 – that you are anonymous authenticated and that the anonymous user lacks ACL on the resource. However, if this is not the 401 error, or if administrators group is denied or lacks ACLs on the resource (as mentioned above), then you will STILL have access denied.

    In other words, adding anonymous user to the administrators group makes very little sense. There is no sure-fire way to never see access-denied. You need to use the IIS log file to determine WHY you are getting access denied and then address that.


  3. Rex says:

    I have got an interesting problem, I have a web site that uses Integrated Windows Authentication to determine the user. If I browse to the site from my desktop, I enter my user name and password, and get access to the site, however, when I browse to the web site from the server that it is hosted on, I get Unauthorized: Access is denied due to invalid credentials (using the same username and password). Enhanced security is not enabled, and I have disabled and enabled the proxy settings, as well as add the site to the trusted sites list. Any other ideas?

  4. Greg Muir says:

    I’m getting a 401.1 error. The weird thing is that everything was working just ducky last week. This server is intended for intranet use as well as distributing Crystal Reports via the crystal .net interface.

    The only thing I can think of that’s changed since Friday is the default name of the site. I’m going to check that one out, maybe permissions are still granted for the old name.

  5. Zach Li says:

    I am also getting a access denied. My error is 401.3 Does anyone has any idea of overcoming the problem?

  6. mark glanville says:

    THANK YOU!!! you just saved me hours of playing with settings… ta!

  7. Ben says:

    Hello David,

    I have played around with permissions but I still can’t get our website to work without having to logon with a username / password.

    Our test site required a username / password but our Default Website is working perfectly via a browser.

    Default Website:

    http://localhost/v3/home.asp -> no username / password required

    Test Site:

    http://test.ourdomain.com -> username / password required

    Please help.


  8. Ben says:

    Test Site:

    http://test.ourdomain.com -> username / password required

    It asks for a username / password but I can just click "Enter", it disappears and everything works. Please help.


  9. Ben says:

    I have another server set up using anonymous access and both the Default Website http://localhost/v3/home.asp and the Test Site http://test.ourdomain.com work.

    I think the problem is that this server has two IUSR_MACHINENAME accounts since I changed the MACHINENAME sometime ago. I removed and re-installed IIS, but the two IUSR_MACHINENAME accounts still exist. How can I fix this?



  10. Christopher King says:

    thanks for the reminder and clarification around this; was exactly what I was looking for 🙂

  11. Ganeshs says:

    i am having problem in uploadignn file to a server…..

    its shows "405 HTTP verb used to access this page is not allowed".

    Please help me to figure this….

  12. David.Wang says:

    Ganeshs – I suggest searching for the common solution to your issue.

    You are most likely either:

    1. uploading the file to a URL that is considered "static file" by IIS (i.e. does not run code). Obviously, POSTing to a page that does not execute code won’t upload the file, so a 405 is returned.

    2. uploading the file to a URL which resolves to a default document (i.e. http://localhost/vdir or http://localhost/vdir/ ). Behavior is by-design.


  13. David.Wang says:

    It’s another 10K entry!


  14. David Wang says:

    Sigh… security continues to befuddle users… because why would you change the Service User Account from…

  15. Zoran says:

    It’s good stuff, but no one seems to have had my problem…  🙁  I can’t start my WWW service on this server with exchange to access OWA.

  16. David.Wang says:

    Zoran – I suggest looking at the list of troubleshooting links I have on the sidebar of my blog and helping yourself. Starting with this one:


    In general, you do not want nor need to look for someone else’s solution for their problem which seems SIMILAR to your problem. Pattern-matching is a dangerous way to solve problems. You want to independently diagnose your problem (that’s what my troubleshooting links are for), and once you know the cause, resolve it directly.

    In other words, there are millions of ways that WWW service won’t start on a machine, with or without Exchange/OWA. Looking for other people’s solution is like looking for a needle in a haystack, and if their situation is not exactly like yours, you have no idea whether their "solution" applies.

    Instead, simply diagnose why WWW service won’t start. When you run on the commandline:


    What do you get? And if there is an error, what are logged in the Event Logs for System and Application?


  17. David Wang says:


    Hi ,

    I have two web servers. One web server(w2k3Ent) and IIS 6.0 in a work group and One…

  18. Deepankur Kukreja says:

    I am facing an issue with my IIS 6.0, when i click on browse through my IIS Manager console onto my Default Web Site, my IUSR account is also added to the list of my Administrators group and the password has been set for that. Also the option of Enbale Anonymous Access in checked and so is the option of Integreted Windows Authentication.

    Please help.

  19. Deepankur Kukreja says:

    Forgot to mention that the error is same ACCESS DENIED 🙁

  20. David.Wang says:

    Deepankur – I suggest diagnosing your issue by reading:


    The way to deal with a 401 Access Denied is to first determine the sub-status of 401 from the log file, then consider the common causes listed in the blog entry. The blog entry is not exhaustive – it is just to get you thinking about possibilities.

    As I explained earlier in this blog entry, just because IUSR is in Administrators, or enabling Anonymous Access does NOT mean you will never see Access Denied when browsing, no matter if it is through the IIS Manager console or through a web browser.

    For example, in your situation, if the configured anonymous user is locked out or denied logon on this server, you will definitely see "Access Denied" no matter what you change – Anonymous access is enabled so IIS always tries to logon the anonymous user, which if locked out or denied logon, will always fail REGARDLESS if it is in the Administrators group, thus always resulting in 401 Access Denied no matter if using IIS Manager console or web browser.

    This is also why I suggest reading this blog entry for following a sound methodology for troubleshooting IIS:


    Also, see the sidebar on my blog website for additional "Favorites" blog entries that users read.


  21. David Wang says:

    Sigh… security is never black and white, is it? :-) 


    Environment: IIS6.0 Windows 2003…

  22. omri swissa says:

    i’m working with Office server and Project 2007 (beta 2). i’m trying to access the PSI (Project web services).

    when i’m trying to browes the site i get 401.3 but when i use IE i can see the site. why?

  23. David.Wang says:

    omri – Since you have installed non-IIS software on top of IIS which can alter server behavior, the reason for any behavior is arbitrary and determined by server-modifications made by the Office server product.

    My guess is that it is using customized forms authentication which IE will negotiate, but other HTTP clients/browsing will not do correctly after passing anonymous authentication – hence 401.3. But it is just a guess – one needs to know an debug the server configuration to figure out what is going on.


  24. John says:

    I have an ASP (not ASP.NET) application installed in Vista (Build : 5384). This application is  using a C++ COM DLL. The ASP application is unable to access the C++ COM DLL. It is giving an error. When I open the Security Event Log, I can see this

    The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID


    to the user DOMAINUSER SID (S-1-5-21-1412128295-2049115561-7473742-1796) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

    I followed the steps given in the KB article (http://support.microsoft.com/?kbid=899965). Still I am getting the same problem.

    Can anyone give me some suggestions regarding the above said problem.


  25. Phil says:

    I worked yesterday and opend two new projects. I turned off the computer in the night and today i can’t open them because of:

    HTTP/1.1 403 Access Forbidden

    I tried to change all folder permissions.

    Even if I try to make a new project in the C:Inetpubwwwroot folder it says Access Forbidden

    I have IIS 5.1 and 6. It’s seems to run with 6 but the LogFiles say 5.1

    Don’t know what to do anymore… sitting here for hours!

    Does anyone have the same problem?

    Thx a lot,


  26. Thomas says:

    Please remove the anonymous access and try again it works.


  27. Al C says:

    I have anonymous access enabled for a web site in IIS.  If I try to go to the web site, I get challenged for a user name and password.  If I enter an administrator username and password for the server, it lets me it to the web site.  If I cancel, I get a 401.3 error.  When I check the log, the entry says that it rejected user serverName$ (where serverName is the name of my server).  I added the IUSR_serverName account to the ACL for the directory, but apparently that is not the user accessing the directory.  After reading all of these posts, it seems like I am close.  Any ideas?

  28. Darren says:

    I have a similar problem on SBS Premium and Standard 2003 where all users were configured during the setup using the wizards etc. Inside my LAN I can access the OWA as the different users but from the net only the Administrator can get in. I tried with users set up as administrators but this does not work.

    Any help would be appreciated

  29. wmelvin@admerexgroup.com says:

    I am having an odd situation that I hope someone can help with. I get a 401.3 error whenever I attempt to click on a link pointing to a .DOC file.  If I point to an .HTM file in the same directory the file is displayed.  Also the site is running over SSL.  Anonymous access is enabled and using IUSR…  

    On one of my ASP.NET pages I have an ASP:Table that I populate at runtime with several peices of information.  One of the things that I add to the table is a Link control to link to a word document in a particular directory under my virtual directories root.  

    (physical directory structure)





    ———————>images (directory containing the images for the site)

    ———————>arcletters (directory containing the .DOC files)

    ———————>bin (directory containing dlls, etc)



    bla bla bla….

    Based on your previous suggestions I downloaded FileMon and saw that it is indeed the IUSR user that is being denied access to the arcletters directory.  When I click on the link mentioned above I get a new windows with the 401.3 error.  If I run the same code from my local machine I get a prompt asking if I would like to save the document (which is the desired functionallity).

    My question is, do you have any suggestions for me and is there a difference between opening a .DOC file and an .HTM file via a link?  Also I forgot to mention that I have given IUSR full control of the arcletters directory with no improvment.



  30. Ed says:

    I have been fighting to get things set up for Interdev debugging on Windows XP SP2 with IIS and Front Page Extensions 2002 for DAYS to no avail. I am so frustrated and cannot for the life of me figure this out.

    I get prompted for username/password when I try to either launch interdev’s debugger or when I try to check server extensions from the IIS control panel.

    I have added full control permissions on all the folders to Everyone.

    When I try to check server extensions I am prompted for:

    enter  the username and password for user "" on http://machinename

    When I try to run debugger in Interdev I am prompted similiarly for a username and password for a user account with permissions to debug.

    My own user account has full permissions on all folders and is a member of Administrators.

    My user account does not have a password associated with it and never has.

    The http error I get is a 401.1

  31. Garima says:

    Hi,I am running Project Server 2003 with win server 2003.I am able to access the projectserver bt if i try to connect the client with the server with the same username and password is giving error of http 401.1-unauthorised access.wht to do im stuck with this problem for the last 2 days.Please help me.


  32. David.Wang says:

    William – there is no difference to IIS between a DOC and HTM file. They are both static files served for download by default. You *may* be running 3rd party ISAPIs on the server that result in different behavior between different file extensions.


  33. David.Wang says:

    Ed – by default, XP simply does not allow network login of user accounts with blank passwords. You may be hitting that in some fashion – no amount of giving ACLs to Everyone will help if Windows is not even allowing the user to login (401.1).

    You will have to configure XP to allow such logins of accounts with blank passwords, but I wouldn’t do it in your case since you are running as administrator with no password.


  34. Prithwish says:

    I have enabled Anonymous Access in IIS. But for its not eve asking for any id password, rather its directly showing access denied error. http://www.eorangecountyrealestate.com/ http://www.ilongbeachrealestate.com/ for both of this option it says "You are not authorized to view this page". Can any one help regarding this issue? p.biswas@yahoo.com

  35. Lorie says:

    I apologize for asking a question that may have already been answered. I’m not familiar with changing settings. I just begun learning ASP and knowing what IIS does and everything was working fine until I installed .net framework and it created this administrator password and I have no clue where to change these setttings.

    It makes me not want to do mess with the whole deal, but I don’t want this situation to keep me from learning.

    I’ve tried reading these links and articles but it all going over my head. Please, if anyone has found a way to change these settings so it allows me to access my IIS again, please point me in the right direction.

    Thanks a mil!


  36. David.Wang says:

    Prithwish – Enabling anonymous access in IIS does NOT mean you will not get Access Denied. Please start with the "401 Diagnosis Guide" link on the sidebar of this blog to start troubleshooting your misconfiguration.


  37. Robert Mack says:

    I get "You have been denied access to this machine" when I try to administer IIS in the snap-in console. I am logged in as domain admin. I also get "Cannot find server or DNS Error" when I try to access web pages on the machine. This is a Win XP Professional workstation  (SP2) on which everything has been working perfectly for a couple of years, including a couple of web apps I developed in VS. When I do a NET START, the system reports that the service has started. When I open the Windows Firewall config in Control panel and click the Advanced tab I see a message that says the "Network Connection Settings have become corrupted." It suggests clicking the Restore Defaults button, but when I tried that, nothing happened. I tried installing authdiag, but when I run the MSI file, I get a message saying that the Windows Installer Service could not be accessed, although when I try to re-install the Windows Installer, I am told that it is already installed.

    The only thing I have done is re-register the machine on my development network (one Win 2000 server and 2 workstations – Win 2K and XP).

    Any ideas? I am at a total loss.

  38. Robert Mack says:

    OK. I fixed the problem myself by using Windows XP System Restore. This feature is a bloody godsend and I didn’t even know it existed! My whole development server with a number of revenue-generating projects had gone kaput. I was in panic mode.

    Looked at the system logs to see when the error messages started coming – I still can’t figure out what happened – and restored to the first point previous to that. I guess the machine got corrupted somehow. No viruses or worms present, so must have been some sort of system glitch.

    Thank you Microsoft!

  39. Sanjay Mishra says:

    Dear All

    I have win2k3 with IIS 6.0. Every Morning I get 401.1 Error. The Directory security has been set to Anonymous Access, Once I give IISReset everything starts working again for for few hours and again it stops

  40. Nathan says:

    I have Windows 2000 and everytime I log in as an Administrator and try to install new hardware or anything, it says "You do not have sufficient security privileges to install or uninstall devices on this computer. Please contact your site administrator, or log off and log on again as an administrator and try again." Naturally, I have tried many times to no avail. I even made two other accounts allowing Admin. access and yet both of those also don’t allow me to install new hardware. I don’t seem to have any administrator access anymore but all the profiles are listed as having administrator access. Am I missing something? What is the problem here?

  41. tarriin says:


    In case of ISAPI filters for your IIS. Giving IUSER ACL will not help on win2k3.

    U need to give execute permission to cmd.exe on the box.

    This will do the job.

  42. David.Wang says:

    Nathan – your problem sounds like it is related to Group Security Policy in Windows and not IIS.

    There are security policies within Group Policy that prevent users from altering hardware configuration (to lock down against people plugging in USB memory sticks, for example), regardless if you are an "Administrator" or not. See the following:


    I think you want to investigate in this direction.


  43. David.Wang says:

    tarlin – thanks for the advice, but it is really not correct.

    See these blog entris for the explanation:



    ISAPI Filters run as process identity by default, not IUSR, so changing ACLs do not help.

    Furthermore, cmd.exe is locked against access by non-interactive or non-administrators by default, so execution permission does not really matter.


  44. Lorna Mayes says:

    I have just brought a Laptop with Vista Business when I first set it up I could view the sidebar now when I log on I get a message saying the system administrator controls the sidebar and I cannot view or make changes to the sidebar.


    Can you help with this  problem



  46. JG says:

    Hi..last day when I was loggd in as administrator, i changed the C drive security settings to denied unknowingly :-(. Now I am getting all the time C drive as "Access denied"…I am unable to see any option to change the security settings now..please help me..thanks!

  47. David.Wang says:

    JG – take that hard drive out and put it in another machine you have successful Administrator access, and reset ACLs there.

    Personally, I would not trust your ACLs on that drive to be secure after recovery, but that’s another issue.


  48. JG says:

    Thanks  a lot david for reply. But I am having laptop with VISTA as OS. I am less aware of the hardware stuffs. I am planning to format the OS itself. Will that over come this problem?..Please suggest me a proper way. looking forward for ur reply. Thanks!

  49. Angie says:

    I have been getting things from a E mails from a particular place and every time that I try to look at or read them I get a thing on my computer that says access denied.

  50. Angie says:

    I have been getting things from a E mails from a particular place and every time that I try to look at or read them I get a thing on my computer that says access denied.

  51. Ken Schall says:

    Hi David,

    You’re probably getting sick of postings on this thread, and I apologize for posting another.

    We have a Win2K3 server running IIS 6.  One of the virtual directories has anonymous authentication set (all other authentication modes are disabled).  The host anonymous account works on other applicable virtual directories on the server.  Recently, some users at one site started getting prompts for a user ID and password when accessing the site in question.  It is in their trusted/Intranet sites in IE settings and the authentication on the client is set to use the current credentials to authenticate.  We have cleared their cache and cookies to see if it was being caught from previous security settings (default settings of anonymous and Windows authentication – the latter has been turned off).

    I have double checked the ACL list on the folder for the virtual directory and the anonymous account has read permissions to the folder.  This has started since the removal of the Windows authentication on the virtual directory.  It also doesn’t do it all the time.  It will work for a time, then all of a sudden prompts for a user ID and password.

    Any ideas?  Thanks in advance.

  52. David.Wang says:

    Ken – look at the IIS log entries when users see the user ID/password prompts. If it is 401, use this blog entry to diagnose.


    If it doesn’t match the patterns in there, them my suspcion would be Group Policy (if the machine is in a domain) that may be periodically sweeping through the machine and affecting the configured Anonymous user account for the virtual directory in question.

    I would wager that it happened after you remove Windows Authentication because earlier, if anonymous authentication failed, IE would auto-login with the user’s domain credentials and likely succeed, thus covering up the fragility of Anonymous user credential.

    And since IIS caches the anonymous user token by default and filesystem ACLs are unlikely to change over the period of time in question, fluctuating behavior most likely come from external sources.

    And the most random external source of fluctuation is Global Policy that change user permissions, privileges, group membership, etc.


  53. Raymond says:

    Thanks for the info. However, if it is not too much trouble, could you also explain ***HOW*** I could change an ACL???

  54. macac says:

    I have the solution 🙂 run out and buy yourself a mac, widows is a piece of crap, always has been and always will be.

  55. David.Wang says:

    macac – Sorry, Macs are no better. Apple will never tell the truth about the constant patching and mislabeling of security patches as "performance enhancements".

    Mac users delude themselves into thinking it is better (after all, they just paid a bundle for it — they’d feel like a sucker otherwise)! Apple is more than happy to say anything to keep users thinking that way.

    Will you be like Neo and wake up from the dreamy Matrix? Or will you be Cipher and rat out your friends?


  56. Sorry, but if I’m logged as administrator I can change the owner and the objetcts permissios to get effective access to all objects.

    I’m try to change the owner and the permissions to have full control to these objects and the windows return "access us denied"  at "Advanced Security Settings for [object]".

    What’s happen with this system ?

    When I was OpenVMS System Manager this situation was impossible! The System Manager was the Machine King.


  57. David.Wang says:

    Walter Ferrari Veras – if on Vista/WS08/Win7, then you have UAC active and need to elevate your action, which grants those permissions to your interactive user to use on that action. When non-elevated, the administrator cannot change ownership even if it is a privilege the user holds.

    This security system gives good compromise to allow people to have access (under user permission) to all sensitive administrative privileges but NOT have them freely available by default for malware to attack the user.

    The outdated approach of OpenVMS where Administrator is machine king is still there if you turn off UAC, but that option is for the knowledgeable.


  58. Qureshi says:

    Sir, my website is on godaddy with IIS6, i am getting access denied error when i upload the images using back office, what is the problem, in IIS setting only 3 previliegs are there

    First i have enter the directory name and there are 3 option Anonomious Access, Directory Browsing, …….

    Please tell me what i do, so remove this error.

    its too urgent

    i m waiting 4 ur reply

  59. Qureshi says:

    Sir, my website is on godaddy with IIS6, i am getting access denied error when i upload the images using back office, what is the problem, in IIS setting only 3 previliegs are there

    First i have enter the directory name and there are 3 option Anonymous Access, Directory Browsing, …….

    Please tell me what i do, so remove this error.

    its too urgent

    i m waiting 4 ur reply

  60. Anasthase Kajugiro says:

    I do not want to be denied access when I need continue working on my computer. I need to have access to all that I want to see.

  61. Anasthase Kajugiro says:

    open up whatever I need to see and use on my computer.

  62. Bob says:

    using XP Pro – New board with SATA HD – copied some folders to cd/rw.

    After copy – removed most files & folders; but some would not allow removal (Access Denied).

    Subsequent writes include the folders and files I cant remove.

    That’s a big problem.

    Anyone have any suggestions?

    Please contact via emal (I am slow reader and blogs take me hours to read) – bob6238@gmail.com


  63. David K says:

    I have an intranet site that, for some reason, when first loading gets a 401.1 error.

    Hit refresh and it comes up just fine. This is more of a nuisance than anything else but I just trying to figure out why it would only happen at first and then work.

    Thank you in advance.

  64. Philip Dahlin says:

    What do I need to set in IIS7 so that I can run a .exe. For example, how would I launch


    I can get Notepad.exe to execute on a win2000 server with IIS5 but not on a Win2008 server with IIS7.

  65. Philip Dahlin says:

    What do I need to set in IIS7 so that I can run a .exe. For example, how would I launch


    I can get Notepad.exe to execute on a win2000 server with IIS5 but not on a Win2008 server with IIS7.

Skip to main content