HOWTO: Synchronize User Credentials in IIS



I recently had to modify a domain administrator account on my system and as a result parts of my web site are no longer operational.  I keep getting a 401.1 error whenever my web pages attempt to execute a Perl script that dynamically builds web pages.  Regular HTML pages execute with no problem.

I’ve checked the error logs and the perl scripts POST entries show a “401 1 0”.

I’ve re-installed PERL on the server and gave the language permissions to execute.  I’ve run the scripts manually at the DOS prompt, and they execute.

I believe that the domain account password is not synchronized with the account in IIS.  Is there a way I can force the synchronization to occur?

Any help would be GREATLY appreciated.


Ok, let me first get over the security shock of you configuring the domain administrator to be the anonymous user that ANY user account can wield to run Perl. You basically have a gun pointed to your head and you might as well pull the trigger now… 😉 but let’s ignore that outrage for the moment and get back to your question…

Yes, it is likely that the cached username/password in IIS configuration is no longer in sync with reality. However, there is no way to “force” the synchronization to occur for two reasons:

  1. Your custom user account is not “owned” by IIS, so there is no way for IIS to just change its password.
  2. There is no way to recover the password given just a username. That would be a security vulnerability.

In other words, you should find the cached username/password in IIS configuration and hand-synchronize it yourself. There are a couple of ways to do this:

  1. cscript %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs FIND AnonymousUserPass
  2. Within the IIS Manager UI, navigate to the “Websites” or “Global” node, right click properties and navigate to the security node to change the anonymous username/password. When you change this value and OK out of the dialog box, the UI will pop up another dialog box telling you all other nodes which have Anonymous username/password custom configured.

These methods all come back with a list of locations where the Anonymous User password is customized. All you need to do is check if the associated Anonymous user name is your Domain Administrator and if so, synchronize that password.

I suspect that your vdir containing the Perl scripts has a customized Anonymous user account (so they are affected), while the directory containing your HTML pages does not have such customizations.


C:\Inetpub\adminscripts>cscript adsutil.vbs FIND AnonymousUserName
Property AnonymousUserName found at:

C:\Inetpub\adminscripts>cscript adsutil.vbs GET W3SVC/AnonymousUserName

C:\Inetpub\adminscripts>cscript adsutil.vbs GET W3SVC/1/Root/AnonymousUserName
AnonymousUserName : (STRING) "Administrator"

C:\Inetpub\adminscripts>cscript adsutil.vbs SET W3SVC/1/Root/AnonymousUserPass NewPass

I found that AnonymousUserName was customized at two locations in my IIS configuration. The first one was not set to Administrator so I do not care about it; the second one was set to Administrator so I changed its password to synchronize with reality.
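
The same FIND/GET walk can double as an audit. The sketch below is an added example, not part of the original post: it parses captured adsutil output and goes one step beyond password synchronization by labelling each anonymous identity, so an administrator account used as the anonymous user stands out. The sample output, the names WEB01 and CORP\svc_perl, and the PRIVILEGED list are constructed assumptions.

```python
import re

# Constructed sample in the format of the transcript above: FIND lists metabase
# paths; GET prints 'Name : (STRING) "value"' for one path.
FIND_OUTPUT = """Property AnonymousUserName found at:
  W3SVC
  W3SVC/1/Root
  W3SVC/1/Root/scripts
"""
GET_OUTPUT = {
    "W3SVC": 'AnonymousUserName       : (STRING) "IUSR_WEB01"',
    "W3SVC/1/Root": 'AnonymousUserName       : (STRING) "Administrator"',
    "W3SVC/1/Root/scripts": 'AnonymousUserName       : (STRING) "CORP\\svc_perl"',
}
# Assumption: the operator lists the account names known to be privileged.
# A name match is a heuristic, not a group-membership check.
PRIVILEGED = {"administrator"}
GET_LINE = re.compile(r'^\s*\w+\s*:\s*\(\w+\)\s*"(.*)"\s*$')

def parse_find(text):
    """Return the metabase paths listed after the 'found at:' header line."""
    lines = [ln.strip() for ln in text.splitlines()]
    for i, ln in enumerate(lines):
        if ln.lower().endswith("found at:"):
            return [p for p in lines[i + 1:] if p]
    return []

def parse_get(line):
    """Extract the quoted value from a GET result, or None if it does not parse."""
    m = GET_LINE.match(line)
    return m.group(1) if m else None

def classify(user):
    """Label an anonymous identity by account name, ignoring any domain prefix."""
    if user is None:
        return "unreadable"
    short = user.rsplit("\\", 1)[-1].lower()
    if short in PRIVILEGED:
        return "privileged"  # anonymous requests would run as an admin account
    return "default" if short.startswith("iusr_") else "custom"

def audit(find_text, get_lookup):
    """Return (path, user, label) for every location where the name is set."""
    users = [(p, parse_get(get_lookup.get(p, ""))) for p in parse_find(find_text)]
    return [(p, u, classify(u)) for p, u in users]

if __name__ == "__main__":
    for path, user, label in audit(FIND_OUTPUT, GET_OUTPUT):
        print(f"{label:<11} {path:<22} {user}")
```

Locations labelled "custom" or "privileged" are the ones whose cached password has to be synchronized by hand; "privileged" ones are also candidates for replacement with a low-privilege account.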

Script to Selectively Synchronize IIS User Accounts

Of course, all of this is scriptable with a little “glue” code since all the basic building blocks are already there. I have an example batch script at the end of this entry which does exactly that. You can copy it into a file named “SyncIISUser.bat” and call:

SyncIISUser.bat Anonymous "Administrator" "New Password"

This command searches the local IIS configuration for all Anonymous user accounts named “Administrator” (the quotes are required, even for user names without spaces) and changes their cached password to “New Password” (the quotes are not considered part of the password).

The script currently has a safety-lock in that it ECHOs what it will do. You can inspect the output to see if it is OK and then copy/paste the commands yourself, or you can remove SET DEBUG=ECHO to have the script take action.

I always recommend backing up the IIS configuration file prior to making such automated changes so that you can recover in the worst case scenario, and I cannot take any responsibility for whether the script works or not. It should work, but you should remember that all blog content is published “as-is with no warranties, and confers no rights.” :-)



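@IF ?%_ECHO%?==?? ECHO OFF
SETLOCAL
REM //NOLOGO suppresses the cscript banner so that "skip=1" skips only the FIND header line
SET CMD_ADSUTIL=CSCRIPT //NOLOGO %SYSTEMDRIVE%\Inetpub\AdminScripts\adsutil.vbs
REM Safety lock: commands are only ECHOed. Remove this line to apply changes.
SET DEBUG=ECHO

REM Both a credential type and a user name are required
IF ?%1? EQU ?? GOTO :Help
IF ?%2? EQU ?? GOTO :Help

REM Map the credential type to the metabase property pair.
REM Note: the WAM/UNC mappings and the innermost IF are reconstructed from the
REM description above and the usage text below.
SET PROPERTY_TO_FIND=
IF /I ?%1? EQU ?Anonymous? SET PROPERTY_TO_FIND=AnonymousUserName& SET PROPERTY_TO_CHANGE=AnonymousUserPass
IF /I ?%1? EQU ?WAM? SET PROPERTY_TO_FIND=WAMUserName& SET PROPERTY_TO_CHANGE=WAMUserPass
IF /I ?%1? EQU ?UNC? SET PROPERTY_TO_FIND=UNCUserName& SET PROPERTY_TO_CHANGE=UNCPassword
IF ?%PROPERTY_TO_FIND%? EQU ?? GOTO :Help

REM Outer loop: every location where the user name is set.
REM Inner loop: %%K is the quoted user name stored at that location.
FOR /F "usebackq skip=1 tokens=*" %%I IN ( `%CMD_ADSUTIL% FIND %PROPERTY_TO_FIND%` ) DO (
    FOR /F "usebackq tokens=3,* delims= " %%J IN ( `%CMD_ADSUTIL% GET "%%I/%PROPERTY_TO_FIND%"` ) DO (
        IF /I ?%%K? EQU ?%2? %DEBUG% %CMD_ADSUTIL% SET "%%I/%PROPERTY_TO_CHANGE%" %3
    )
)
GOTO :EOF

:Help
REM Display syntax
ECHO %~n0 {Anonymous^|WAM^|UNC} "UserName" [Password]
ECHO Find all [Anonymous^|WAM^|UNC] user accounts matching "UserName" in
ECHO IIS configuration and change its password to [Password]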

Comments (12)

  1. Jeff says:

    Thanks a zillion for the instructions. I have been looking over two weeks for the solution to my anonymous login problem and finally I found it here. Great blog!

  2. David Wang says:


    Hi ,

    I have two web servers. One web server(w2k3Ent) and IIS 6.0 in a work group and One…

  3. Tony says:

    Thank you David.  This solution worked very well for me.  I appreciate the time you take to upload these solutions to your blog.

  4. Brad says:

    Just wanted to add my "Thank you!" along with everyone else. I spent an entire day trying to figure out why my C# sharp program was passing a blank value to AD for UserName. Then came across your articles on 401.1 errors and synching the anonymous user credentials. That did the trick!

  5. Zafer Gurel says:

    Thanks for the article. It was very useful in recovering our IIS metabase. We used IIS Metabase Explorer to restore our IIS from old backups. But we couldn’t run asp files, we got Server Application Error all the time.

    We realized that IIS Metabase Explorer exported the ex-username (IUSR_XXX) but with the installation of the operating system, the IUSR account name had been changed (let’s say IUSR_YYYY).

    When we ran "cscript adsutil.vbs GET W3SVC/AnonymousUserName", we got IUSR_XXX. We changed the Identity of IIS Out of Process Com+ application to IUSR_XXX and tried to run asp files but nothing happened.

    Then  we changed the default IIS anonymous username to IUSR_YYYY and it worked. The following command saved our lives :) :

    cscript adsutil.vbs SET W3SVC/AnonymousUserName "IUSR_YYYY (here your IUSR account name comes)"

    That was not in your article and I wanted to share it with the readers of this article who may face the same problem. That solution was not written elsewhere.

  6. William says:

    Thank you for the URL. However, I’m still having trouble with an IIS 401.1 error (invalid user credentials) with anonymous access enabled. My test page is a simple .htm file with no application processing. I’ve checked the following:

    1) NTFS permissions are set to allow anonymous read/execute access

    2) The passwords in the IIS metabase are synced

    3) The anonymous user has appropriate policy permissions (browse from the network, etc.)

    Any ideas? Thanks in advance

  7. Ray Blair says:

    In your notes you wrote:

    Within the IIS Manager UI, navigate to the "Websites" or "Global" node, right click properties and navigate to the security node to change the anonymous username/password. When you change this value and OK out of the dialog box, the UI will pop up another dialog box telling you all other nodes which have Anonymous username/password custom configured.

    As I have very little knowledge of this, what you mean is to go into that tab and actually change the password that is in the password box, correct? Will that cause the existing site that works to quit working because we changed that password?

    Sorry, I have no clue.


  8. David.Wang says:

    Ray – it can cause an existing site to stop working, or it may cause it to keep working.

    I would caution that you do NOT change any of the other nodes that have custom anonymous username/passwords custom configured. UNLESS you know those nodes also use the same username/password.

    If you do not know, then do not select any of them in the follow-on popup.

    The logic should be clear – if you do not know what you are changing, don’t change it. If you do know what you are changing to synchronize, then by all means change it.


  9. David.Wang says:

    William – For static files, if you selected Anonymous Authentication and the user account is synchronized in the metabase, then the remaining suspect is user permissions modified by Group Policy. Default settings work. If you have tweaked with them, then it may not work.


  10. Jason says:

    I am having problems with my non-domain servers that are trying to connect to my WSUS 3.0 server.  My servers that are in the domain work fine.  The ones that are having issues are getting 401.1 errors, even though Anonymous is enabled.  I think it could be an IUSR_Machine name password issue.  I have read this post and when I run the script I only have one entry for Anonymous, it’s W3SVC.  When I get the user name it does not come back as "Administrator".  It comes back with the IUSR_Machinename.  Should I still update the password or do I have another issue?

  11. Jason says:

    I found something that I think will help.  When a server is trying to use the IUSR_Machinename to logon Anonymous, the IUSR_Machinename is getting locked out.  Has to be a password issue.  Please check my previous post.  Thanks!

  12. David.Wang says:

    Jason – I recommend reading this blog entries on how to troubleshoot 401.1.