IUSR_<machine_name> Default Group Membership

From: Richard Bellamy (rbellamy@XMLSWEB.COM)
Date: 11/10/01

Message-ID:  <005b01c1699c$40d9ba30$671dd7cf@xmlsweb.com>
Date:         Fri, 9 Nov 2001 20:00:36 -0800
From: Richard Bellamy <rbellamy@XMLSWEB.COM>
Subject:      IUSR_<machine_name> Default Group Membership

When Windows 2000 first came out, I attempted, through Restricted Groups
membership, and GPO's, to lock down my member servers in a way I thought
appropriate. When the GPO was applied, it slowly disabled the ability
for my IIS servers to function. come to find out, I had restricted
membership to the Users Local group, and by removing the INTERACTIVE,
and Authenticate Users I caused IIS to fail to load Objects in a
Server.CreateObject call.

I've been looking everywhere for an explanation of the Default Group
membership of the IUSR account in an install of IIS 5.0.

1. Domain Controller:
        A. Domain Users
        B. Guests

2. Member Server:
        A. Guests

However, within the member server, the Local\Users group has the
following membership:
        A. NT AUTHORITY\Authenticated Users
        C. DOMAIN\Domain Users

So. if I'm not mistaken, this then means that the IUSR_<machine_name>
account which is installed on a Domain Controller then has normal users
rights on a member server, because it is technically an "Authenticated
User". Maybe I'm missing something here. perhaps I don't understand the
ramifications of the membership of the Domain-level IUSR account
belonging to the Guests group, as well as the Domain Users group.

My question is: Why does IIS require that IUSR belong to the Domain
Users group when installed on a Domain Controller?

G. Richard Bellamy
Office: 707-887-1830
"Welcome to Open Fire"

Delivery co-sponsored by Trend Micro, Inc.
Earn 5% rebate on licenses purchased for Trend Micro ScanMail for
Microsoft Exchange 2000 between October 1 and November 16. ScanMail
ensures 100% scanning of inbound and outbound traffic and provides
remote software management. For program details or to download your
30-day FREE evaluation copy:

Relevant Pages

  • How to validate "Domain Admin" user?
    ... membership in "Domain Admin" group. ... member server as "LocalSystem". ... Environment is Windows 2000 AD domian. ... a non-english env or if "Domain Admin" group was renamed ...
  • Re: Group membership slow to update on member server?
    ... Did the user logout and logon? ... A user's group membership is cached in the ... I have ISA server on a member server. ...
  • Re: Slow group creation
    ... Membership Caching enabled, the group cache for the account on the ... authenticating domain controller is immediately populated. ... catalog server must be contacted for the logon to proceed. ... they are using the remote DC, it could be a replication delay. ...
  • Pros & Cons...
    ... I'm not very experianced in IIS and was looking for some ... a user perspective (logging on from internet). ... Domain Controller then there's no need no put a domain ... member server, or in a different forest etc??? ...
  • Re: Group Membership Problem
    ... >>> Domain C does not show updated membership info from A, ... >> DCs must be first upgraded to Win2003 prior to upgrading any child domains. ... >> role in the forest root domain must be done first, ... The primary domain controller of the forest root domain so that the ...