Re: IWAM Out of sync

From: Brjann Brekkan (
Date: 10/30/02

From: "Brjann Brekkan" <>
Date: Wed, 30 Oct 2002 23:15:45 +0100

Not sure if it is mentioned in any of the links below, but after you set the
IWAM password, shouldn't we run the SYNCIWAM.Vbs script from Adminscripts?

I think I did this the last time: Change Password on account, change
password on components that run with IWAM, restart service, run script.
I've got my notes at work
Brjann Brekkan
"Karl Levinson [x y] mvp" <> wrote in message
> I assume you're logged in as administrator when you run these commands. I
> also assume you're synching the password in the Metabase with the password
> on the IWAM account in the Windows user database.
> I would probably enable file and registry access failure auditing for all
> the folders and drives on your system, to see what is going on in the
> Windows security event log. I would also try the ADSUTIL.VBS command as
> described below to get the IWAM password and try setting it. If you get
> error and you are logged in as an administrator, you could try
> and reinstalling IIS, and/or you could search for the error message you
> received at or
> or
> I'd also be curious to know whether the problem also happens when you
> the application isolation setting to Low.
> [There may also be other information or things to try in the links below]
> ============
> I'm having a problem with the IUSR_computername or IWAM_computername
> on my computer or IIS web server, or the account keeps getting locked out.
> A: IIS may be using the IWAM_computername account instead of the
> IUSR_computername account when executing web page scripts. If so, there
> be a problem with insufficient permissions or incorrect password on the
> account, especially if you assigned permissions to the IUSR account
> of the IWAM account.
> Use the IIS MMC to look at the "Application Isolation" properties of the
> folder containing the troubled script files. IIS runs application scripts
> using the IWAM account if the "Application Isolation" setting for the
> or the folder containing the script is set to "Medium" or "High."
> [If your web page scripts start working after changing this setting to
> "Low," then you have probably confirmed that you have a problem with the
> IWAM account as described below. If changing this setting does not fix
> problem, then the rest of this article may not apply to you and you should
> consider doing general .ASP troubleshooting using the link below instead:
>;en-us;Q309051 ]
> Like the IUSR account, a copy of the IWAM account password is stored in
> IIS metabase, so that IIS can log on as the IWAM account. IIS cannot log
> as IWAM and/or IUSR if the password in the IIS metabase does not match the
> actual password for that user ID in the Windows security database.
> The ADSUTIL.VBS command can be used to retrieve or change the IWAM and/or
> IUSR ID and/or password stored in the IIS metabase. For example, you may
> need to use the command "ADSUTIL GET" to get the IWAM password from the
> metabase, then use the Windows 2000 / XP / .NET Local Users and Groups MMC
> to change the password on the IWAM account to match.
> More information on using the ADSUTIL.VBS command can be found in the
> articles below:
> If you have deleted or created a new login ID to be used instead of the
> existing IWAM or IUSR account, you may need to grant the new account
> permission to "Log on Locally." See the article below for more
> If an application script or web page on your IIS web server is unable to
> accessing files on another remote computer, you may need to determine
> login ID is being used by the IIS web server to run the script, and set up
> an identical login ID and password for that account on the remote computer
> [or in some cases, the Windows domain]. See the article below for more
> information:
> ============
> Info on enabling auditing:
> =============
> Note that to enable logging of access to files or registry settings, you
> must both enable logging in the overall computer policy AND also add
> auditing settings on individual folders or registry keys in the NTFS
> security properties in Windows Explorer or the REGEDT32 registry editor.
> [Using REGEDIT will not work.] To log file access, the files must be on
> NTFS-formatted partition.
> Note also that to enable logging of security events on a Windows domain,
> must change the auditing policy on all domain controllers. Changing the
> auditing policy on the computers in the domain enables logging of failed
> logins to the computers using local accounts and would not necessarily log
> attempts to log into the domain.
> Consider changing the Windows event log settings to be appropriate for
> environment. Consider increasing the maximum log size to retain more
> information. Be careful not to log too much, or you might find that your
> logs contain only a few minutes or hours worth of data. Finally, check
> logs to be sure logs are really being captured.
> For more information on enabling and configuring auditing, see the
> below:
> a.k.a.
> [look for the NSA Security Recommendation Guides for Windows 2000 and
> also Group Policy]
> 13w2kadc.asp
>;en-us;Q310399 - XP
>;en-us;Q300549 - 2000
>;en-us;Q248260 - 2000
>;en-us;Q301640 - 2000,
> access settings
>;en-us;Q300958 - 2000,
> monitoring for unauthorized user access
>;en-us;Q157238 - NT
> [Thanks to Thomas Deml and others]
> ===================
> What are the minimum or default NTFS file permissions required for IIS,
> and/or how can I restore them?
> How should I configure secure NTFS file permissions to secure my web site
> content?
> A: More information is available in the following articles:
> How to set secure NTFS Permissions on IIS directories and log files -
> Minimum NTFS file permissions required for IIS:
> ============
> "Guillermo Calderon" <> wrote in message
> news:071101c28009$9f1bdea0$37ef2ecf@TKMSFTNGXA13...
> I removed my web server from a domain and included it in a
> workgroup.
> I changed the default IUSR_ and IWAM_ for new accounts, I
> gave them all the security rights needed.
> Now I'm getting errors like "Unable to start a DCOM
> Server" and "Access is denied. " related with Out-Of-
> Process applications and IWAM account when I tried to load
> a default page in the Default Web Site (Isolation Medium
> Pooled). The error in Iexplorer is "Server Application
> Error".
> I tried to apply TechNet articles (in order to sync
> account information in METABASE, SAM and COM+) but it
> wasn't successful.
> When I tried to modify the information about the old IWAM
> account in "Component Services" I got an error related to
> wrong domain; if I run synciwam.vbs from the command line
> I got errors too.
> I'm using Anonymous authentication.
> Please help me
> Guillermo
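
The resync order described at the top of this thread (account password, metabase copy, service restart, SYNCIWAM), written out as a batch file. This is an added example, not part of any poster's message; it assumes IIS 5.x with the admin scripts in the default Inetpub\AdminScripts folder, an administrator command prompt, and an IWAM account that still has the default IWAM_computername name.

```batch
@echo off
rem Added example (not from the thread): resync the IWAM password in the
rem Windows account database, the IIS metabase and COM+.
rem Assumptions: IIS 5.x, default AdminScripts path, run as local Administrator.
setlocal
set ADMINSCRIPTS=%SystemDrive%\Inetpub\AdminScripts

rem Show which account the metabase says IIS uses for out-of-process apps.
cscript //nologo "%ADMINSCRIPTS%\adsutil.vbs" GET w3svc/WAMUserName

rem Assumption: the account still has the default name. If the GET above
rem printed a different name (renamed host, replaced account), edit this line.
set IWAM=IWAM_%COMPUTERNAME%

rem Prompt instead of hard-coding the password in the file. The input is
rem echoed to the console, and characters such as ^& and %% need escaping.
set /p NEWPASS=New password for %IWAM%: 
if "%NEWPASS%"=="" (
    echo No password entered, nothing changed.
    exit /b 1
)

rem 1. Change the password on the account in the Windows user database.
net user %IWAM% "%NEWPASS%"
if errorlevel 1 (
    echo net user failed, metabase left untouched.
    exit /b 1
)

rem 2. Store the same password in the metabase so IIS can log on as IWAM.
cscript //nologo "%ADMINSCRIPTS%\adsutil.vbs" SET w3svc/WAMUserPass "%NEWPASS%"

rem 3. Restart IIS so it picks up the new credentials.
iisreset

rem 4. Push the metabase identity to the COM+ applications that run as IWAM.
rem    -v prints each application it updates, or the error it hit.
cscript //nologo "%ADMINSCRIPTS%\synciwam.vbs" -v

endlocal
```

If step 4 reports errors, the Windows security event log (with logon failure auditing enabled as described in the quoted reply) shows which account name the failed logon used.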