Advancing Productivity and Operational Efficiency through Cloud Services and Apps


January 2009

Retrieve the IUSR (Anonymous) password using the IIS Resource Kit Metabase Explorer

Just recently, while troubleshooting a 401 Unauthorized error on an FBA site in SharePoint, I discovered that someone had accidentally changed the password of the IUSR account (IIS Anonymous User) on one of the IIS Web Sites.

The error in the browser was “HTTP Error 401.1 – Unauthorized: Access is denied due to invalid credentials.” I’ve blogged about this sort of error before, and there can be many culprits. But having gone over the scenarios I know of that might cause this with no luck, I decided to look at the Event Viewer Security logs.

I quickly discovered a series of Failure Audits with event IDs 680, 529, 539. Event ID 529 was the one that caught my attention:

Logon Failure:
     Reason:        Unknown user name or bad password
     User Name:    IUSR_…

The problem was very apparent: there was an issue with the credentials being supplied by the IUSR account. I tested a number of other sites, none of which generated the error, so it was definitely isolated to this particular web application (IIS Web Site). I verified the user account and it was fine, so it had to be the password. I searched the web for a way to retrieve the IUSR account password, and everything seemed to indicate that I should use the adsutil.vbs script (which works well; just remember to change “IsSecureProperty = True” to “IsSecureProperty = False”). But I also saw a comment referencing the “Metabase Explorer”, which is very cool: something that would let me browse through the IIS Metabase.
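The Security-log triage described above can be repeated over an exported log. The following is an added example, not part of the original post: it counts the 529 and 539 failure audits per account and lists the IUSR_ accounts among them. The plain-text export layout, the host name and the account names are constructed for illustration.

```python
import re
from collections import defaultdict

# Failure-audit IDs named in the post (pre-Vista Security log numbering).
LOGON_FAILURES = {529: "bad_password", 539: "locked_out"}
FIELD = re.compile(r"^\s*([^:\n]+):[ \t]*(.*)$", re.M)

# Constructed sample in an assumed plain-text export layout; the host and
# account names are made up for illustration.
SAMPLE_EXPORT = """\
Event ID: 529
Logon Failure:
     Reason:        Unknown user name or bad password
     User Name:    IUSR_WEB01

Event ID: 529
Logon Failure:
     Reason:        Unknown user name or bad password
     User Name:    jsmith

Event ID: 539
Logon Failure:
     Reason:        Account locked out
     User Name:    IUSR_WEB01

Event ID: 680
Logon account: IUSR_WEB01
"""

def parse_events(text):
    """Split the export on blank lines and yield (event_id, fields) pairs."""
    for record in re.split(r"\n\s*\n", text.strip()):
        fields = {k.strip(): v.strip() for k, v in FIELD.findall(record)}
        if fields.get("Event ID", "").isdigit():
            yield int(fields["Event ID"]), fields

def failures_by_account(text):
    """Count 529/539 failure audits per account name; other IDs are ignored."""
    counts = defaultdict(lambda: {"bad_password": 0, "locked_out": 0})
    for event_id, fields in parse_events(text):
        kind = LOGON_FAILURES.get(event_id)
        if kind and "User Name" in fields:
            counts[fields["User Name"]][kind] += 1
    return dict(counts)

def failing_anonymous_accounts(text):
    """IUSR_* accounts with failure audits: the credential IIS itself supplies."""
    return sorted(a for a in failures_by_account(text) if a.upper().startswith("IUSR_"))
```

An IUSR_ account in the result points at the password stored for the web site rather than at anything a visitor typed, which is the conclusion reached above.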

I downloaded and installed the IIS Resource Kit and used it to retrieve the password of the IUSR account (IIS Anonymous User.)

After installing the IIS Resource Kit, follow these steps to retrieve the IUSR password using the Metabase Explorer:

  1. Open the IIS Metabase Explorer by going to Start > All Programs > IIS Resources > Metabase Explorer > Metabase Explorer
  2. Go to the “View” menu and click on “Secured Data” (this will make sure the password is not displayed as asterisks) and “Inherited Data” (this will display any data that the web site is inheriting from the default)


  3. Expand the W3SVC Branch
  4. Expand the Branch of an IIS site that is running anonymous access

    Note: To determine the ID of the IIS site, select the “Web Sites” node in IIS and look for the Identifier column in the right pane.

  5. Select the “Root” node and look for the AnonymousUserPass property in the right pane.

Stopping and Restarting WSS 3.0 and Microsoft Office SharePoint 2007 (MOSS)

There isn’t much information out there on the subject (at least not much that I’ve been able to find, and/or consider reliable.) The following steps describe my preferred approach to stop Windows SharePoint Services 3.0 and Microsoft Office SharePoint 2007 (MOSS) in most typical farm environments. It is based on Microsoft’s recommended approach for moving SharePoint related databases.

  1. Shut down the World Wide Web Publishing Service on the front-end servers to prevent any users from accessing content. You may want to consider quiescing the farm.
  2. In the Services snap-in on the server(s) running Central Administration, stop the following services:

    Microsoft Single Sign-On service (MOSS only)

    Office Document Conversions Launcher service  (MOSS only)

    Office Document Conversions Load Balancer service (MOSS only)

    Office SharePoint Server Search service (MOSS only)

    Windows SharePoint Services Administration service

    Windows SharePoint Services Search service

    Windows SharePoint Services Timer service

    Windows SharePoint Services Tracing service

    Windows SharePoint Services VSS Writer service

  3. On the server(s) running Central Administration, stop Internet Information Services by opening the command prompt and running iisreset /stop

If restarting the farm, restart the server running Central Administration first, followed by any application servers, and finally the web front-end servers.

Please note that the approach may vary from farm to farm based on how it is configured, for example: if the Central Administration server is also an application server or front-end server, if there are any third-party tools or services running on the server, or if the Shared Service Provider is being consumed by any other farms.


Move all databases (Windows SharePoint Services 3.0)
Move all databases (Office SharePoint Server 2007)
