Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

You cannot resolve built-in IIS accounts after you install AD DS on a Windows Server 2008-based or later-version-based server that is running IIS

View products that this article applies to.


Consider the following scenario:
  • You have a server that is running Windows Server 2008 or a later version.
  • The server is running Internet Information Services (IIS).
  • You install Active Directory Domain Services (AD DS) to set the server as a domain controller of a Windows 2000-based or Windows Server 2003-based domain. 
  • The PDC Emulator operations master role (also known as flexible single master operations or FSMO) is not located on the Windows Server 2008-level or higher-level domain controller.

In this scenario, you cannot resolve the built-in IIS accounts, such as the IIS_IUSRS group and the IUSR guest user account. You can see only the raw security identifier (SID) of the built-in IIS accounts.

Note This problem does not occur if the following conditions are true:
  • You set the Windows Server-based or later-version-based server as a domain controller. 
  • The PDC emulator operations master role is running on the Windows 2000-based or Windows Server 2003-based domain controller.

↑ Back to the top


This problem occurs because the IIS built-in accounts such as IUSR and IIS_IUSRS do not exist in earlier domains, such as Windows 2000-based and Windows Server 2003-based domains. When the server that is running IIS is set as a Windows 2000-based or Windows Server 2003-based domain controller and the PDC emulator operations master role is running on one of these domain controllers, the accounts for Windows Server 2008 or later versions cannot be resolved. 

↑ Back to the top


To resolve this problem, save the following script as a JScript (.js) file, and then run the following command: 
cscript.exe KB946139.js
Note You must restart the server after you run this script.
/* SamUpgradeTask.js (c) 2007, Microsoft Corp. */ // Check the version of the operating system. Stop the script if the version is earlier than 6. if ( ! CheckOSVersion() ) { WScript.Echo("ERROR: This script will only work on Longhorn Server or above."); WScript.Quit(1); } // Retrieve the local computer's rootDSE LDAP object. var localRootDse = null; try { localRootDse = GetObject("LDAP://localhost/rootDSE"); } catch(e) { WScript.Echo("There was an error attempting to retrieve the localhost RootDSE object."); WScript.Echo("Perhaps this machine is not a Domain Controller on the network?"); WScript.Echo("ErrorCode: " + e.number); WScript.Quit(1); } // Retrieve several rootDSE properties var dnsHostName = localRootDse.Get("dnsHostName"); var dsServiceName = localRootDse.Get("dsServiceName"); var defaultNamingContext = localRootDse.Get("defaultNamingContext"); // Open the default naming context var ncObj = GetObject("LDAP://" + defaultNamingContext); // Get the "FSMO Role Owner" var strfsmoNtdsa = ncObj.FsmoRoleOwner; var fsmoNtdsaObj = GetObject("LDAP://" + strfsmoNtdsa); // Get the parent object of "FSMO Role Owner" var fsmoServerObj = GetObject(fsmoNtdsaObj.Parent); // By using the Server Reference, retrieve the name of the PDC computer var strFsmoComputer = fsmoServerObj.ServerReference; var fsmoComputerObj = GetObject("LDAP://" + strFsmoComputer); var pdcName = fsmoComputerObj.Get("name"); // Get the RootDSE object for the PDC var pdcRootDse = GetObject("LDAP://" + pdcName + "/rootDSE"); // Check whether the PDC is a legacy domain or not. var domainControllerFunctionality = pdcRootDse.Get("domainControllerFunctionality"); if ( domainControllerFunctionality > 2 ) { WScript.Echo("Domain is already operating in a mode higher than Windows Server 2003 mode. Stopping script execution."); WScript.Quit(0); } // Get the default naming context for the PDC var pdcDefaultNamingContext = pdcRootDse.Get("defaultNamingContext"); // Retrieve the well known object from the PDC var pdcSystem = GetObject("LDAP://" + pdcName + "/<WKGUID=AB1D30F3768811D1ADED00C04FD8D5CD," + pdcDefaultNamingContext + ">"); // Get the distinguished name for the well known object var pdcDistinguishedName = pdcSystem.Get("distinguishedName"); // Check whether the task has already been run var taskMarker = null; try { taskMarker = GetObject("LDAP://" + pdcName + "/<WKGUID=6ACDD74F3F314ae396F62BBE6B2DB961,CN=Server," + pdcDistinguishedName + ">"); } catch(e) { if ( e.number == -2147016656 ) // Check and see if error code is ERROR_DS_NO_SUCH_OBJECT { taskMarker = null; } else { WScript.Echo("Error attempting to retrieve well known object from PDC."); WScript.Echo("Name: " + + "\nDescription: " + e.description + "\nCode: " + e.number + "\nMessage: " + e.message); WScript.Quit(1); } } // If the well known object exists, the SAM upgrade is already running. Therefore, stop the script. if ( taskMarker != null ) { WScript.Echo("SAM upgrade task already being run. No work done."); WScript.Quit(1); } // Get the Server container with that distinguished name var serverObj = GetObject("LDAP://" + pdcName + "/CN=Server," + pdcDistinguishedName); // Prepare a safe array (for example, VBArray) with one entry var jsArray = new Array(1); jsArray[0] = "B:32:6ACDD74F3F314ae396F62BBE6B2DB961:"+ dsServiceName; var vbArray = JS2VBArray(jsArray); try { // Append an entry to the "Other-Well-Known-Objects" attribute for the // previous server object. serverObj.PutEx(3, "otherWellKnownObjects", vbArray); serverObj.SetInfo(); } catch(e) { WScript.Echo("Unexpected error attempting to put the well known GUID."); WScript.Echo("ErrorCode: " + e.number); } WScript.Echo("Running upgrade task."); // Set the "runSamUpgradeTasks" attribute in the local rootDSE localRootDse.Put("runSamUpgradeTasks", 1); localRootDse.SetInfo(); // Remote the binary data from the previous well known object entry serverObj.PutEx(4, "otherWellKnownObjects", vbArray); serverObj.SetInfo(); // The upgrade is complete. WScript.Echo("Done!"); function CheckOSVersion() { var wbemFlagReturnImmediately = 0x10; var wbemFlagForwardOnly = 0x20; var objWMIService = GetObject("winmgmts:\\\\.\\root\\CIMV2"); var colItems = objWMIService.ExecQuery("SELECT * FROM Win32_OperatingSystem", "WQL", wbemFlagReturnImmediately | wbemFlagForwardOnly); var enumItems = new Enumerator(colItems); for (; !enumItems.atEnd(); enumItems.moveNext()) { var objItem = enumItems.item(); var fullVersion = objItem.Version; var indexPoint = fullVersion.indexOf("."); if ( indexPoint == -1 ) { return false; } var majorVersion = fullVersion.substring(0, indexPoint); return (majorVersion >= "6"); } return false; } function JS2VBArray( objJSArray ) { var dictionary = new ActiveXObject( "Scripting.Dictionary" ); for ( var i = 0; i < objJSArray.length; i++ ) { dictionary.add( i, objJSArray[ i ] ); } return dictionary.Items(); }

↑ Back to the top


This behavior is by design.

↑ Back to the top

Keywords: kbtshoot, kbexpertiseinter, kbprb, kb

↑ Back to the top

Article Info
Article ID : 946139
Revision : 3
Created on : 4/17/2018
Published on : 4/18/2018
Exists online : False
Views : 327