
Answered Thread: IUSR Built-in Account Associated with Users Group?

Last post 08-29-2008 12:32 PM by kazutsugu. 6 replies.

 


  • 11-27-2007, 4:29 PM

    • Switche
    • Not Ranked
    • Joined on 11-26-2007, 8:46 PM
    • Posts 9

    IUSR Built-in Account Associated with Users Group?

    From my understanding, the default anonymous user for IIS is now named "NT AUTHORITY\IUSR", is now a built-in Windows account, and thusly can no longer be managed as a normal Windows user could.

    I found that there is some kind of unlisted association of this account with the "Users" Windows group. For example, if I keep default Anonymous Authentication as "IUSR" for a new Web site, the Web site can be accessed with no file system security changes. I guessed that this access was associated with the "Users" Windows group based on the ACL of the home directory, and wanted to test that theory. The "Users" group does not contain the "NT AUTHORITY\IUSR" built-in account in the members collection, and temporarily removing all users from the group's members collection still allows access. However, if I temporarily remove "Users" entirely from the ACL of the Web site home directory itself, I receive a "401 - Unauthorized" error. This suggests some permanent, built-in association of "IUSR" account to the "Users" group.

    Can someone explain this association to me, and explain in further detail what the "IUSR" account has access to, and if/how this access can be changed?

  • 11-27-2007, 4:51 PM In reply to

    • anilr
    • Top 10 Contributor
    • Joined on 05-23-2006, 10:13 PM
    • Redmond, WA
    • Posts 2,343

    Answered Re: IUSR Built-in Account Associated with Users Group?

    By default, "BUILTIN\Users" contains "NT Authority\Authenticated Users" and all tokens (except null session token) contain "NT Authority\Authenticated Users" - this is how giving access to BUILTIN\Users gives access to "NT Authority\IUSR"

    Anil Ruia
    Senior Software Design Engineer
    IIS Core Server
  • 11-27-2007, 7:30 PM In reply to

    • Switche
    • Not Ranked
    • Joined on 11-26-2007, 8:46 PM
    • Posts 9

    Re: IUSR Built-in Account Associated with Users Group?

    Thanks for your reply, anilr. 

    If this is the case, why does removing the "NT Authority\Authenticated Users" from "BUILTIN\Users" group not produce the same 401 error as removing the "BUILTIN\Users" group from the Web site home directory's ACL?

  • 11-27-2007, 7:47 PM In reply to

    • anilr
    • Top 10 Contributor
    • Joined on 05-23-2006, 10:13 PM
    • Redmond, WA
    • Posts 2,343

    Re: IUSR Built-in Account Associated with Users Group?

    You would have to restart IIS (iisreset or net stop was /y & net start w3svc) to get a new token since the cached token would still reflect the old group memberships.

    Anil Ruia
    Senior Software Design Engineer
    IIS Core Server
  • 11-29-2007, 3:06 PM In reply to

    • Switche
    • Not Ranked
    • Joined on 11-26-2007, 8:46 PM
    • Posts 9

    Re: IUSR Built-in Account Associated with Users Group?

    I verified all my settings were still in place, then performed an iisreset. After the reset, I was indeed receiving the same 401 error denying access. I verified this in a new browser process as well. I re-added "NT Authority\Authenticated Users" back to the Users group and iisreset again, but I was still being denied access.

    I performed a few more iisresets and test hits to the site in confusion, and suddenly I was receiving a generic "page not found" error. I checked IIS and my test Web site was gone. applicationHost.config had no entries pertaining to the site.

    I rebooted the machine, re-created the Web site from scratch, including a new physical home directory, and performed these tests again from step 1.

    Now I'm not able to reproduce the behavior you mentioned. I am granted access to the site even after removing "NT Authority\Authenticated Users" from the Users group and performing an iisreset. Removing the Users group from the home directory ACL still denies access without an iisreset, and can be undone also without an iisreset. I verified the authentication is still anonymous/"IUSR" on the site.

    Any ideas what's going on?

  • 12-07-2007, 7:16 PM In reply to

    • anilr
    • Top 10 Contributor
    • Joined on 05-23-2006, 10:13 PM
    • Redmond, WA
    • Posts 2,343

    Re: IUSR Built-in Account Associated with Users Group?

    Hmm, seems like IUSR token is always member of Users group (even when authenticated users is removed from users group) - maybe something to do with the fact that it is a builtin account with service logon - investigating this more.

    Anil Ruia
    Senior Software Design Engineer
    IIS Core Server
  • 08-29-2008, 12:32 PM In reply to

    Re: IUSR Built-in Account Associated with Users Group?

    Hi,

    I want to remove the "NT Authority\Authenticated Users" group from the local Users group.

    I did, and exactly as you explain, I get a 401 error.

    Is there a workaround? I mean a way to run ASP, and ASPX without having the "NT Authority\Authenticated Users" group in the local Users group?

    Thanks a lot in advance,

    Kazu
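
The two things compared throughout this thread, the listed members of the local Users group and the ACEs on the site's home directory, can be checked side by side. The script below is an added example, not code from any poster; `$SitePath` and the function name `Get-BroadAce` are hypothetical, and it assumes Windows PowerShell 5.1 or later with the LocalAccounts module.

```powershell
# Added example: audit which ACEs on a site's home directory name a broad
# principal, next to the listed members of the local Users group.
# $SitePath is a placeholder; point it at the site's physical path.
param(
    [string]$SitePath = 'C:\inetpub\wwwroot'
)

# Well-known SIDs, identical on every Windows installation.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-17'     = 'NT AUTHORITY\IUSR'
}

function Get-BroadAce {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    # Request SIDs instead of names so matching does not depend on the OS language.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($BroadSids.ContainsKey($sid)) {
            [pscustomobject]@{
                Principal = $BroadSids[$sid]
                Type      = $rule.AccessControlType   # Allow or Deny
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# 1. Listed members of BUILTIN\Users (the group's "members collection").
Get-LocalGroupMember -SID 'S-1-5-32-545' |
    Select-Object Name, SID, ObjectClass

# 2. ACEs on the home directory that name one of the broad principals above.
Get-BroadAce -Path $SitePath | Format-Table -AutoSize
```

Run it before and after an ACL or group change; per the reply above, group changes only show up in the worker's token after IIS is restarted.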
