You cannot resolve built-in IIS accounts after you install AD DS on a Windows Server 2008-based or later-version-based server that is running IIS


Consider the following scenario:
  • You have a server that is running Windows Server 2008 or a later version.
  • The server is running Internet Information Services (IIS).
  • You install Active Directory Domain Services (AD DS) to set the server as a domain controller of a Windows 2000-based or Windows Server 2003-based domain. 
  • The PDC Emulator operations master role (one of the flexible single master operations, or FSMO, roles) is not located on the Windows Server 2008-level or higher-level domain controller.

In this scenario, you cannot resolve the built-in IIS accounts, such as the IIS_IUSRS group and the IUSR guest user account. You can see only the raw security identifier (SID) of the built-in IIS accounts.

Note This problem does not occur if the following conditions are true:
  • You set the Windows Server 2008-based or later-version-based server as a domain controller. 
  • The PDC emulator operations master role is running on the Windows 2000-based or Windows Server 2003-based domain controller.


This problem occurs because the IIS built-in accounts, such as IUSR and IIS_IUSRS, do not exist in earlier domains, such as Windows 2000-based and Windows Server 2003-based domains. When the server that is running IIS is set as a domain controller of a Windows 2000-based or Windows Server 2003-based domain, and the PDC emulator operations master role is running on one of the earlier domain controllers, the accounts that were introduced in Windows Server 2008 or later versions cannot be resolved. 


To resolve this problem, save the following script as a JScript (.js) file, and then run the following command: 
cscript.exe KB946139.js
Note You must restart the server after you run this script.
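/* SamUpgradeTask.js (c) 2007, Microsoft Corp. */
//
// Triggers the SAM upgrade task on this (Windows Server 2008 or later) domain
// controller so that the newer built-in accounts become resolvable while the
// PDC emulator is still at Windows 2000 / Windows Server 2003 level.
//
// Flow:
//   1. Refuse to run on an OS with major version below 6.
//   2. Read the local rootDSE (only works on a domain controller).
//   3. Follow fsmoRoleOwner to the PDC emulator and read its rootDSE; exit if
//      its domainControllerFunctionality is already above 2 (Windows Server 2003).
//   4. Write a marker value into otherWellKnownObjects on CN=Server under the
//      PDC's System container, so that two concurrent runs do not both start
//      the task.
//   5. Set runSamUpgradeTasks=1 on the local rootDSE, then remove the marker.
//
// Operational notes:
//   - Steps 4 and 5 write to directory objects on the PDC emulator and to the
//     local rootDSE; the account running cscript.exe needs write access to
//     those objects (in practice Domain Admin-level rights -- confirm for
//     your environment). Run it on the new DC and restart the server afterwards.
//   - Every LDAP path below is built from values read out of AD itself; the
//     script takes no command-line or user input.

// ADS_PROPERTY_OPERATION_ENUM values used with IADs.PutEx.
var ADS_PROPERTY_APPEND = 3;
var ADS_PROPERTY_DELETE = 4;

// ERROR_DS_NO_SUCH_OBJECT as surfaced to JScript (HRESULT 0x80072030).
var ERROR_DS_NO_SUCH_OBJECT = -2147016656;

// Fail fast on anything older than OS major version 6 ("Longhorn Server").
if (!CheckOSVersion()) {
    WScript.Echo("ERROR: This script will only work on Longhorn Server or above.");
    WScript.Quit(1);
}

// Bind to the local rootDSE; failure almost always means this box is not a DC.
var localRootDse = null;
try {
    localRootDse = GetObject("LDAP://localhost/rootDSE");
} catch (e) {
    WScript.Echo("There was an error attempting to retrieve the localhost RootDSE object.");
    WScript.Echo("Perhaps this machine is not a Domain Controller on the network?");
    WScript.Echo("ErrorCode: " + e.number);
    WScript.Quit(1);
}

// dsServiceName identifies this DC's NTDS Settings object; it becomes part of
// the marker value so the marker records which DC started the task.
var dsServiceName = localRootDse.Get("dsServiceName");
var defaultNamingContext = localRootDse.Get("defaultNamingContext");

// Walk to the PDC emulator:
//   naming context -> fsmoRoleOwner (NTDS Settings) -> parent Server object
//   -> serverReference (computer object) -> its "name".
var ncObj = GetObject("LDAP://" + defaultNamingContext);
var strfsmoNtdsa = ncObj.FsmoRoleOwner;
var fsmoNtdsaObj = GetObject("LDAP://" + strfsmoNtdsa);
var fsmoServerObj = GetObject(fsmoNtdsaObj.Parent);
var strFsmoComputer = fsmoServerObj.ServerReference;
var fsmoComputerObj = GetObject("LDAP://" + strFsmoComputer);
var pdcName = fsmoComputerObj.Get("name");

// Nothing to do if the PDC already reports a functionality level above
// Windows Server 2003 (2).
var pdcRootDse = GetObject("LDAP://" + pdcName + "/rootDSE");
var domainControllerFunctionality = pdcRootDse.Get("domainControllerFunctionality");
if (domainControllerFunctionality > 2) {
    WScript.Echo("Domain is already operating in a mode higher than Windows Server 2003 mode. Stopping script execution.");
    WScript.Quit(0);
}

// Resolve the PDC's System container through its well-known GUID and take its
// DN; the marker lives on CN=Server underneath it.
var pdcDefaultNamingContext = pdcRootDse.Get("defaultNamingContext");
var pdcSystem = GetObject("LDAP://" + pdcName + "/<WKGUID=AB1D30F3768811D1ADED00C04FD8D5CD," + pdcDefaultNamingContext + ">");
var pdcDistinguishedName = pdcSystem.Get("distinguishedName");

// Look for an existing marker. ERROR_DS_NO_SUCH_OBJECT means no other run is
// in progress; any other failure is reported and aborts the script.
var taskMarker = null;
try {
    taskMarker = GetObject("LDAP://" + pdcName + "/<WKGUID=6ACDD74F3F314ae396F62BBE6B2DB961,CN=Server," + pdcDistinguishedName + ">");
} catch (e) {
    if (e.number == ERROR_DS_NO_SUCH_OBJECT) {
        taskMarker = null;
    } else {
        WScript.Echo("Error attempting to retrieve well known object from PDC.");
        // The original read '"Name: " + + "\nDescription: "', which silently
        // dropped the error name from the output.
        WScript.Echo("Name: " + e.name + "\nDescription: " + e.description + "\nCode: " + e.number + "\nMessage: " + e.message);
        WScript.Quit(1);
    }
}
if (taskMarker != null) {
    WScript.Echo("SAM upgrade task already being run. No work done.");
    WScript.Quit(1);
}

// Claim the marker: append "B:32:<guid>:<this DC's NTDS Settings DN>" to
// otherWellKnownObjects on CN=Server. PutEx wants a COM safe array.
var serverObj = GetObject("LDAP://" + pdcName + "/CN=Server," + pdcDistinguishedName);
var markerValue = "B:32:6ACDD74F3F314ae396F62BBE6B2DB961:" + dsServiceName;
var vbArray = JS2VBArray([markerValue]);
var markerWritten = false;
try {
    serverObj.PutEx(ADS_PROPERTY_APPEND, "otherWellKnownObjects", vbArray);
    serverObj.SetInfo();
    markerWritten = true;
} catch (e) {
    // Deliberately non-fatal, as in the original: the upgrade still proceeds,
    // but a concurrent run on another DC would not be detected.
    WScript.Echo("Unexpected error attempting to put the well known GUID.");
    WScript.Echo("ErrorCode: " + e.number);
}

WScript.Echo("Running upgrade task.");

// Trigger the task on the local DC.
localRootDse.Put("runSamUpgradeTasks", 1);
localRootDse.SetInfo();

// Release the marker -- only if we actually wrote it, otherwise the delete
// would fail after the task has already been triggered.
if (markerWritten) {
    serverObj.PutEx(ADS_PROPERTY_DELETE, "otherWellKnownObjects", vbArray);
    serverObj.SetInfo();
}

WScript.Echo("Done!");

// Returns true when the local OS major version, taken from
// Win32_OperatingSystem.Version ("6.0.6001" style), is 6 or higher.
// Only the first WMI row is examined, as in the original.
// The original compared the major version as a string ("10" >= "6" is false),
// which would wrongly reject Windows Server 2016 and later; compare numerically.
function CheckOSVersion() {
    var wbemFlagReturnImmediately = 0x10;
    var wbemFlagForwardOnly = 0x20;
    var objWMIService = GetObject("winmgmts:\\\\.\\root\\CIMV2");
    var colItems = objWMIService.ExecQuery("SELECT * FROM Win32_OperatingSystem", "WQL", wbemFlagReturnImmediately | wbemFlagForwardOnly);
    var enumItems = new Enumerator(colItems);
    for (; !enumItems.atEnd(); enumItems.moveNext()) {
        var fullVersion = enumItems.item().Version;
        var indexPoint = fullVersion.indexOf(".");
        if (indexPoint == -1) {
            return false;
        }
        var majorVersion = parseInt(fullVersion.substring(0, indexPoint), 10);
        return !isNaN(majorVersion) && majorVersion >= 6;
    }
    return false;
}

// Converts a JScript array into a COM safe array (VBArray) by round-tripping
// it through Scripting.Dictionary.Items(); PutEx does not accept a plain
// JScript array for multi-valued attributes.
function JS2VBArray(objJSArray) {
    var dictionary = new ActiveXObject("Scripting.Dictionary");
    for (var i = 0; i < objJSArray.length; i++) {
        dictionary.add(i, objJSArray[i]);
    }
    return dictionary.Items();
}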


This behavior is by design.


Article ID: 946139 - Last Review: Apr 28, 2014 - Revision: 1