Discussion:
Change password for IUSR account
(too old to reply)
dni
2007-05-30 21:28:02 UTC
Permalink
When we have an IT Audit we get flagged for domain user has no required
password. The accounts are IUSR_servername that were created by WSUS. Can
these passwords be changed without messing up WSUS and if so where and how.
Thanks.
Lawrence Garvin (MVP)
2007-05-30 22:31:35 UTC
Permalink
Post by dni
When we have an IT Audit we get flagged for domain user has no required
password. The accounts are IUSR_servername that were created by WSUS.
The IUSR_servername *should* have a password, and this account is *not*
created by WSUS, it's created by the installation of Internet Information
Services.

You'd get a warning as a domain user account only if IIS has been installed
on a Domain Controller. This may, or may not, be the IUSR_ account being
used by WSUS.
Post by dni
Can
these passwords be changed without messing up WSUS and if so where and how.
Yes, you'd need to change the password in two places:
[a] Change it in Active Directory Users and Computers.
[b] Change it on *every* DC-based installation of Internet Information
Services
[c] Do *NOT* change the password on IIS installations that are not on
DCs, because they're actually using a *local* account and password, not the
domain account and password.
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E

Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx

And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
....
Special Access
2007-05-31 00:36:54 UTC
Permalink
On Wed, 30 May 2007 14:28:02 -0700, dni
Post by dni
When we have an IT Audit we get flagged for domain user has no required
password. The accounts are IUSR_servername that were created by WSUS. Can
these passwords be changed without messing up WSUS and if so where and how.
Thanks.
IF I am reading this correct, you got tagged because the account "does
not require a password". If this is true, then run this command:

net user iusr_<servername> /passwordreq:yes

This will set the "password required" flag and should pass the DISA
scanner. It should be noted that setting this flag does NOT/NOT
require you to have or change the existing password.

Mike
Lawrence Garvin (MVP)
2007-05-31 02:41:16 UTC
Permalink
Post by Special Access
On Wed, 30 May 2007 14:28:02 -0700, dni
Post by dni
When we have an IT Audit we get flagged for domain user has no required
password. The accounts are IUSR_servername that were created by WSUS. Can
these passwords be changed without messing up WSUS and if so where and how.
Thanks.
IF I am reading this correct, you got tagged because the account "does
not require a password".
Good point, and my misunderstanding. Thanks for jumping in!
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E

Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx

And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
....
Special Access
2007-05-31 09:36:09 UTC
Permalink
On Wed, 30 May 2007 21:41:16 -0500, "Lawrence Garvin \(MVP\)"
Post by Lawrence Garvin (MVP)
Post by Special Access
On Wed, 30 May 2007 14:28:02 -0700, dni
Post by dni
When we have an IT Audit we get flagged for domain user has no required
password. The accounts are IUSR_servername that were created by WSUS. Can
these passwords be changed without messing up WSUS and if so where and how.
Thanks.
IF I am reading this correct, you got tagged because the account "does
not require a password".
Good point, and my misunderstanding. Thanks for jumping in!
I have dealt with DISA security scans about weekly for the past 16-18
months. I have grown to hate them with a passion <grin>

Not sure if this is his problem, but it is an alternative.

Mike
dni
2007-05-31 14:16:01 UTC
Permalink
Yes the hit is that the user account has no required password. I will run the
net use command you suggested.

Thanks
Ozzie
Post by Special Access
On Wed, 30 May 2007 14:28:02 -0700, dni
Post by dni
When we have an IT Audit we get flagged for domain user has no required
password. The accounts are IUSR_servername that were created by WSUS. Can
these passwords be changed without messing up WSUS and if so where and how.
Thanks.
IF I am reading this correct, you got tagged because the account "does
net user iusr_<servername> /passwordreq:yes
This will set the "password required" flag and should pass the DISA
scanner. It should be noted that setting this flag does NOT/NOT
require you to have or change the existing password.
Mike
Loading...