IIS AppPool Account Password Reset

Normally, Windows domain accounts are used as the identities that run IIS app pools. Whenever the password of such a domain account is changed on the domain controller, the new password has to be updated individually in every app pool that uses that account, otherwise the web applications stop running. Since each domain account is typically used to run numerous app pools, manually propagating every password change is a tedious job for an IT admin.

PAM360 can identify the IIS app pools that run under a specific Windows domain account stored in PAM360. When the password of such a domain account is reset through PAM360, it finds the app pools that run under that account and automatically updates the app pool identities with the new password after the domain account password has been reset.

To add app pool accounts to PAM360 and to achieve automated password resets, carry out the following steps in the GUI:

Summary of Steps

  1. Add Domain Controller as a Resource
  2. Add Domain Admin Account and IIS AppPool Accounts
  3. Add Domain Member Servers as New Resources and Create Resource Group
  4. Configure Remote Password Reset for IIS AppPool Account
  5. Associate Resource Groups for the IIS AppPool Account
  6. Verify Supported IIS AppPool Accounts
  7. Change Password

Note: Use-case illustration

For a quicker understanding of the procedure, the following references have been used in the steps:

  • Domain Controller is DC1.
  • Windows Domain Name is PAM360DC.
  • Domain Administrator account is DA1.
  • App pool accounts are A1 and A2.
  • Domain member servers that make use of the app pool account A1 are Win1, Win2, Win3, and Win4.
  • Resource Group is RG1, consisting of Win1, Win2, Win3, and Win4.

1. Add Domain Controller as a Resource

  1. Navigate to Resources tab.
  2. Click on Add Resource button, and select Add Manually from the dropdown.
  3. In the pop-up form that opens, add the Domain Controller DC1 as a new resource with Resource Type set to Windows Domain.
  4. Enter the NETBIOS name PAM360DC, in upper case, in the Domain Name field.
  5. Fill in the other details such as DNS.
  6. Click Save & Proceed.

2. Add Domain Admin Account and IIS AppPool Accounts

  1. Navigate to Resources tab.
  2. Click the Resource Actions icon against the newly added resource and select Add Accounts from the drop down list.
  3. In the pop-up form that opens, add the domain administrator account DA1 and click Add.
  4. Then, continue to add the app pool accounts A1, A2 in the same way. When you are done, click Save.

3. Add Domain Member Servers as New Resources and Create Resource Group

Continue by adding the other member servers of the domain, Win1, Win2, Win3, and Win4, as new resources in the same way as explained above.

  1. Navigate to Resources tab.
  2. Click the Add Resource button and add the member servers along with their respective local accounts.
  3. Now, go to the Groups tab, click the Add group button and select Dynamic Group from the drop down.
  4. In the pop-up form that opens, name the group RG1, choose Match any of the following, and select Win1, Win2, Win3 and Win4.
  5. Click Save.

Alternate step: Automated discovery of resources and associated accounts

Instead of manual addition explained in Step 3, you can also discover the required resources and groups in your domain by following the steps given below:

  1. Navigate to Resources tab.
  2. Select Discover Resources given at the top of the resources list.
  3. Supply your domain details (PAM360DC) in the Windows screen and click Fetch Groups and OUs.
  4. From the enumerated list, select the Groups or OUs that you would like to import.
  5. Click Import. This will fetch your Groups/OUs and list them under Groups, in this case.
  6. The member servers in the imported Groups/OUs will also be listed individually under Resources along with their respective local accounts.

4. Configure Remote Password Reset for IIS AppPool Account

For PAM360 to reset the app pool account password in the domain, the Windows Domain resource DC1 must first be configured with the domain administrator account DA1 as its Administrator Account:

  1. Navigate to Resources tab.
  2. Click the Resource Actions icon against the WindowsDomain DC1 resource and select Configure password reset from the drop down.
  3. In the pop-up form that appears, select the Domain Admin account DA1 as the Administrator Account.
  4. Click Save.

5. Associate Resource Groups for the IIS AppPool Account

  1. Click on the WindowsDomain DC1 resource name.
  2. In the UI that opens, click the Account Actions icon against the app pool account (A1 in this case) and then select Edit account from the drop down.
  3. In the pop-up form that appears, associate resource groups with this app pool account by moving RG1 to the selected box.
  4. Check Restart IIS AppPools if you would like PAM360 to restart the app pools immediately after their passwords are updated.
  5. Click Save.

6. Verify Supported IIS AppPool Accounts

  1. Click the WindowsDomain DC1 resource name.
  2. Select the app pool account A1 and click the IIS AppPool button.
  3. In the pop-up form that appears, click Fetch Now under Supported IIS App Pool Accounts.
  4. PAM360 scans the servers and lists all the app pools that run under that app pool account. After reviewing the list, click Ok.

Note: This step only verifies where the app pool account is being used. It is not mandatory.

7. Change Password

  1. Click on the WindowsDomain DC1 resource name.
  2. Click the Account Actions icon against the app pool account A1 and then select Change Password from the drop down.
  3. In the pop-up form that appears, either provide or generate a new password. Make sure to enable Apply password changes to the remote resource.
  4. Click Save. PAM360 immediately resets the password in the domain first and then automatically updates the new password on every server where A1 is used to run app pools.
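At the IIS level, the verification in step 6 and the per-server update in step 7 amount to enumerating the app pools whose identity is the domain account and rewriting their stored credential. The following PowerShell script is an added example, not PAM360 code or part of this page, showing what that looks like on one member server with the WebAdministration module; the account name PAM360DC\A1 comes from this page's use case, and the parameter names are this example's own.

```powershell
# Added example (not PAM360 code): list the IIS app pools on this server that run
# under a given domain account and, optionally, update the stored identity password
# and recycle those pools. Run with administrative rights on each member server
# (Win1..Win4 in this page's use case). Default identity is the page's PAM360DC\A1.
param(
    [string]$Identity = 'PAM360DC\A1',
    [securestring]$NewPassword,   # omit to only list pools (verification, as in step 6)
    [switch]$Recycle              # mirrors the 'Restart IIS AppPools' option of step 5
)
Import-Module WebAdministration -ErrorAction Stop

# Only pools configured with a specific user (not ApplicationPoolIdentity etc.)
# whose user name matches the domain account we are interested in.
$pools = Get-ChildItem IIS:\AppPools | Where-Object {
    $_.processModel.identityType -eq 'SpecificUser' -and
    $_.processModel.userName -ieq $Identity
}

if (-not $pools) {
    Write-Output "No app pools on $env:COMPUTERNAME run as $Identity"
    return
}

foreach ($pool in $pools) {
    Write-Output "$env:COMPUTERNAME : app pool '$($pool.Name)' runs as $Identity (state: $($pool.State))"
    if ($NewPassword) {
        # Decrypt only for the duration of the call; IIS stores the value encrypted
        # in applicationHost.config. The new password must already be set in the domain.
        $plain = [System.Net.NetworkCredential]::new('', $NewPassword).Password
        Set-ItemProperty "IIS:\AppPools\$($pool.Name)" -Name processModel.password -Value $plain
        $plain = $null
        if ($Recycle) { Restart-WebAppPool -Name $pool.Name }
    }
}
```

Running the script without -NewPassword is a read-only check that reproduces, for one server, the list PAM360 builds under Supported IIS App Pool Accounts.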

Additional steps to schedule periodic password resets for IIS App Pool accounts

The steps above are adequate for resetting app pool account passwords on demand at any time. If you would like to configure automatic password resets on a periodic basis, carry out the additional steps given below.

To configure a scheduled password reset for app pool accounts:

  1. First create a resource group consisting of all the desired app pool accounts.
  2. Click the Actions icon against the resource group and select Scheduled password reset from the drop down.
  3. A pop-up form opens with a four-step process through which the required schedule can be created. The steps are explained below:

Step 1: Pre-notification

When passwords are scheduled to be reset at a specific time, notifications can be sent to users beforehand to give them a heads-up on the reset action.

To send notifications,

  1. Select the number of days and/or hours and/or minutes before the reset at which the notification is to be sent.
  2. Specify the recipients of the notification:
     • Users having access to passwords - users who possess any one of the share permissions (read only / read and write / manage) for the password at the time the notification is generated.
     • Other Users/User groups - any other specific user(s) selected from the list.
     • E-mail Ids - a specified list of email aliases or email addresses to be notified.
  3. Click Next.

Step 2: Specify the new password

  1. You can specify the new password(s) to be used for the accounts when the scheduled task runs.
  2. Either allot a randomly generated unique password to each account, based on the password policy set for the group, or allot one new password to all the accounts in accordance with the password policy already specified for the group.
  3. You can also assign the same password to all the accounts, provided that password is changed at every scheduled run.
  4. Select the desired choice and click Next.

Step 3: Specify the reset schedule

The actual schedule for the password reset is specified in this step. The reset can be performed once or recur at periodic intervals.

To specify the reset schedule:

  1. Select from the options Once / Days / Monthly / Never and specify the other details required.
  2. Click Next.

Step 4: Post-reset notification

After the scheduled password reset completes, notifications about the completion can be sent to all users who have access to the passwords.

To send notifications,

  1. Specify the recipients of the notifications:
     • Users having access to passwords - users who possess any one of the share permissions (read only / read and write / manage) for the password at the time the notification is generated.
     • Other Users/User groups - any other specific user(s) selected from the list.
     • E-mail Ids - a specified list of email aliases or email addresses to be notified.
  2. Click Finish.
  3. The required password reset schedule is now created. The settings can be saved as a template for configuring password reset schedules for other resource groups.

Upon completion of these steps, PAM360 will continue to automatically reset the app pool account passwords on a periodic basis.
