IIS App pool account password reset

Windows domain accounts are commonly used as the identities under which IIS application pools run. Whenever the password of such an account is changed in the domain, the new password also has to be entered individually into every app pool that uses that identity; otherwise those pools fail to start at their next recycle. With each domain account typically running numerous app pools on several servers, making all of these changes by hand is a tedious job for an IT admin.

Password Manager Pro can identify the IIS app pools that run under a specific Windows domain account stored in it. When the password of that domain account is reset from Password Manager Pro, it first resets the password in the domain, then finds the app pools that run under the account and updates the password in those app pool identities automatically.

To add app pool accounts to Password Manager Pro and automate their password resets, carry out the following steps in the GUI:

Summary of steps

  • Step 1: Add domain controller as a resource.
  • Step 2: Add domain admin account and IIS app pool accounts.
  • Step 3: Add domain member servers as new resources and create a resource group.
  • Step 4: Configure remote password reset for the IIS app pool account.
  • Step 5: Associate resource groups with the IIS app pool account.
  • Step 6: Verify supported IIS app pool accounts.
  • Step 7: Change password.

Note: Use-case illustration

For a quicker understanding of the procedure, the following names are used throughout the steps:

  • Domain Controller is DC1.
  • Windows Domain Name is PMPDC.
  • Domain Administrator account is DA1.
  • App pool accounts are A1 and A2 (the steps below follow A1).
  • Domain member servers that run app pools under the account A1 are Win1, Win2, Win3, and Win4.
  • Resource Group is RG1, consisting of Win1, Win2, Win3, and Win4.

Step 1: Add domain controller as a resource.

  • Navigate to "Resources" tab.
  • Click on "Add Resource" button, and select "Add Manually" from the dropdown.
  • In the pop-up form that opens, add the Domain Controller DC1 as a new resource with 'Resource Type' set to Windows Domain.
  • Supply the NetBIOS name, PMPDC, in upper case in the 'Domain Name' field.
  • Fill in the other details such as the DNS name.
  • Click "Save & Proceed".

Step 2: Add domain admin account and IIS app pool accounts.

  • Navigate to "Resources" tab.
  • Click the "Resource Actions" icon against the newly added resource DC1 and select "Add Accounts" from the drop down list.
  • In the pop-up form that opens, add the domain administrator account DA1 and click "Add".
  • Then, continue to add the app pool accounts A1 and A2 in the same way. When you are done, click "Save".

Step 3: Add domain member servers as new resources and create resource group.

Continue adding the other member servers of the domain, Win1, Win2, Win3, and Win4, as new resources in the same way as explained above.

  • Navigate to "Resources" tab.
  • Click "Add Resource" button and add the member servers along with their respective local accounts.
  • Now, go to "Groups" tab, click on "Add Group" button and select 'Dynamic Group' from the drop down.
  • In the pop-up form that opens, name the group RG1, choose 'Match any of the following', and set criteria that select Win1, Win2, Win3 and Win4.
  • Click 'Save'.

Alternate step: Automated discovery of resources and associated accounts

Instead of the manual addition explained in Step 3, you can also discover the required resources and groups in your domain by following the steps given below:

  • Navigate to "Resources" tab.
  • Select 'Discover Resources' given at the top of the resources list.
  • Supply your domain details (PMPDC) on the 'Windows' screen and click 'Fetch Groups and OUs'.
  • From the enumerated list, select the Groups or OUs that you would like to import.
  • Click 'Import'. This fetches your Groups/OUs and lists them under 'Groups'.
  • The member servers in the imported Groups/OUs are also listed individually under 'Resources' along with their respective local accounts.

Step 4: Configure remote password reset for IIS app pool account.

Password Manager Pro uses a domain administrator account to perform the reset in the domain, so this account has to be designated on the domain resource:

  • Navigate to "Resources" tab.
  • Click the "Resource Actions" icon against the WindowsDomain resource DC1 and select "Configure Password Reset" from the drop down.
  • In the pop-up form that appears, select the domain admin account DA1 as the 'Administrator Account'.
  • Click "Save".

Step 5: Associate resource groups with the IIS app pool account.

  • Click on the WindowsDomain resource name DC1.
  • In the UI that opens, click the "Account Actions" icon against the app pool account (A1 in this case) and then select "Edit Account" from the drop down.
  • In the pop-up form that appears, associate the resource group RG1 with this service account by moving it to the selected box. Password Manager Pro only looks for app pools on the servers in the associated groups.
  • Check 'Restart IIS AppPools' if you would like Password Manager Pro to restart the app pools immediately after their passwords are updated. Leave it unchecked if a restart at that moment would interrupt the web application; the pools then pick up the new password when they are next recycled.
  • Click "Save".

Step 6: Verify supported IIS app pool accounts

  • Click the WindowsDomain resource name DC1.
  • Select the app pool account A1 and click the "IIS AppPool" button.
  • In the pop-up form that appears, click "Fetch Now" under "Supported IIS App Pool Accounts".
  • Password Manager Pro scans the servers in the associated resource groups and lists all the app pools that run under the account A1. After reviewing the list, click 'OK'.

Note: This step only verifies where the app pool account is being used; it is not mandatory. It is, however, a useful check that every server on which A1 runs app pools is in RG1 before the password is changed, since a server outside the group keeps the old password.

Step 7: Change password

  • Click on the WindowsDomain resource name DC1.
  • Click the "Account Actions" icon against the app pool account A1 and then select "Change Password" from the drop down.
  • In the pop-up form that appears, either provide or generate a new password. Make sure to enable 'Apply password changes to the remote resource'.
  • Click "Save". Password Manager Pro immediately resets the password in the domain first and then updates the new password across all servers in RG1 where A1 is used to run app pools. Check the result of the operation: any app pool that could not be updated still holds the old password and will fail to start at its next recycle.
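The following PowerShell script is an added example and is not Password Manager Pro's own code; it carries out, on a plain scripting basis, what Steps 5 to 7 describe: list the IIS app pools on the member servers that run as PMPDC\A1 (the verification of Step 6), and after resetting A1 in the domain, write the new password into each of those pools and optionally restart them. The server, domain and account names are the use-case values from this page. Everything else is assumed: the ActiveDirectory RSAT module on the admin host, PowerShell remoting (WinRM) enabled on Win1 to Win4, the WebAdministration module (IIS) present on them, and the script being run as a domain admin such as DA1.

```powershell
<#
  Added example, not Password Manager Pro's code. Reproduces Steps 6 and 7 of the page with
  plain PowerShell. Assumed (not on the page): ActiveDirectory RSAT module on the admin host,
  WinRM enabled on the member servers, WebAdministration module there, run as a domain admin.
#>
#Requires -Modules ActiveDirectory
param(
    [string]   $Domain           = 'PMPDC',
    [string]   $Account          = 'A1',
    [string]   $DomainController = 'DC1',
    [string[]] $Servers          = @('Win1', 'Win2', 'Win3', 'Win4'),   # members of RG1
    [switch]   $RestartAppPools,   # same meaning as 'Restart IIS AppPools' in Step 5
    [switch]   $VerifyOnly         # Step 6: report where the account is used, change nothing
)

$qualifiedName = "$Domain\$Account"

# Runs on every member server: finds pools whose identity is the given account and,
# unless reporting only, writes the new password into the pool's processModel.
$remote = {
    param([string]$QualifiedName, [securestring]$NewPassword, [bool]$Restart, [bool]$ReportOnly)
    Import-Module WebAdministration -ErrorAction Stop

    $pools = Get-ChildItem IIS:\AppPools | Where-Object {
        "$($_.processModel.identityType)" -eq 'SpecificUser' -and
        $_.processModel.userName -ieq $QualifiedName
    }

    foreach ($pool in $pools) {
        $row = [pscustomobject]@{
            Server  = $env:COMPUTERNAME
            AppPool = $pool.Name
            State   = "$($pool.State)"
            Updated = $false
        }
        if (-not $ReportOnly) {
            # IIS keeps the identity password encrypted in applicationHost.config; the
            # provider needs it in clear text for the write, so decode it only here.
            $plain = [System.Net.NetworkCredential]::new('', $NewPassword).Password
            Set-ItemProperty "IIS:\AppPools\$($pool.Name)" -Name processModel -Value @{
                identityType = 'SpecificUser'
                userName     = $QualifiedName
                password     = $plain
            }
            $plain = $null
            if ($Restart) { Restart-WebAppPool -Name $pool.Name }
            $row.Updated = $true
        }
        $row
    }
}

if ($VerifyOnly) {
    $new = $null
} else {
    $new = Read-Host -Prompt "New password for $qualifiedName" -AsSecureString
    # Same order as the page: reset in the domain first, then update the pools. If the
    # member servers authenticate against another DC, allow for AD replication before
    # the pools are recycled.
    Set-ADAccountPassword -Identity $Account -NewPassword $new -Reset -Server $DomainController
}

# One unreachable server must not abort the rest: remoting errors are non-terminating per computer.
$results = Invoke-Command -ComputerName $Servers -ScriptBlock $remote `
    -ArgumentList $qualifiedName, $new, $RestartAppPools.IsPresent, $VerifyOnly.IsPresent `
    -ErrorAction Continue -ErrorVariable remoteErrors

$results | Format-Table Server, AppPool, State, Updated -AutoSize

# A server that failed still has pools holding the old password; they will fail to start
# at their next recycle, and repeated failed logons can lock the account out.
foreach ($e in $remoteErrors) {
    Write-Warning ("{0}: {1} (re-run for this server)" -f $e.TargetObject, $e.Exception.Message)
}
```

Run it once with `-VerifyOnly` to get the same picture as the "Fetch Now" list in Step 6, and compare it with the membership of RG1; a server that runs pools as A1 but is missing from the list is exactly the one that would be left with the old password. The password crosses the network only inside the encrypted remoting session and is never written to disk by the script; on the servers it ends up where IIS always keeps it, encrypted in applicationHost.config.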

Additional steps to schedule periodic password resets for IIS App Pool accounts

The steps above are adequate to carry out password resets for app pool accounts on demand. If you would like passwords to be reset automatically on a periodic basis, carry out the additional steps given below:

To configure scheduled password reset for app pool accounts,

  • A resource group consisting of all the desired app pool accounts has to be created first.
  • Click the "Actions" icon against that resource group and select "Scheduled Password Reset" from the drop down.
  • A pop-up form opens with a four step process through which the required schedule can be created. The steps are explained below:

Step 1: Pre-notification

When passwords are scheduled to be reset at a specific time, notifications can be sent to users beforehand, giving them a heads-up on the reset.

To send notifications,

  • Select the number of days and/or hours and/or minutes before the reset at which the notification is to be sent.
  • You can also specify the recipients of the notification from the following:
  • Users having access to passwords - users who possess any one of the share permissions (read only / read and write / manage) for the password at the time the notification is generated.
  • Other Users/User groups - any other specific user(s) or user group(s) selected from the list.
  • E-mail Ids - a specified list of email aliases or email addresses.
  • Click "Next".

Step 2: Specify the new password

  • You can choose how the new password(s) applied to the accounts during the scheduled run are determined.
  • Either let Password Manager Pro generate a random, unique password for each account in accordance with the password policy set for the group, or assign one new password to all the accounts in the group, again in accordance with the group's password policy.
  • If the same password is assigned to all the accounts, it is still changed at every scheduled run.
  • Select the desired choice and click "Next".

Step 3: Specify the reset schedule

The actual schedule for the password reset is specified in this step. The reset can be performed once or recur at periodic intervals.

To specify the reset schedule,

  • Select from the options Once / Days / Monthly / Never and fill in the other details required.
  • Click "Next".

Step 4: Post-reset notification

After a scheduled password reset completes, notifications about the completion can be sent to all those who have access to the passwords.

To send notifications,

  • Specify the recipients of the notification from the following:
  • Users having access to passwords - users who possess any one of the share permissions (read only / read and write / manage) for the password at the time the notification is generated.
  • Other Users/User groups - any other specific user(s) or user group(s) selected from the list.
  • E-mail Ids - a specified list of email aliases or email addresses.
  • Click "Finish".
  • The password reset schedule is now created. The settings can be saved as a template for configuring password reset schedules for other resource groups.

Upon completion of these steps, Password Manager Pro resets the app pool account passwords automatically on the configured schedule, updating the app pool identities on the associated servers after each reset.

©2014, ZOHO Corp. All Rights Reserved.