IIS App Pool Account Password Reset

Windows Domain accounts are used as identities to run IIS App Pools. Whenever the password of a domain account is changed in the domain controller, the new password has to be updated individually in all associated App Pools for web applications to run without any hindrance. With each domain account running numerous App Pools, changing all the passwords manually becomes tedious.

Password Manager Pro identifies the IIS App Pools that are run using a specific Windows domain account stored in the Password Manager Pro vault. While resetting the password of the domain accounts, Password Manager Pro will find out the IIS App Pools that run using that particular domain account and will automatically update the password change in the IIS App Pool identities too, immediately after the domain account password is reset.

(Applicable from build 10404 onwards)
Prerequisite:

Password Manager Pro identifies IIS App Pools that run using Windows Domain accounts by initiating a remote connection to the Windows Domain resources. To allow Password Manager Pro to do that, complete the below steps:

1. Download the .zip folder from this link and extract the remcom.exe file from the .zip folder.
2. Copy and paste the remcom.exe file into the <PMP Installation Folder>/bin directory.

Steps Required

To add IIS App Pool accounts to Password Manager Pro and to achieve automated password resets, carry out the following steps:

  1. Adding a Domain Controller as a Resource
  2. Adding a Domain Admin Account and IIS App Pool Accounts
  3. Creating a Resource Group
  4. Configuring Remote Password Reset for IIS App Pool Account
  5. Associating Resource Groups to the IIS App Pool Account
  6. Verifying Supported IIS App Pool Accounts
  7. Changing the App Pool Account Password

    7.1 Scheduling Periodic Password Resets for IIS App Pool Accounts

Notes:

For a quicker understanding of the procedure, the following references are used in the steps:

  1. Domain Controller is DC1.
  2. Windows Domain Name is PMPDC.
  3. Domain Administrator account is DA1.
  4. App pool accounts are A1 and A2.
  5. Domain member servers that make use of the App Pool account A1 are Win1, Win2, Win3, and Win4.
  6. Resource Group is RG1, consisting of Win1, Win2, Win3, and Win4.

1. Adding a Domain Controller as a Resource

  1. Navigate to the Resources tab.
  2. Click Add Resource and select Add Manually from the drop down.
  3. In the Add Resource window, add the Domain Controller DC1 as a new resource and choose the Resource Type as Windows Domain.
  4. Supply the Domain Name as PMPDC in upper case.
  5. Fill in the other details such as DNS, Description etc.
  6. Click Save & Proceed. All the attributes entered for the new resource will be saved and you will be taken to the Add Accounts window.

2. Adding a Domain Admin Account and IIS App Pool Accounts

  1. In the Add Accounts window, enter a User Account name, password and confirm the password. Choose a password policy for the account from the Password Policy drop down.
  2. Click Add. The previously added account will be saved. Now, you can continue adding more App Pool accounts A1 and A2 in the same window.
  3. Once you are done, click Save. All the accounts will be added to the newly created Windows Domain resource DC1.

Using the above procedure, add more member servers of the domain such as Win1, Win2, Win3, and Win4 as new resources in Password Manager Pro and add their respective local accounts.

3. Creating a Resource Group

After adding all member servers as resources and their respective local accounts, follow the below steps to create a resource group:

  1. Navigate to the Groups tab, click Add group and select Dynamic Group from the drop down.
  2. In the Add Dynamic Groups window, enter the Group Name as RG1 and choose Match any of the following. Select the resources Win1, Win2, Win3 and Win4.
  3. Click Save. Dynamic Group RG1 will be created with the selected criteria. Now, whenever a resource matching these criteria is added to Password Manager Pro, it will automatically be added to this dynamic resource group.

Instead of the manual addition explained in Step 3, you can also discover the required resources and groups in your domain by following the steps given below:

  1. Navigate to the Resources tab.
  2. Click Discover Resources from the top menu bar.
  3. Supply your domain details (PMPDC) and click Fetch Groups and OUs.
  4. From the enumerated list, select the Groups or OUs that you would like to import.
  5. Click Import. This action will fetch your Groups/OUs and list them under Groups automatically.
  6. The member servers in the imported Groups/OUs will also be listed individually under Resources along with their respective local accounts.

4. Configuring Remote Password Reset for the IIS App Pool Account

Follow the below steps to configure remote password reset for the IIS App Pool account:

  1. Navigate to the Resources tab.
  2. Click the Resource Actions icon beside the Windows Domain resource DC1 and choose Configure password reset from the drop down.
  3. In the pop-up form that appears, select the Domain Admin (DC1) account as the Administrator Account.
  4. Click Save. Remote password reset is configured and Password Manager Pro will carry out the password reset using the administrator account that was selected in the previous step.

5. Associating Resource Groups to the IIS App Pool Account

  1. Click the name of Windows Domain resource DC1. The Account Details window will open up.
  2. Click the Account Actions icon against the App Pool account (M1 in this case) and then choose Edit Account from the drop down.
  3. In the Edit Account window, associate resource groups for this service account by moving it to the other box.
  4. Check Restart beside IIS AppPools if you would like Password Manager Pro to restart the App Pools immediately after their passwords are updated.
  5. Click Save to save your settings.

6. Verifying Supported IIS App Pool Accounts

  1. Click the name of Windows Domain resource DC1. The Account Details window will open up.
  2. Select the App Pool account M1 and click IIS AppPool.
  3. In the pop-up form that appears, click Fetch Now under Supported IIS App Pool Accounts.
  4. Password Manager Pro will scan and list all the App Pools that are run in the servers with the respective App Pool account. After reviewing the list, click OK.

Note: This step is not mandatory; it only verifies where the App Pool account is being used.
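
The same inventory can be cross-checked independently of Password Manager Pro. The script below is an added example, not part of the product or its documentation. It assumes PowerShell remoting is enabled on the member servers, that the WebAdministration module is installed on each of them, and it uses the server names and the account PMPDC\A1 from the Notes section as sample values.

```powershell
# Added example: list IIS App Pools that run under a given domain account.
# Assumptions: WinRM remoting is enabled and the WebAdministration module
# (installed with the IIS management tools) is present on every target server.
$Servers  = 'Win1', 'Win2', 'Win3', 'Win4'   # member servers from the Notes section
$Identity = 'PMPDC\A1'                        # DOMAIN\account to look for

$results = Invoke-Command -ComputerName $Servers -ArgumentList $Identity -ScriptBlock {
    param($Identity)
    Import-Module WebAdministration -ErrorAction Stop

    # The identity may be stored as DOMAIN\user or as user@domain (UPN form).
    $short = ($Identity -split '\\')[-1]

    Get-ChildItem IIS:\AppPools | ForEach-Object {
        $pm = $_.processModel
        # Built-in identities (ApplicationPoolIdentity, NetworkService, ...) have
        # no stored password, so only SpecificUser pools are affected by a reset.
        if ($pm.identityType -eq 'SpecificUser' -and
            ($pm.userName -ieq $Identity -or $pm.userName -ilike "$short@*")) {
            [pscustomobject]@{
                AppPool  = $_.Name
                UserName = $pm.userName
                State    = $_.State
            }
        }
    }
} -ErrorAction SilentlyContinue -ErrorVariable remoteErrors

# PSComputerName is added by Invoke-Command to every object returned from a remote host.
$results |
    Sort-Object PSComputerName, AppPool |
    Format-Table PSComputerName, AppPool, UserName, State -AutoSize

# A server that could not be queried is unchecked, not clean: report it explicitly.
foreach ($e in $remoteErrors) {
    Write-Warning "Not checked: $($e.Exception.Message)"
}
```

Run it before a reset to compare against the list shown by Fetch Now, and again after a reset to confirm that the listed pools are still in the Started state.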

7. Changing the App Pool Account Password

  1. Click the name of Windows Domain resource DC1. The Account Details window will open up.
  2. Click the Account Actions icon beside the App Pool account M1 and select Change Password from the drop down.
  3. In the Change Password window, either provide or generate a new password. Enable the Apply password changes to the remote resource option.
  4. Click Save. Password Manager Pro will immediately reset the password in the domain first and then, automatically update the new password across all servers where the App Pool account M1 is used to run App Pools.

7.1 Scheduling Periodic Password Resets for IIS App Pool Accounts

The aforementioned steps are adequate to carry out password resets for App Pool accounts any time on demand. If you would like to configure automatic password resets on a periodic basis, execute the additional steps given below:

  1. Create a resource group with all the required App Pool accounts using the steps provided here.
  2. Click Actions beside the resource group and choose Periodic Password Reset from the drop down.
  3. In the Periodic Password Reset window, follow the procedure explained in this document and set up a schedule based on your requirement.

Once the schedule for periodic password reset is set, Password Manager Pro will continue to automatically reset the App Pool account passwords as per the schedule.
