IIS App pool account password reset

Normally, Windows domain accounts are used as identities to run IIS app pools. Whenever the password of a domain account is changed in the domain controller, the new password has to be updated individually in all associated app pools for web applications to run without any hindrances. With each domain account used to run numerous app pools, manually effecting all password changes is a tedious job for an IT admin.

Password Manager Pro can identify the IIS app pools that run under a specific Windows domain account stored in Password Manager Pro. When the password of such a domain account is reset through Password Manager Pro, it finds the app pools that run under that account and, once the domain password has been reset, automatically updates the app pool identities with the new password.

To add app pool accounts to Password Manager Pro and to achieve automated password resets, carry out the following steps in the GUI:

Summary of steps

  • Step 1: Add domain controller as a resource.
  • Step 2: Add domain admin account and IIS app pool accounts.
  • Step 3: Add domain member servers as new resources and create resource group.
  • Step 4: Configure remote password reset for IIS app pool account.
  • Step 5: Associate resource groups for the IIS app pool account.
  • Step 6: Verify supported IIS app pool accounts.
  • Step 7: Change password.

Note: Use-case illustration

For a quicker understanding of the procedure, the following references have been used in the steps:

  • Domain Controller is DC1.
  • Windows Domain Name is PMPDC.
  • Domain Administrator account is DA1.
  • App pool accounts are A1 and A2.
  • Domain member servers that make use of the app pool account A1 are Win1, Win2, Win3, and Win4.
  • Resource group is RG1, consisting of Win1, Win2, Win3, and Win4.

Step 1: Add domain controller as a resource.

Go to 'Resources' and click on 'Add Resource'. Add the Domain Controller - DC1, as a new resource with 'Resource Type' as Windows Domain. Supply the NETBIOS name - PMPDC, in upper case in the 'Domain Name' field. Fill in other details such as DNS. Hit 'Next'.

Step 2: Add domain admin account and IIS app pool accounts.

Add the domain administrator account - DA1, under this newly created resource and click 'Add'. Then, continue to add the app pool accounts - A1, A2, in the same way. When you are done, hit 'Finish'.

Step 3: Add domain member servers as new resources and create resource group.

Continue adding the other member servers of the domain - Win1, Win2, Win3, and Win4 as new resources in the same way as explained above. Go to Resources --> Add Resources and add the member servers along with their respective local accounts.

Now, go to 'Resource Groups' and click on 'Add Group'. Name the group as 'RG1' and under 'Group resources by', choose 'Picking individually'. Select Win1, Win2, Win3, and Win4 and hit 'Save'.


Alternate step: Automated discovery of resources and associated accounts

Instead of the manual addition explained in Step 3, you can discover the required resources and groups in your domain by following the steps given below:

Select 'Discover Resources'. Supply your domain details (PMPDC) in the 'Windows Discovery' screen and click 'Fetch Groups & OUs'.

From the enumerated list, select the Groups or OUs that you would like to import. Hit 'Import'. This will fetch your Groups/OUs and list them under 'Resource Groups', in this case - RG1.

The member servers (Win1, Win2, Win3, Win4) in the imported Groups/OUs will also be listed individually under 'Resources' along with their respective local accounts.

Step 4: Configure remote password reset for IIS app pool account.

Now, locate the Windows Domain (DC1) resource under the 'Resources' tab and click on the 'Edit Resource' icon next to it. In the edit screen, enable the 'Supply credentials for remote synchronization' option at the bottom and select the Domain Admin (DA1) account as the 'Administrator Account'. Hit 'Save'.

Step 5: Associate resource groups for the IIS app pool account.

Once again, locate your Windows Domain (DC1) resource and click on the resource name. The associated domain admin (DA1) and app pool (A1, A2) accounts will be listed. Now, click on the 'Edit User Account' icon next to the app pool account for which password has to be reset, A1 in this case. In the edit screen, select RG1 from the resource groups list and move it to the other box. Check 'Restart IIS AppPools' if you would like Password Manager Pro to restart the app pools immediately after their passwords are updated. Hit 'Save'.

Step 6: Verify supported IIS app pool accounts.

Next, select the checkbox beside the app pool account (A1) and click on 'IIS AppPool' given above. In the new screen, hit 'Fetch Now' under 'Supported IIS AppPool Accounts'. Password Manager Pro will scan RG1 and list all the app pools that are run in the servers with the respective app pool account - A1. After reviewing the list, hit 'OK'.

Note: This step is only for verification, to check where the app pool account is being used. It is not mandatory.
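The same check can be made independently of the product before a reset. The PowerShell below is an added example, not part of Password Manager Pro; it assumes PowerShell remoting is enabled on the member servers and that the IIS WebAdministration module is installed on them, and the function name Get-AppPoolsByIdentity is hypothetical. It lists every app pool on Win1 to Win4 whose identity is the account A1 and warns about any server that returned no result, since an unscanned server may still hold the old password after the reset.

```powershell
# Added example (not Password Manager Pro code). Server and account names
# are the ones from the use-case illustration on this page.
function Get-AppPoolsByIdentity {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string]   $Account   # e.g. 'PMPDC\A1'
    )

    $found = Invoke-Command -ComputerName $ComputerName -ArgumentList $Account `
        -ErrorAction SilentlyContinue -ErrorVariable remoteErrors -ScriptBlock {
            param($Account)
            Import-Module WebAdministration -ErrorAction Stop

            # Reduce 'DOMAIN\user' or 'user@domain' to the bare user name so
            # both stored forms match. A local account with the same name
            # would match too; the Identity column shows the stored form.
            $bare   = { param($n) (($n -split '\\')[-1] -split '@')[0] }
            $wanted = & $bare $Account

            Get-ChildItem IIS:\AppPools | ForEach-Object {
                $pm = $_.processModel
                # Only pools with a custom identity store a password that
                # has to change when the domain password changes.
                if ($pm.identityType -eq 'SpecificUser' -and
                    (& $bare $pm.userName) -eq $wanted) {
                    [pscustomobject]@{
                        AppPool  = $_.Name
                        State    = $_.State
                        Identity = $pm.userName
                    }
                }
            }
        }

    # A server that could not be scanned is a gap in the inventory.
    foreach ($e in $remoteErrors) {
        Write-Warning "Incomplete scan: $e"
    }
    $found | Select-Object PSComputerName, AppPool, State, Identity
}

Get-AppPoolsByIdentity -ComputerName Win1, Win2, Win3, Win4 -Account 'PMPDC\A1' |
    Sort-Object PSComputerName, AppPool | Format-Table -AutoSize
```

Comparing this output with the list returned by 'Fetch Now' shows whether any server that uses A1 is missing from RG1.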

Step 7: Change password.

For the final step, click on the 'Change Password' icon next to A1. In the 'Change Password' screen, either provide or generate a new password. Make sure to enable 'Apply password changes to the remote resource' and hit 'Save'. Password Manager Pro will immediately reset the password in the domain first and then automatically update the new password across all servers where A1 is used to run app pools.

Additional steps to schedule periodic password resets for IIS app pool accounts.

The aforementioned steps are adequate to carry out password resets for app pool accounts anytime on demand. If you would like to configure automatic password resets on a periodic basis, execute the additional step given below:

To configure scheduled password resets for app pool accounts, first create a resource group consisting of all desired app pool accounts, in this case A1 and A2 (see the product help for steps on how to create a criteria-based resource group). Then select the 'Scheduled Password Reset' icon next to the resource group. Configure email notifications and the password to use. Hit 'Next'.

Now, under 'Step 3 - Reset Schedule', you can set the required interval for password reset in terms of days, weeks, or months. Hit 'Next' and set up post-reset notifications. Hit 'Finish'.

Upon completion of these steps, Password Manager Pro will continue to automatically reset the app pool account passwords on a periodic basis.

Copyright ©2016, ZOHO (Beijing) Technology Co., Ltd. All rights reserved.
