Question:

Hi,

I have two web servers: one web server (w2k3Ent) and IIS 6.0 in a workgroup, and one identical web server in the domain. I now want to rename both servers to comply with some policy. Will the IIS functionality be affected because the IUSR accounts will still be left with the old computer names? Can I go ahead and rename them as well?

Any Microsoft links and help are appreciated.

Thanks,

Answer:

Well, if you are merely interested in Microsoft links on the question, then you should just search for them. I punched in "Rename IIS Computer Name site:support.microsoft.com" in my favorite search engine, and it came up with tons of hits. I trust you know how to do this yourself and sort through the noise - it is a necessary skill in this day and age.

By design, Microsoft links for support/troubleshooting assume the user knows nothing, so they optimize towards keyword/pattern matching, which results in resolution steps that tell you HOW to resolve that pattern with little explanation of WHY. If you pattern match incorrectly, the resolution may not apply and may or may not harm you. If you do not follow the instructions correctly, the resolution may not apply and may or may not harm you.

What I am going to talk about are the details behind the scenes of what is going on because I trust that when someone understands the dependencies and what is actually going on, they can figure out how to do the right things themselves or even correctly react to unexpected things since everyone's system is unique.

Give a man a fish, and you feed him that night. Teach a man to fish, and he feeds himself forever.

About the Computer Rename...

IIS itself does not care about the name of the user accounts used for purposes like:

  • Anonymous authentication - no, it does NOT mean that everyone automatically has access. See this blog entry for details.
  • UNC Vdir Access
  • Application Pool Identity
  • COM+ Application Identity

Therefore, IIS definitely functions after renaming the computer. The question is whether all OTHER dependent applications running on or related to IIS are kosher with renaming the computer.

For examples of the hassles, see KB 234142 on renaming an NT4 server running IIS4 (I know, it is not applicable here, but you wanted details, right?)

Or, you may be running bad/broken applications which ASSUME that the username of the IIS anonymous user is based on the machine name (i.e. they assume the anonymous user's name is IUSR_<NewMachineName> instead of reading the value from IIS configuration). These applications will obviously be broken after the computer rename, and you will have to determine how to address that - either fix the application or change the anonymous user's name to match the broken assumption.

Now, if you DECIDE for whatever reason to rename the user accounts used by IIS after renaming the computer (remember, IIS does not need you to do anything), you need to be aware of how Windows user accounts work, because it affects IIS behavior:

  1. If you create a NEW user account for use in IIS (as the anonymous user, for example), its SID will be DIFFERENT than the original anonymous user.
    • Since files are ACL'd by SID and NOT by username, you will have to re-ACL files/directories EVERYWHERE to re-secure against anonymous access.
    • You will also have to change IIS configuration to use the new user name since IIS stores and uses the username and NOT the SID for its user accounts.
  2. If you RENAME the existing user account in Windows to a new name, the SID stays the same, so you do not need to re-ACL anything... but you still need to change IIS configuration to use the new user name.
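To see which of the two cases applies on a given server, the following added example (not part of the original post or of the author's scripts) resolves the configured username to its SID, compares it with a SID noted before the change, and lists the explicit ACEs under a content root that reference that SID. It assumes Windows PowerShell is available on the server; the parameter names and default paths are illustrative.

```powershell
# Added example, not from the original post. Run as Administrator on the IIS server.
# Defaults are assumptions; pass the account and content root used on your system.
param(
    [string]$Account = "IUSR_$env:COMPUTERNAME",
    [string]$Root = "$env:SystemDrive\Inetpub\wwwroot",
    [string]$ExpectedSid = ""   # SID noted before the rename/replace (optional)
)
$sidType = [System.Security.Principal.SecurityIdentifier]

# Resolve the username (the thing IIS configuration stores) to its SID
# (the thing file ACLs store).
try {
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate($sidType).Value
} catch {
    Write-Warning "'$Account' does not resolve to any account on this machine."
    $sid = $null
}
if ($sid) { "$Account -> $sid" }
if ($sid -and $ExpectedSid) {
    if ($sid -eq $ExpectedSid) { "Same SID: the account was renamed, existing ACLs still apply." }
    else { "Different SID: this is a new account, ACEs granted to $ExpectedSid do not apply to it." }
}

# Look for the old SID if one was given, otherwise for the current one.
$target = if ($ExpectedSid) { $ExpectedSid } else { $sid }
if (-not $target) { return }

# Report explicit (non-inherited) ACEs only: inherited ones are fixed at the parent.
$items = @(Get-Item -LiteralPath $Root -Force) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
foreach ($item in $items) {
    try { $acl = $item.GetAccessControl() }
    catch { Write-Warning "Skipped $($item.FullName): $($_.Exception.Message)"; continue }
    foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
        if ($ace.IdentityReference.Value -eq $target) {
            "{0}  {1} {2}" -f $item.FullName, $ace.AccessControlType, $ace.FileSystemRights
        }
    }
}
```

The paths it prints for an old SID are the ones that need new ACEs if the account was replaced rather than renamed.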

Some Helpful Scripts

Now, I do not have a script you can run as Administrator which re-ACLs files from one username to another... and I am not going to tackle that problem here because that is way outside the scope of IIS. Find your favorite batch/scripting support group for a solution to this one.

However, I do have a script named "RenameIISUser.bat" to do the IIS configuration changes from old name to new name. See the end of this blog entry.

For safety purposes, the script only displays what it will do. You can inspect the output to see if it is OK and then copy/paste the commands yourself, or you can remove SET DEBUG=ECHO to have the script take action.

I also have a script called SyncIISUser.bat that allows you to sync user account passwords in IIS configuration, assuming you know the username.

So, if you happen to rename the user account AND change its password, you can first run the script at the end of this blog entry to change the username in IIS configuration, and then run the other script to associate the new password with that username in IIS configuration.

For example, suppose you renamed IUSR_MachineName used for Anonymous Authentication to "New User Name" and also changed its password to "New Password". You would run the following commands, in order, to fix your IIS configuration:

RenameIISUser.bat Anonymous "IUSR_%COMPUTERNAME%" "New User Name"
SyncIISUser.bat Anonymous "New User Name" "New Password"

Enjoy.

//David

@IF ?%_ECHO%?==?? ECHO OFF
SETLOCAL
SET CMD_ADSUTIL=CSCRIPT %SYSTEMDRIVE%\Inetpub\AdminScripts\adsutil.vbs
SET DEBUG=ECHO

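REM All three arguments are required
IF ?%1? EQU ?? GOTO :Help
IF ?%2? EQU ?? GOTO :Help
IF ?%3? EQU ?? GOTO :Help

REM Map the account type to the IIS configuration property holding its username
SET PROPERTY_TO_FIND=
IF /I ?%1? EQU ?Anonymous? SET PROPERTY_TO_FIND=AnonymousUserName
IF /I ?%1? EQU ?WAM?       SET PROPERTY_TO_FIND=WAMUserName
IF /I ?%1? EQU ?UNC?       SET PROPERTY_TO_FIND=UNCUserName
IF NOT DEFINED PROPERTY_TO_FIND GOTO :Help

SET USERNAME_TO_MATCH=%2
SET NEW_PROPERTY_VALUE=%3

REM Find every configuration path that sets the property, read its current
REM value, and where it matches the old username, set it to the new one.
REM With DEBUG=ECHO the SET command is only displayed, not executed.
FOR /F "usebackq skip=1 tokens=*" %%I IN ( `%CMD_ADSUTIL% FIND %PROPERTY_TO_FIND%` ) DO (
    FOR /F "usebackq tokens=3,* delims= " %%J IN ( `%CMD_ADSUTIL% GET "%%I/%PROPERTY_TO_FIND%"` ) DO (
        IF /I ?%USERNAME_TO_MATCH%? EQU ?%%K? (
            %DEBUG% %CMD_ADSUTIL% SET "%%I/%PROPERTY_TO_FIND%" %NEW_PROPERTY_VALUE%
        )
    )
)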

ENDLOCAL

GOTO :EOF



REM
REM Display syntax
REM
:Help
ECHO %~n0 {Anonymous^|WAM^|UNC} "UserName" "New UserName"
ECHO.
ECHO Find all [Anonymous^|WAM^|UNC] user accounts matching "UserName" in
ECHO IIS configuration and change it to "New UserName"
ECHO.