IIS App pool account password reset
Normally, Windows domain accounts are used as identities to run IIS app pools. Whenever the password of a domain account is changed in the domain controller, the new password has to be updated individually in all associated app pools for web applications to run without any hindrances. With each domain account used to run numerous app pools, manually effecting all password changes is a tedious job for an IT admin.
Password Manager Pro can identify the IIS app pools that run under a specific Windows domain account stored in Password Manager Pro. When the password of such a domain account is reset through Password Manager Pro, it finds the app pools that run under that account and automatically updates their app pool identities with the new password.
To add app pool accounts to Password Manager Pro and to achieve automated password resets, carry out the following steps in the GUI:
Summary of steps
- Step 1: Add domain controller as a resource.
- Step 2: Add domain member servers as new resources and create resource group.
- Step 3: Add domain account used to run IIS AppPool.
- Step 4: Configure remote password reset for IIS app pool account.
- Step 5: Associate resource groups for the IIS app pool account.
- Step 6: Verify supported IIS app pool accounts.
- Step 7: Change password.
Note: Use-case illustration
For a quicker understanding of the procedure, the steps use the following example names:
- Domain Controller is DC1.
- Windows Domain Name is PMPDC.
- Domain Administrator account is DA1.
- App pool accounts are A1 and A2.
- Domain member servers that make use of the app pool account A1 are Win1, Win2, Win3, and Win4.
- Resource Group is RG1, consisting of Win1, Win2, Win3, and Win4.
Step 1: Add domain controller as a resource.
Go to 'Resources' and click on 'Add Resource'. Add the Domain Controller - DC1, as a new resource with 'Resource Type' as Windows Domain. Supply the NETBIOS name - PMPDC, in upper case in the 'Domain Name' field. Fill in other details such as DNS. Hit 'Next'.
Step 2: Add domain admin account and IIS app pool accounts.
Add the domain administrator account - DA1, under this newly created resource and click 'Add'. Then, continue to add the app pool accounts - A1, A2, in the same way. When you are done, hit 'Finish'.
Step 3: Add domain member servers as new resources and create resource group.
Continue adding the other member servers of the domain - Win1, Win2, Win3, and Win4 as new resources in the same way as explained above. Go to Resources --> Add Resources and add the member servers along with their respective local accounts.
Now, go to 'Resource Groups' and click on 'Add Group'. Name the group as 'RG1' and under 'Group resources by', choose 'Picking individually'. Select Win1, Win2, Win3, and Win4 and hit 'Save'.
Alternate step: Automated discovery of resources and associated accounts
Instead of the manual addition explained in Step 3, you can also discover the required resources and groups in your domain by following the steps given below:
Select 'Discover Resources'. Supply your domain details (PMPDC) in the 'Windows Discovery' screen and click 'Fetch Groups & OUs'.
From the enumerated list, select the Groups or OUs that you would like to import. Hit 'Import'. This will fetch your Groups/OUs and list them under 'Resource Groups', in this case - RG1.
The member servers (Win1, Win2, Win3, Win4) in the imported Groups/OUs will also be listed individually under 'Resources' along with their respective local accounts.
Step 4: Configure remote password reset for IIS app pool account.
Now, locate the Windows Domain (DC1) resource under the 'Resources' tab and click on the 'Edit Resource' icon
Step 5: Associate resource groups for the IIS app pool account.
Once again, locate your Windows Domain (DC1) resource and click on the resource name. The associated domain admin (DA1) and app pool (A1, A2) accounts will be listed. Now, click on the 'Edit User Account' icon
Step 6: Verify supported IIS app pool accounts.
Next, select the checkbox beside the app pool account (A1) and click on 'IIS AppPool' given above. In the new screen, hit 'Fetch Now' under 'Supported IIS AppPool Accounts'. Password Manager Pro will scan RG1 and list all the app pools that are run in the servers with the respective app pool account - A1. After reviewing the list, hit 'OK'.
Note: This step is only for verification, to check where the app pool account is being used. It is not mandatory.
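To cross-check the list that 'Fetch Now' returns, the app pool identities can also be read directly from the member servers. The script below is an added example, not part of Password Manager Pro or its documentation; it uses the names from the use-case illustration and assumes that PowerShell remoting is enabled on Win1 to Win4 and that the WebAdministration module is installed there.

```powershell
# Added example: inventory of IIS app pools that run under a given domain account.
# Assumptions: server, domain and account names are taken from the use-case
# illustration; PowerShell remoting (WinRM) is enabled and the WebAdministration
# module is installed on every member server.
$Servers = 'Win1', 'Win2', 'Win3', 'Win4'   # members of resource group RG1
$Account = 'PMPDC\A1'                        # app pool identity to look for

$result = Invoke-Command -ComputerName $Servers -ArgumentList $Account `
    -ErrorAction SilentlyContinue -ErrorVariable failed -ScriptBlock {
        param($Account)
        Import-Module WebAdministration

        # Only pools configured with a custom identity (SpecificUser) carry a
        # stored user name and password; built-in identities are skipped.
        # The comparison is case-insensitive. If a pool was configured with the
        # UPN form of the account, add that form to the filter.
        Get-ChildItem IIS:\AppPools |
            Where-Object {
                $_.processModel.identityType -eq 'SpecificUser' -and
                $_.processModel.userName -eq $Account
            } |
            ForEach-Object {
                [pscustomobject]@{
                    AppPool  = $_.Name
                    Identity = $_.processModel.userName
                    State    = $_.State
                }
            }
    }

# PSComputerName is added by remoting and shows which server each row came from.
$result |
    Sort-Object PSComputerName, AppPool |
    Format-Table PSComputerName, AppPool, Identity, State -AutoSize

# Report servers that could not be queried, so that a missing row is not
# mistaken for "no app pool on this server uses the account".
foreach ($e in $failed) {
    Write-Warning "Query failed: $e"
}
```

Running it again after the password change in Step 7 shows whether each listed pool is still in the Started state; the script reads only the configured user name and never the stored password.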
Step 7: Change password.
For the final step, click on the 'Change Password' icon
Additional steps to schedule periodic password resets for IIS app pool accounts.
The aforementioned steps are adequate to carry out password resets for app pool accounts anytime on demand. If you would like to configure automatic password resets on a periodic basis, execute the additional step given below:
To configure scheduled password resets for app pool accounts, first create a resource group consisting of all desired app pool accounts, in this case A1 and A2. Refer here for steps on how to create a criteria-based resource group. After that, select the 'Scheduled Password Reset' icon
Now, under 'Step 3 - Reset Schedule', you can set the required interval for password reset in terms of days, weeks, or months. Hit 'Next' and set up post-reset notifications. Hit 'Finish'.
Upon completion of these steps, Password Manager Pro will continue to automatically reset the app pool account passwords on a periodic basis.