IIS: Retrieve Application Pool Identity Credentials

The Issue

Recently one of our clients found themselves in a situation where they no longer knew the password for an AD account that was being used to run their SharePoint site.

Normally this would not cause an issue. One would simply change the password in AD and then update the application pool identity. With SharePoint this can cause some unwanted issues (especially if you are not 100% familiar with your SP installation).

So the question was “How do we fix this?”

The Solution

The saving grace here is that the application pool still held valid login credentials for the account and, believe it or not, these credentials are not encrypted. Well, I say not encrypted: they are held in a metadata file that you probably wouldn’t want to chew through unless you had to.

So how do we get these details back out? Well, the job is extremely easy. All that is needed is an account that can log on to the server running the IIS service and that has sufficient permissions to run a Command Prompt as an administrator.

Once you have your Command Prompt open, simply navigate to the IIS folder

and then, using the appcmd application, export the application pool setting to the command prompt.

Note: You will need to replace the ‘MyApplicationPool’ with the name of the application pool as it appears in IIS.

Once the export has run you will be presented with a whole load of information about the application pool’s settings including the identity type and credentials.

But hold on. What’s that noise I hear in the background? Yep, that sounds like security alarms going off! When I first came across this little trick, the first thing that entered my head was the gaping hole in security. Thankfully, if you follow best practice, the accounts that you use for your application pools will only have access to the stuff that they need (and certainly won’t be members of the Domain Admins group).
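One way to carry out that check, as an added example that is not part of the original post: the PowerShell below lists every application pool that runs as a custom account and flags any account that is a direct or nested member of a privileged AD group. The function name `Get-AppPoolIdentityAudit` and the contents of `$PrivilegedGroups` are assumptions made for illustration, and the script assumes an elevated session on the IIS server with the WebAdministration and ActiveDirectory modules available.

```powershell
# Added example (not from the original post). Run elevated on the IIS server.
# Assumes the WebAdministration and ActiveDirectory (RSAT) modules are installed.
Import-Module WebAdministration
Import-Module ActiveDirectory

# Illustrative list of groups an app pool account should never be in; extend as needed.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# Hypothetical helper name: reports every pool that runs as a custom account.
function Get-AppPoolIdentityAudit {
    foreach ($pool in Get-ChildItem IIS:\AppPools) {
        $pm = $pool.processModel
        # Only SpecificUser pools keep an account password in the IIS configuration.
        if ($pm.identityType -ne 'SpecificUser') { continue }

        # Reduce DOMAIN\user or user@domain to the sAMAccountName.
        $sam = ($pm.userName -split '\\')[-1] -replace '@.*$', ''
        $user = $null
        try { $user = Get-ADUser -Identity $sam -Properties PasswordLastSet -ErrorAction Stop }
        catch { }   # local account or not found in AD: reported as unresolved below

        $flagged = @()
        if ($user) {
            # Escape LDAP filter metacharacters, then use the in-chain matching rule
            # so that nested group membership is included.
            $dn = $user.DistinguishedName -replace '\\', '\5c' -replace '\*', '\2a' `
                -replace '\(', '\28' -replace '\)', '\29'
            $flagged = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
                Where-Object { $PrivilegedGroups -contains $_.Name } |
                Select-Object -ExpandProperty Name)
        }

        [pscustomobject]@{
            AppPool          = $pool.Name
            Account          = $pm.userName
            ResolvedInAD     = [bool]$user
            PasswordLastSet  = if ($user) { $user.PasswordLastSet } else { $null }
            PrivilegedGroups = $flagged -join ', '
        }
    }
}

Get-AppPoolIdentityAudit | Sort-Object PrivilegedGroups -Descending | Format-Table -AutoSize
```

Any row with a non-empty `PrivilegedGroups` column is an account whose stored password gives a local administrator on the web server far more than the site needs.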

And with that I will leave most of you to bookmark and share this post, and the rest of you to wipe that look of panic off your face and jump on to your AD server to check those account access rights. I hope this tutorial is helpful and, as usual, constructive criticism and suggestions are welcome.
