Microsoft KB Archive/184566

= HOWTO: Set Up Duplicate Anonymous Accounts on Separate Servers =

PSS ID Number: 184566

Article Last Modified on 8/22/2001


The information in this article applies to:


 * Microsoft Visual InterDev 1.0
 * Microsoft Visual InterDev 6.0




This article was previously published under Q184566



SUMMARY
Active Server Pages (ASP) pages are often run under the security context of the Internet Guest Account (or, by default, the IUSR_ account). Within these ASP pages, when you reference files or databases on a computer other than the Web server, you must often duplicate this user (the Anonymous user account) on the remote computer. This is because, by default, the Internet Guest Account is a local computer account on the Web server and is not recognized by any other computer on the network. If you duplicate the Internet Guest Account on another computer, you can enable that remote computer to authenticate the account and allow access to resources on that computer.

This article is divided into the following sections:


 * Obtain the Anonymous Account User Name and Password from the Web Server
 * Create the Duplicate Account on the Remote Computer
 * Grant New Anonymous Account "Log on Locally" Rights



MORE INFORMATION
Use the following steps to set up a duplicate Anonymous account on the remote computer that is running Microsoft Windows NT or Microsoft Windows 2000:

Obtain the Anonymous Account User Name and Password from the Web Server
Before you can create a duplicate Anonymous account on a remote computer, you must first know the user name and password for the Anonymous account on the Web server. The user name and password for the new Anonymous account on the remote computer must match the one for the Anonymous account on the Web server.

In Windows NT 4.0

 * 1) At a command prompt, browse to the following folder:

:\WINNT\System32\Inetsrv\Adminsamples\

 * 2) At a command prompt, type the following command to obtain the Anonymous account user name for this Web site:

cscript adsutil.vbs get w3svc/anonymoususername

 * 3) At a command prompt, type the following command to obtain the password for the Anonymous account:

cscript adsutil.vbs get w3svc/anonymoususerpass



In Windows 2000
By default, the Adsutil.vbs file in Windows 2000 masks the Anonymous user password with asterisks. To obtain the password for the Anonymous account, first perform the following steps to modify the Adsutil.vbs file so that it displays the unmasked password:

 * 1) In Notepad, open the Adsutil.vbs file (by default, this is located in the :\Inetpub\AdminScripts\ folder).
 * 2) With Adsutil.vbs open in Notepad, on the Edit menu, click Find, type the following string, and then click Find Next:

IsSecureProperty = True

 * 3) Change this string as follows:

IsSecureProperty = False

 * 4) Save the changes to Adsutil.vbs, and then close Notepad.

After you modify the Adsutil.vbs file, perform the following steps to obtain the Anonymous user name and password:

 * 1) At a command prompt, browse to the following folder:

C:\Inetpub\AdminScripts\

 * 2) At a command prompt, type the following command to obtain the Anonymous account user name for this Web site:

cscript adsutil.vbs get w3svc/anonymoususername

 * 3) At a command prompt, type the following command to obtain the password for the Anonymous account:

cscript adsutil.vbs get w3svc/anonymoususerpass
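A check for whether a copy of Adsutil.vbs still carries the edit described above, as an added example that is not part of the original article or of Microsoft's script. It treats the file as unmodified while an active `IsSecureProperty = True` assignment remains; the function names and the sample fragments are constructed for illustration.

```python
import re
import sys

# Matches "IsSecureProperty = True/False"; VBScript identifiers are case-insensitive.
ASSIGN = re.compile(r"\bIsSecureProperty\s*=\s*(True|False)\b", re.IGNORECASE)


def strip_vbs_comment(line):
    """Drop a trailing ' comment, ignoring apostrophes inside "string literals"."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line


def secure_property_assignments(script_text):
    """Return [(line_number, assigned_value)] for every active assignment."""
    found = []
    for number, line in enumerate(script_text.splitlines(), start=1):
        code = strip_vbs_comment(line)
        if code.lstrip().lower().startswith("rem "):
            continue  # Rem is VBScript's other comment form
        for match in ASSIGN.finditer(code):
            found.append((number, match.group(1).lower() == "true"))
    return found


def masking_intact(script_text):
    """True while the string the article searches for is still present as code,
    i.e. it has not been changed to False."""
    return any(value for _, value in secure_property_assignments(script_text))


# Constructed fragments for illustration, not the contents of the real Adsutil.vbs.
ORIGINAL = """If (Attribute = True) Then
    IsSecureProperty = True
Else
    IsSecureProperty = False
End If
"""
EDITED = ORIGINAL.replace("IsSecureProperty = True", "IsSecureProperty = False")
COMMENTED = "' IsSecureProperty = True\nissecureproperty=False ' was True\n"

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else EDITED
    print("masking intact" if masking_intact(text) else "password masking disabled")
```

Run it with the path to Adsutil.vbs as the only argument; without an argument it reports on the constructed `EDITED` fragment.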

Create the Duplicate Account on the Remote Computer
In Windows NT 4.0

 * 1) On the Start menu, click Run, and type usrmgr to open User Manager.
 * 2) On the User menu, click New User to open the New User dialog box.
 * 3) In the UserName text box, type the name of the Anonymous account that you obtained from the previous steps.
 * 4) Type and confirm the same password that is used for the Anonymous account on the Windows NT/Internet Information Server (IIS) server. The Full Name and Description boxes are optional.
 * 5) Clear the User must change password at next logon and Account disabled check boxes. Select the User cannot change password and Password never expires check boxes.
 * 6) To add the Anonymous account to the Guests group, click Groups, click Guests, and click Add.
 * 7) In the Group Memberships dialog box, click OK. To add this user, click Add in the New User dialog box.

In Windows 2000

 * 1) On the Start menu, point to Programs, point to Administrative Tools, and then click Computer Management. If Administrative Tools is not listed in the Programs menu, you can open it from the Windows Control Panel as well.
 * 2) Under Computer Management, click to expand the System Tools and Local Users and Groups nodes.
 * 3) Click the Users folder to display the list of local user accounts.
 * 4) On the Action menu, click New User.
 * 5) In the User name text box, type the name of the Anonymous account that you obtained from the previous steps.
 * 6) Type and confirm the same password that is used for the Anonymous account on the Web server. The Full Name and Description boxes are optional.
 * 7) Clear the User must change password at next logon and Account is disabled check boxes. Select the User cannot change password and Password never expires check boxes. Click Close to add the new user.
 * 8) To add the Anonymous account to the Guests group, click the Groups folder, double-click Guests, and click Add.
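A way to confirm the result of the New User steps above from the command line, as an added example that is not part of the original article. It parses the text printed by `net user <name>` on the remote computer (English-language labels assumed) and reports where the account departs from the password options and Guests membership the steps call for; the account name IUSR_WEB01 and both sample outputs are constructed.

```python
import re

# What the article's New User steps should produce, keyed by the labels that
# "net user <name>" prints (English-language output assumed).
EXPECTED = {"Account active": "Yes", "Password expires": "Never",
            "User may change password": "No"}


def parse_net_user(output):
    """Return {label: value}; label and value are separated by 2+ spaces."""
    fields, last = {}, None
    for line in output.splitlines():
        if line[:1].isspace() and line.strip().startswith("*") and last:
            fields[last] += "  " + line.strip()  # wrapped group list
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) == 2:
            last = parts[0]
            fields[last] = parts[1]
    return fields


def deviations(output, web_server_account):
    """List every way the remote account differs from the article's steps."""
    fields = parse_net_user(output)
    problems = []
    if fields.get("User name", "").lower() != web_server_account.lower():
        problems.append("user name does not match the Web server's Anonymous account")
    for label, wanted in EXPECTED.items():
        if fields.get(label) != wanted:
            problems.append(f"{label}: expected {wanted}, found {fields.get(label)}")
    members = re.split(r"\s{2,}", fields.get("Local Group Memberships", ""))
    if "Guests" not in [m.lstrip("*") for m in members]:
        problems.append("account is not a member of Guests")
    return problems


# Constructed sample output; IUSR_WEB01 is a made-up account name.
MISCONFIGURED = """User name                    IUSR_WEB01
Full Name
Account active               Yes
Password expires             2001-10-01
User may change password     Yes
Local Group Memberships      *Users
"""
CONFIGURED = (MISCONFIGURED.replace("2001-10-01", "Never")
              .replace("password     Yes", "password     No")
              .replace("*Users", "*Guests               *Users"))
```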

Grant New Anonymous Account "Log on Locally" Rights
In Windows NT 4.0

 * 1) In User Manager, click Policies, and then click User Rights.
 * 2) In the User Rights Policy dialog box, click Show Advanced User Rights, and find Log on Locally in the right pane.
 * 3) Click Add to display the Add Users and Groups dialog box.
 * 4) In the List Names From box, scroll to the top of the list, and then click the local computer name.
 * 5) Click Show Users, and then click the new Anonymous account that you created. Click Add. The Anonymous account should now appear in the Add Names list. Click OK to exit the dialog box and save the settings.
 * 6) Click Log on Locally, and confirm that the Anonymous account appears in the list. Be sure to add the Anonymous account that you have just created and not the local Anonymous account for IIS 4.0 on this computer.

In Windows 2000

 * 1) On the Start menu, point to Programs, point to Administrative Tools, and then click Local Security Policy.
 * 2) Under Security Settings, click to expand the Local Policies node, and then click User Rights Assignment.
 * 3) In the right pane, under Policy, double-click Log on locally.
 * 4) Click Add to display the Select Users or Groups dialog box.
 * 5) In the Look in drop-down list box, click the local computer.
 * 6) Click the new Anonymous account, click Add, and then click OK. Be sure to add the Anonymous account that you have just created and not the local Anonymous account for IIS 5.0 on this computer.

<div class="references_section">