Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 101 Source: IISADMIN

IISADMIN service recreated an account IWAM_<Machine>.
1. I have tried renaming the IUSR_ MachineName and IWAM_MachineName accounts, and finding and using the existing IIS passwords (using the procedure in ME297989) on a test computer. It caused some other Event IDs, but after a restart of the computer these stopped occurring.

2. An alternate approach that has also worked is to uninstall and reinstall IIS (from Control Panel -> Add/Remove Programs -> Add/Remove Windows Components). You need to restart the computer between the uninstall and reinstall of IIS (or the "IIS Administration service" will still be running and will cause the original IUSR_ MachineName and IWAM_MachineName accounts to be recreated).

If the IIS Lockdown tool is installed then uninstall it before uninstalling IIS. It may be reinstalled after IIS is reinstalled. If other software is installed then uninstall it before uninstalling IIS. It may be reinstalled after IIS is reinstalled. Save and restore any IIS web sites and settings if required.

3. This Event ID can be ignored if it occurs only once for the IUSR_ and IWAM_ accounts when a Windows 2000/2003 computer is promoted to a Domain Controller (it occurs after the restart of the computer that is required when DCPROMO finishes executing).
In my experience, on Windows 2000 domain controllers, the names must also be changed in any Group Policies that refer to them (e.g. Default Domain Controllers Policy). The account names here must now be replaced by names that are preceded by "<DomainName>\".

4. This event can be ignored if it occurred when Windows was started in Active Directory Restore mode or some other form of Safe Mode. Otherwise, investigate further.
IISADMIN recreated the IWAM_<MACHINE> account because was missing. Please see ME271071 for the purpose of IWAM_ and IUSR_ accounts.
I ran in to this event after un/reinstalling IIS 5.0 on W2k Server after the host name was changed. The IIS installer properly updates the Windows SAM and will show the new "correct" IUSR and IWAM users in user manager, but the metabase values in LM\W3SVC\ for NTAuthenticationProviders and IWAMUserName retain the old hostname mappings for these users. As a result, IISADMIN updates the Windows SAM as it believes these accounts are required. You may additionally see an IISPerfCntrs event (1003) which I believe to be a result of the IISADMIN service being active while the performance counters are being activated. I eliminated both events by editing these metabase values to reflect the correct IUSR and IWAM string values.
In my case, I had renamed my computer from Computer1 to Computer2 (for example), but the computer was still using IUSR_Computer1 to lauch IIS Out Of Process applications (which I had deleted since it was no longer the correct ID).  The solution was to open Component Services (Start, Programs, Administrator Tools, Component Services), expand Component Services > My Computer > COM+ Applications, right-click the IIS Out-Of-Process Pooled Applications icon, click Properties and verify that the correct IWAM account is displayed on the "Identity" tab.  If an incorrect account is displayed, enter the information for the correct account.  IMPORTANT: after you have done this, use the iwamsync.vbs script in the Inetpub\AdminScripts directory.  Reboot or restart IIS Admin and all accompanying services.
This may also be logged when you change the computer name AFTER installing IIS and then you change the IUSR or IWAM accounts to match your machine name. Simply renaming these accounts won't work - you need to edit the IIS metabase if you really want them to reflect your machine name. After searching multiple sources (including this one!) I found the best workaround:
- Rename the IUSR & IWAM accounts to match your machine name (i.e. "IUSR_NewMachineName")
- From a command prompt go to the \Inetpub\Adminscripts folder
- Type cscript adsutil.vbs set w3svc/anonymoususername "IUSR_NewMachineName"
- Type cscript adsutil.vbs set w3svc/wamusername "IWAM_NewMachineName"
- Follow MS ME297989 to get the passwords for IUSR & IWAM.
- Enter the new IWAM user name and the password in the Identity tab of the ''IIS Out-Of-Process Pooled Applications'' under Component Services\Computers\My Computer\COM+ Applications.
- Type IISRESET to restart IIS services.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to



Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.