Setup: Server with IIS installed and a remote computer with PowerShell

Problem: IIS stores the Application Pool account password unencrypted, and it is trivial to retrieve. To list all application pool accounts and their passwords, use the following PowerShell command. You can even scan an entire network/domain and make a list of all accounts used.

Solution:

$strComputer = "Insert here computer name"
Get-WmiObject -computername $strComputer -namespace root\MicrosoftIISv2 -Query "Select  * from IIsApplicationPoolSetting" -Authentication PacketPrivacy -Impersonation Impersonate |  select name,WAM*

If you want to list them for all computers in a domain:

Get-QADComputer | %{ Get-WmiObject -computername $_.dNSHostName -namespace root\MicrosoftIISv2 -Query "Select  * from IIsApplicationPoolSetting" -Authentication PacketPrivacy -Impersonation Impersonate |  select name,WAM* }

Make sure you run the remote PowerShell console with enough permissions.

You can export the results to CSV:

Get-QADComputer | %{ Get-WmiObject -computername $_.dNSHostName -namespace root\MicrosoftIISv2 -Query "Select  * from IIsApplicationPoolSetting" -Authentication PacketPrivacy -Impersonation Impersonate |  select name,WAM* } | Export-Csv -NoTypeInformation C:\myfile.csv

Note: The Get-QADComputer cmdlet is part of ActiveRoles.
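
For the defensive side of the same query, this added example (not part of the original post) inventories which pools run under a custom account and where one account is reused, without selecting the password property. It assumes the IIS 6 WMI provider's AppPoolIdentityType property, where 3 means a specific user account; the function name, the Server column and the sample rows are constructed for illustration, and PowerShell 3.0 or later is needed.

```powershell
# Added example: report app pools that run as a specific user account.
# Assumption: AppPoolIdentityType 3 = specific user; 0-2 are built-in identities
# (LocalSystem, LocalService, NetworkService) with no stored password.
function Get-AppPoolCredentialExposure {
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Setting)
    begin { $custom = @() }
    process {
        # Keep only pools configured with a custom account name
        if ([int]$Setting.AppPoolIdentityType -eq 3 -and $Setting.WAMUserName) {
            $custom += $Setting
        }
    }
    end {
        # Group by account (case-insensitive) so reuse across pools and servers stands out
        $custom | Group-Object WAMUserName | ForEach-Object {
            [pscustomobject]@{
                Account   = $_.Name
                PoolCount = $_.Count
                Shared    = $_.Count -gt 1
                Servers   = ($_.Group | ForEach-Object { $_.Server } | Sort-Object -Unique) -join ';'
                Pools     = ($_.Group | ForEach-Object { $_.Name }) -join ';'
            }
        } | Sort-Object PoolCount -Descending
    }
}

# Constructed sample rows shaped like the query results (no real hosts or accounts)
$sample = @(
    [pscustomobject]@{ Server = 'WEB01'; Name = 'W3SVC/AppPools/DefaultAppPool'; AppPoolIdentityType = 2; WAMUserName = '' }
    [pscustomobject]@{ Server = 'WEB01'; Name = 'W3SVC/AppPools/Intranet'; AppPoolIdentityType = 3; WAMUserName = 'EXAMPLE\svc-web' }
    [pscustomobject]@{ Server = 'WEB02'; Name = 'W3SVC/AppPools/Reports'; AppPoolIdentityType = 3; WAMUserName = 'example\svc-web' }
    [pscustomobject]@{ Server = 'WEB02'; Name = 'W3SVC/AppPools/Legacy'; AppPoolIdentityType = 3; WAMUserName = 'EXAMPLE\svc-legacy' }
)
$sample | Get-AppPoolCredentialExposure | Format-Table -AutoSize

# Live use: the query from the post, limited to the non-secret columns.
# Get-WmiObject -ComputerName $strComputer -Namespace root\MicrosoftIISv2 `
#   -Query "Select Name, AppPoolIdentityType, WAMUserName from IIsApplicationPoolSetting" `
#   -Authentication PacketPrivacy -Impersonation Impersonate |
#   Select-Object @{n='Server';e={$strComputer}}, Name, AppPoolIdentityType, WAMUserName |
#   Get-AppPoolCredentialExposure
```

Accounts reported with Shared set to True are the ones whose password, once read from any single server, applies to every pool and server listed for them.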
