Setup: Server with IIS installed and a remote computer with PowerShell
Problem: IIS stores the application pool account password unencrypted, and it is trivial to retrieve. To list all application pool accounts and their passwords, use the following PowerShell command. You can even scan an entire network/domain and make a list with all accounts used.
Solution:
$strComputer = "Insert here computer name"
Get-WmiObject -computername $strComputer -namespace root\MicrosoftIISv2 -Query "Select * from IIsApplicationPoolSetting" -Authentication PacketPrivacy -Impersonation Impersonate | select name,WAM*
If you want to list them for all computers in a domain:
Get-QADComputer | %{ Get-WmiObject -computername $_.dNSHostName -namespace root\MicrosoftIISv2 -Query "Select * from IIsApplicationPoolSetting" -Authentication PacketPrivacy -Impersonation Impersonate | select name,WAM* }
Make sure you run the remote PowerShell console with enough permissions.
You can export the results to CSV:
Get-QADComputer | %{ Get-WmiObject -computername $_.dNSHostName -namespace root\MicrosoftIISv2 -Query "Select * from IIsApplicationPoolSetting" -Authentication PacketPrivacy -Impersonation Impersonate | select name,WAM* } | Export-Csv -NoTypeInformation C:\myfile.csv
Note: The Get-QADComputer cmdlet is part of ActiveRoles.
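
To audit which application pools run under a stored account without pulling any password into the console or a CSV file, the following added example (not part of the original post) queries the same WMI class but requests only the pool name, identity type and account name. The function name Get-AppPoolIdentityAudit is hypothetical, and the example assumes Windows PowerShell 3.0 or later and the AppPoolIdentityType property of IIsApplicationPoolSetting, where 3 means a specific user account.

```powershell
# Added example: report app pool identities; WAMUserPass is never requested.
# Usage: 'web01','web02' | Get-AppPoolIdentityAudit | Export-Csv -NoTypeInformation C:\audit.csv
# (web01, web02 and C:\audit.csv are constructed sample values)
function Get-AppPoolIdentityAudit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$ComputerName
    )
    begin {
        # AppPoolIdentityType values as defined for the IIS metabase
        $identityTypes = @{
            0 = 'LocalSystem'
            1 = 'LocalService'
            2 = 'NetworkService'
            3 = 'SpecificUser'
        }
        # Only non-secret properties are selected in the WQL query
        $query = 'Select Name, AppPoolIdentityType, WAMUserName from IIsApplicationPoolSetting'
    }
    process {
        foreach ($computer in $ComputerName) {
            try {
                $pools = Get-WmiObject -ComputerName $computer -Namespace root\MicrosoftIISv2 `
                    -Query $query -Authentication PacketPrivacy `
                    -Impersonation Impersonate -ErrorAction Stop
            }
            catch {
                # Host unreachable, namespace missing or access denied: note it and move on
                Write-Warning "${computer}: $($_.Exception.Message)"
                continue
            }
            foreach ($pool in $pools) {
                $type = [int]$pool.AppPoolIdentityType
                [pscustomobject]@{
                    Computer         = $computer
                    AppPool          = $pool.Name
                    IdentityType     = if ($identityTypes.ContainsKey($type)) { $identityTypes[$type] } else { "Unknown ($type)" }
                    Account          = if ($type -eq 3) { $pool.WAMUserName } else { $null }
                    StoresCredential = ($type -eq 3)
                }
            }
        }
    }
}
```

Pools reported with StoresCredential set to True are the ones whose password the commands above would return.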