Topic last updated—November 2007

The Internet Guest account IUSR_<computername> is used by Microsoft System Center Configuration Manager 2007 clients for anonymous access to BITS-enabled distribution points when accessing content without using Windows authentication. For example, in native mode, Configuration Manager 2007 client computers are authenticated by their PKI certificates. Because the PKI certificate is not mapped to a user or computer account, Configuration Manager 2007 native mode clients that access the content over HTTP use anonymous access from the Internet Guest account. (If the distribution point is not BITS-enabled or if the client cannot access the content over HTTP, the client can fall back to using server message blocks (SMBs), in which case clients use Windows authentication.) Also, when mobile device clients need to access content on distribution points, the mobile devices have no security context, so Configuration Manager 2007 has to give them anonymous access using the virtual directory configuration.

Required Rights and Permissions

If the distribution point is configured to allow anonymous access for mobile device clients, IUSR_<computername> must have access to the package or the advertisement will fail to run on mobile device clients.

If you support Internet-based clients, the package will fail if the IUSR account does not have NTFS permissions. In most cases, this is the desired result. For example, a user who works out of a home office and does not have an account in the organization's domain cannot be added to security groups. If security groups are used to restrict package access, the user is not a member and does not have NTFS permissions to the package. If you want the user to access the package, the package access must happen anonymously. The client will be allowed anonymous access only if it first presents a valid client authentication certificate.

Internet-based clients must use certificates to authenticate and then download the package using anonymous access, so Package Access Accounts cannot be used to restrict access based on user or group accounts.

If you remove the Internet Guest account from the Users group or if you remove the Users group as a Package Access Account, you can add the Internet Guest account explicitly to the package as a package access account with whatever permissions are required to access the package. Before doing so, verify that this will produce the desired results and is consistent with your security policy and your package access policy.

By default, the Internet Guest account is granted rights to Internet Information Services (IIS) resources, such as virtual directories. Removing the default permissions from the Internet Guest account to IIS resources used by Configuration Manager 2007 might cause Configuration Manager 2007 operations to fail and is not supported.

Account and Password Creation

The account is created automatically when IIS is installed. The password is created by the server and is set to never expire.

Account Location

The account is created on any server with IIS installed.

Account Maintenance

If the IUSR account becomes out of sync because of an attempted manual removal of IIS or a failed attempt to reset the password, it is possible to perform a manual reset. The password is stored in the IIS metabase and in the accounts database (Active Directory Domain Services if IIS is on a domain controller or the local account database on a member server). If you change the password in the user interface, you should use Metabase Explorer to reset the IUSR password in the metabase.xml or metabase.bin file. For more information, see

See Also