IIS: Encrypting AppPool Identity Passwords


This topic contains 3 replies, has 2 voices, and was last updated 4 years, 2 months ago.

  • Author
  • #20364

    Points: 21
    Rank: Member

    I have run into an issue when scripting AppPool identity passwords.

    If I go through the GUI, with IIS Manager, and set the identity/password (under ProcessModel) for an AppPool — the prompt seems to show that the password you are entering is encrypted.
    When I import the WebAdministration Module, and dive into the IIS PSDrive, I find that the password is sitting in clear text.

    Each example I find online that talks about setting this password is using the Set-ItemProperty command, which sets the password in plain text. I'm not sure how to work around this? TechNet documentation says that you should use the IIS Manager or AppCmd.exe to set it encrypted.

    Any help here would be appreciated. I am using IIS v8.

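    # Using Set-ItemProperty to set the password
    Import-Module WebAdministration
    $POSHSrvAcct = Get-Credential
    $NewWebsite = @{'SiteName'="poshtest.posh.com"}
    # The hashtable body was cut off in the post; the usual ProcessModel fields are assumed here
    Set-ItemProperty -Path "IIS:\AppPools\$($NewWebSite.SiteName)" -Name ProcessModel -Value @{
      userName     = $POSHSrvAcct.UserName
      password     = $POSHSrvAcct.GetNetworkCredential().Password
      identityType = 3  # 3 = SpecificUser
    }
    # Retrieve password; shows plain text actual password, regardless of using IIS Manager or not
    (Get-ItemProperty "IIS:\AppPools\$($NewWebSite.SiteName)" -Name ProcessModel).Password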
  • #20365

    Points: 21
    Rank: Member

    Side note:

    I'm trying to see if it is possible to avoid someone being able to run this command:

    (ls IIS:\AppPools | Get-ItemProperty -Include ProcessModel).ProcessModel | select UserName,Password

    And now have all service accounts associated with web apppools, along with their plain-text passwords.

  • #20385

    Points: 24
    Team Member
    Rank: Member


    I think you've discovered a feature. The password is stored encrypted in the applicationHost.config via Set-ItemProperty, but Get-Item/Get-ItemProperty show it decrypted regardless of whether the password was set via IIS Manager, AppCmd or PowerShell. I'm not aware of a way to prevent this, because if you're an Administrator of a machine, you own the machine anyway and can decrypt local passwords.
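
Added example, not part of the thread: a check of the claim in the reply above that the password is stored encrypted in applicationHost.config. It reports, per AppPool, whether the on-disk password attribute is in IIS's `[enc:Provider:...:enc]` form or clear text, without printing the value. The function name, the sample fragment and every name and value in it are constructed for illustration.

```powershell
# Added example: report how each AppPool password is stored on disk, without revealing it.
# $SampleConfig is a constructed fragment; pool names, account names and the
# encrypted blob are placeholders, not values from the thread.
$SampleConfig = @'
<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="poshtest.posh.com">
        <processModel identityType="SpecificUser" userName="POSH\svc-web"
                      password="[enc:IISWASOnlyAesProvider:Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=:enc]" />
      </add>
      <add name="legacy-pool">
        <processModel identityType="SpecificUser" userName="POSH\svc-old"
                      password="PLACEHOLDER-CLEAR-TEXT" />
      </add>
      <add name="DefaultAppPool" />
    </applicationPools>
  </system.applicationHost>
</configuration>
'@

function Get-AppPoolPasswordStorage {   # hypothetical helper name
    param([Parameter(Mandatory)][xml]$Config)

    foreach ($pool in $Config.SelectNodes('//applicationPools/add')) {
        $pm = $pool.SelectSingleNode('processModel')
        # GetAttribute returns an empty string when the attribute is absent
        $pw = if ($pm) { $pm.GetAttribute('password') } else { '' }
        $storage = if (-not $pw) {
            'NoPassword'
        } elseif ($pw -match '^\[enc:(?<provider>[^:]+):.+:enc\]$') {
            "Encrypted ($($Matches.provider))"
        } else {
            'ClearText'
        }
        [pscustomobject]@{
            AppPool  = $pool.GetAttribute('name')
            UserName = if ($pm) { $pm.GetAttribute('userName') } else { '' }
            Storage  = $storage   # classification only; the password itself is never emitted
        }
    }
}

Get-AppPoolPasswordStorage -Config $SampleConfig | Format-Table -AutoSize
# On a server, pass the real file instead of the sample:
# Get-AppPoolPasswordStorage -Config (Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config" -Raw)
```

For the constructed sample this lists poshtest.posh.com as Encrypted (IISWASOnlyAesProvider), legacy-pool as ClearText and DefaultAppPool as NoPassword.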

  • #20392

    Points: 21
    Rank: Member

    I had a feeling this was the case. I had seen the same results regarding the manager, AppCmd, and PowerShell and thought maybe I was doing something wrong.
    I wasn't aware that there was a 'feature' that would allow for the decryption of passwords like that until yesterday.

    I guess that means I can automate the service accounts attached to new AppPools of future IIS server builds that use the same accounts haha

    You has all the keys:

    # Computer that has IIS identity/passwords to pull
    $SourceComputerName = "WebServer01"
    # Pull all websites, and thus pull all nested usernames and passwords (if any)
    $AppPoolInfo = Invoke-Command -ComputerName $SourceComputerName -ScriptBlock {
      Import-Module WebAdministration
      ls IIS:\AppPools | Get-ItemProperty
    }
    # $NewWebSites (the names of the new AppPools) is not defined in the post and must be set beforehand
    foreach ($NewWebSiteName in $NewWebSites) {
      $WebAppPool = ($AppPoolInfo | where {$_.Name -like "$NewWebsiteName"}).ProcessModel
      # The hashtable body was cut off in the post; the usual ProcessModel fields are assumed here
      $null = Set-ItemProperty -Path "IIS:\AppPools\$NewWebSiteName" -Name ProcessModel -Value @{
        userName     = $WebAppPool.UserName
        password     = $WebAppPool.Password
        identityType = 3  # 3 = SpecificUser
      }
      Clear-Variable WebAppPool
    }
    # List all usernames/passwords
    # $AppPoolInfo.ProcessModel | select UserName,Password
