Event ID - 5153

Event Id5153
SourceMicrosoft-Windows-WAS
DescriptionThe Windows Process Activation Service (WAS) encountered an error attempting to look up the built in IIS_IUSRS group. There may be problems in viewing and setting security permissions with the IIS_IUSRS group. This happens if the machine has been joined and promoted to be a Domain Controller in a legacy domain. Please see the online help for more information and solutions to this problem. The data field contains the error number.
Event Information According to Microsoft :

Cause :

This event is logged when Windows Process Activation Service (WAS) encountered an error attempting to look up the built in IIS_IUSRS group.

Resolution :

Remap the built-in IIS accounts

IIS 7.0 uses several built-in Windows Server 2008 accounts, including the IIS_IUSRS group and the IUSR guest user account. These replace the _USR account that was created by IIS 6.0.

A problem occurs when a Windows Server 2008 computer that hosts IIS 7.0 becomes a domain controller (DC) of a non-Windows Server 2008 domain (that is, a DC of a Windows 2000 or Windows Server 2003 domain). When the DC promotion occurs, the new Windows Server 2008 built-in accounts are no longer available to IIS 7.0. Any Access Control List (ACL) that uses the built-in accounts will not be able to resolve to a friendly name, but will instead show their raw SID (Security Identifier) values.

To resolve this issue, run a script that will restore the mapping of SIDs to friendly names for the built-in accounts. The script must be run on the DC while it is connected to its Primary Domain Controller (PDC). This will reestablish access to the built-in accounts that IIS 7.0 requires. To obtain the script, see the Knowledge Base article 946139, IIS7 built-in accounts become unavailable after Domain Controller promotion.

Verify :

To perform this procedure, you must have membership in Administrators , or you must have been delegated the appropriate authority.

To verify that the WAS service is running:
  1. Open an elevated Command Prompt window. Click Start , point to All Programs , click Accessories , right-click Command Prompt , and then click Run as administrator .
  2. Type sc query was , and press ENTER. WAS is running if the state reported for the service is 4 RUNNING .
Reference LinksEvent ID 5153 from Microsoft-Windows-WAS

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.
 Refresh