IIS: Encrypting AppPool Identity Passwords

I have run into an issue when scripting AppPool identity passwords.

If I go through the GUI, with IIS Manager, and set the identity/password (under ProcessModel) for an AppPool – the prompt seems to show that the password you are entering is encrypted.
When I import the WebAdministration Module, and dive into the IIS PSDrive, I find that the password is sitting in clear text.

Each example I find online that talks about setting this password uses the Set-ItemProperty command, which sets the password in plain text. I’m not sure how to work around this. TechNet documentation says that you should use the IIS Manager or AppCmd.exe to set it encrypted.

Any help here would be appreciated. I am using IIS v8.

# Using Set-ItemProperty to set the password
Import-Module WebAdministration
$POSHSrvAcct = Get-Credential
$NewWebsite = @{ 'SiteName' = "poshtest.posh.com" }
# identityType 3 = SpecificUser; the userName/password keys are assumed from the
# surrounding text (the hashtable body was cut off in the post)
Set-ItemProperty -Path "IIS:\AppPools\$($NewWebSite.SiteName)" -Name ProcessModel -Value @{
    userName     = $POSHSrvAcct.UserName
    password     = $POSHSrvAcct.GetNetworkCredential().Password
    identityType = 3
}

# Retrieve password; shows the actual password in plain text, regardless of whether IIS Manager was used
(Get-ItemProperty "IIS:\AppPools\$($NewWebSite.SiteName)" -Name ProcessModel).Password

Side note:

I’m trying to see if it is possible to avoid someone being able to run this command:

(ls IIS:\AppPools | Get-ItemProperty -Include ProcessModel).ProcessModel | select UserName,Password

and end up with all service accounts associated with web AppPools, along with their plain-text passwords.


I think you’ve discovered a feature. The password is stored encrypted in the applicationHost.config via Set-ItemProperty, but Get-Item/Get-ItemProperty show it decrypted regardless of whether the password was set via IIS Manager, AppCmd or PowerShell. I’m not aware of a way to prevent this, because if you’re an Administrator of a machine you own the machine anyway and can decrypt local passwords.
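
Added example (not code from the thread): a defender-side inventory that lists which app pools hold a stored credential at all and confirms the on-disk value in applicationHost.config is in IIS's encrypted `[enc:...]` form, without asking the provider for the decrypted password. The config path under `%windir%` and the `[enc:` prefix check are assumptions about a default IIS 8 install.

```powershell
# Requires an elevated session on the IIS host (same assumption the thread makes).
Import-Module WebAdministration

function Get-AppPoolStoredCredential {
    # Assumed default location of the IIS configuration store.
    $configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
    [xml]$config = Get-Content -LiteralPath $configPath -Raw

    # Layout: <system.applicationHost><applicationPools><add name="..."><processModel .../></add>
    $poolNodes = $config.configuration.'system.applicationHost'.applicationPools.add

    foreach ($pool in Get-ChildItem IIS:\AppPools) {
        $pm = $pool.processModel
        # Only SpecificUser (identityType 3) pools carry a stored username/password;
        # ApplicationPoolIdentity, NetworkService etc. store nothing that can leak.
        if ($pm.identityType -ne 'SpecificUser' -and $pm.identityType -ne 3) { continue }

        # Read the raw attribute as it sits on disk; the provider is deliberately
        # not asked for the decrypted value here.
        $node = $poolNodes | Where-Object { $_.name -eq $pool.Name }
        $raw  = $node.processModel.password

        [pscustomobject]@{
            AppPool         = $pool.Name
            UserName        = $pm.userName
            EncryptedAtRest = [bool]($raw -and $raw.StartsWith('[enc:'))
        }
    }
}

# Inventory of pools whose credential any local administrator could recover.
Get-AppPoolStoredCredential | Format-Table -AutoSize
```

Since the answer above is that a local administrator can always recover these, the resulting list is the set of pools worth reviewing for whether a stored account credential is needed at all, and the set to watch when that script from the side note is run.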

I had a feeling this was the case. I had seen the same results regarding the manager, AppCmd, and PowerShell and thought maybe I was doing something wrong.
I wasn’t aware that there was a ‘feature’ that would allow for the decryption of passwords like that until yesterday.

I guess that means I can automate the service accounts attached to new AppPools of future IIS server builds that use the same accounts haha

You have all the keys:

# Computer that has IIS identity/passwords to pull
$SourceComputerName = "WebServer01"

# Pull all websites, and thus pull all nested usernames and passwords (if any)
$AppPoolInfo = Invoke-Command -ComputerName $SourceComputerName -ScriptBlock {
  Import-Module WebAdministration
  ls IIS:\AppPools | Get-ItemProperty
}

# $NewWebSites is assumed to be defined earlier as the list of AppPool names to configure
Import-Module WebAdministration
foreach ($NewWebSiteName in $NewWebSites) {
  $WebAppPool = ($AppPoolInfo | where {$_.Name -like "$NewWebsiteName"}).ProcessModel
  # hashtable body assumed from the text: copy the source pool's identity settings
  $null = Set-ItemProperty -Path "IIS:\AppPools\$NewWebSiteName" -Name ProcessModel -Value @{
    userName     = $WebAppPool.UserName
    password     = $WebAppPool.Password
    identityType = $WebAppPool.identityType
  }
  Clear-Variable WebAppPool
}

# List all usernames/passwords
# $AppPoolInfo.ProcessModel | select UserName,Password