Symptom & Impact
IIS-hosted application returns 503 because its app pool identity cannot log on after account password expiry or lockout. Critical portals and APIs fail until identity is corrected.
Environment & Reproduction
Most common with custom domain service accounts configured for app pools and manual password rotation.
Import-Module WebAdministration
Get-ItemProperty IIS:\AppPools\ -Name processModel
Get-WinEvent -LogName System -MaxEvents 50 | Where-Object {$_.Id -in 7023,7000,5057}
net user /domain
Root Cause Analysis
Failure occurs when IIS stores stale credentials for app pool identity or AD policy expires/locks the account, preventing worker process token creation.
Quick Triage
Confirm account state and test pool startup after credential refresh.
Get-WebAppPoolState -Name ''
%windir%\system32\inetsrv\appcmd list apppool '' /text:processModel
Get-EventLog -LogName System -Newest 40 | Where-Object {$_.Source -match 'WAS|IIS'}
Step-by-Step Diagnosis
Validate app pool identity, rights assignment, and local security policy affecting batch/service logon.
secedit /export /cfg C:\Temp\secpol.cfg
Select-String -Path C:\Temp\secpol.cfg -Pattern 'SeServiceLogonRight|SeBatchLogonRight'
whoami /all

Solution: Primary Fix
Update app pool credentials to current password, unlock account if required, and recycle IIS services.
%windir%\system32\inetsrv\appcmd set apppool '' /processModel.userName:DOMAIN\svc_web /processModel.password: /processModel.identityType:3
%windir%\system32\inetsrv\appcmd recycle apppool /apppool.name:''
iisreset /noforce

Solution: Alternative Approaches
Migrate to gMSA-backed app pool identity to avoid password expiry disruptions.
Install-ADServiceAccount -Identity gmsaWeb
Test-ADServiceAccount gmsaWeb
# Configure the app pool identity to the gMSA in IIS Manager or with appcmd: identityType SpecificUser, userName DOMAIN\gmsaWeb$ (trailing $), password left blank because AD manages it
Verification & Acceptance Criteria
Site health checks succeed, app pool remains started, and no further identity logon failures appear in System logs.
Get-WebAppPoolState -Name ''
Invoke-WebRequest -Uri 'http://localhost/' -UseBasicParsing
Get-WinEvent -LogName System -MaxEvents 30 | Where-Object {$_.Message -match 'identity|logon'}
Rollback Plan
If new credentials fail unexpectedly, restore prior identity configuration and switch site to maintenance mode while correcting AD state.
%windir%\system32\inetsrv\appcmd set apppool '' /processModel.identityType:4
%windir%\system32\inetsrv\appcmd recycle apppool /apppool.name:''
Prevention & Hardening
Track service-account password lifecycle, enforce pre-expiry alerts, and prefer gMSA for IIS workloads.
Get-ADUser -Identity -Properties PasswordLastSet,LockedOut
Get-ScheduledTask | Where-Object {$_.TaskName -match 'IIS|Account'}
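The password-lifecycle tracking described above, as an added PowerShell example that is not part of the original tutorial: it walks every app pool running as a specific account, looks the account up in AD, and flags lockout, expired or soon-to-expire passwords, and recent WAS 5021/5057 logon failures for that pool. It assumes the WebAdministration and ActiveDirectory modules are installed on the IIS host; the $WarnDays threshold and the function name are illustrative.

```powershell
Import-Module WebAdministration
Import-Module ActiveDirectory

function Get-AppPoolIdentityRisk {
    param([int]$WarnDays = 7)   # illustrative pre-expiry alert window

    # WAS 5021/5057 in the last 24 h mean the worker process identity failed to log on
    $wasEvents = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-WAS';
        Id = 5021, 5057; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue

    foreach ($pool in Get-ChildItem IIS:\AppPools) {
        $pm = $pool.processModel
        # Built-in identities (ApplicationPoolIdentity, NetworkService, ...) cannot expire or lock out
        if ($pm.identityType -ne 'SpecificUser') { continue }

        # userName is stored as DOMAIN\user or user@domain; reduce it to the sAMAccountName
        $name = $pm.userName
        $sam  = if ($name -match '\\') { $name.Split('\')[-1] } elseif ($name -match '@') { $name.Split('@')[0] } else { $name }

        $lockedOut = $false; $expired = $false; $expiresOn = $null
        if ($sam.EndsWith('$')) {
            # gMSA: AD rotates the password, so only lockout is meaningful
            $acct = Get-ADServiceAccount -Identity $sam -Properties LockedOut
            $lockedOut = [bool]$acct.LockedOut
        } else {
            $acct = Get-ADUser -Identity $sam -Properties LockedOut, PasswordExpired, PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'
            $lockedOut = [bool]$acct.LockedOut
            $expired   = [bool]$acct.PasswordExpired
            # The computed expiry is a FILETIME; never-expires accounts carry Int64.MaxValue, which FromFileTime rejects
            if (-not $acct.PasswordNeverExpires) { $expiresOn = [DateTime]::FromFileTime($acct.'msDS-UserPasswordExpiryTimeComputed') }
        }
        $daysLeft = if ($expiresOn) { [math]::Floor(($expiresOn - (Get-Date)).TotalDays) } else { $null }
        # WAS event text names the pool, so correlate failures per pool
        $failures = @($wasEvents | Where-Object { $_.Message -match [regex]::Escape($pool.Name) }).Count

        [pscustomobject]@{
            Pool             = $pool.Name
            Account          = $name
            State            = (Get-WebAppPoolState -Name $pool.Name).Value
            LockedOut        = $lockedOut
            PasswordExpired  = $expired
            ExpiresOn        = $expiresOn
            DaysLeft         = $daysLeft
            LogonFailures24h = $failures
            Risk             = $lockedOut -or $expired -or ($null -ne $daysLeft -and $daysLeft -le $WarnDays) -or ($failures -gt 0)
        }
    }
}

Get-AppPoolIdentityRisk -WarnDays 7 | Format-Table -AutoSize
```

Run it from a scheduled task and alert on any row with Risk set to True; rows for gMSA accounts only ever flag lockout or WAS failures, which is the point of migrating to them.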
Related Errors & Cross-Refs
Related to WAS Event ID 5057/5021, HTTP 503.0, and AD lockout Event ID 4740 for app pool identities.
References & Further Reading
Microsoft docs for IIS application pool identities, service logon rights, and gMSA deployment on Windows Server 2022.