To help ensure a secure environment for ArcGIS Server, it's recommended that you disable the primary site administrator account. This ensures that there isn't another way to administer ArcGIS Server other than the group or role you've specified in your identity store.
Before proceeding, ensure that the identity store you plan to use to maintain the administrator accounts is in working order and available. If your identity store becomes corrupted or unavailable, you won't be able to log in to your site or use ArcGIS Server. To learn how to set up an identity store to work with ArcGIS Server, see Configuring ArcGIS Server security.
Once the primary site administrator account has been disabled, changes to the identity store are not allowed.
If you used the primary site administrator account to register the ArcGIS Web Adaptor with your site, and then you later disable the account, there is no need for you to reconfigure the Web Adaptor. HTTP communication is not disrupted between the Web Adaptor and the site after disabling the account.
Follow the steps below to disable the primary site administrator account.
- Grant administrator privileges to the roles in your identity store that you want to have the same access as the primary site administrator account.
- Open the ArcGIS Server Administrator Directory and log in. Typically, this is located at http://gisserver.domain.com:6080/arcgis/admin.
- Click security > psa > disable.
- On the Operation - disable page, click Disable to disable the primary site administrator account.
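The same steps can be scripted against the Administrator Directory so that the disable operation only runs after an identity-store administrator has logged in successfully. The following is an added example, not Esri code. It assumes the site is reachable over HTTPS on port 6443, that tokens come from the `generateToken` operation with `client=requestip`, and that the `security/psa` resource reports a `disabled` field; `disable_psa` and `post_json` are names chosen for this illustration.

```python
import json
import urllib.parse
import urllib.request

# Assumed site URL: the page's example host, on ArcGIS Server's HTTPS port.
ADMIN_URL = "https://gisserver.domain.com:6443/arcgis/admin"

def post_json(url, params):
    """POST form-encoded params and decode the JSON reply."""
    data = urllib.parse.urlencode({**params, "f": "json"}).encode()
    with urllib.request.urlopen(url, data=data, timeout=30) as resp:
        return json.load(resp)

def disable_psa(admin_url, username, password, post=post_json):
    """Disable the primary site administrator, logging in as an
    identity-store administrator (not as the PSA itself)."""
    # 1. Logging in with the identity-store account proves that the store
    #    is reachable and the account works before the PSA goes away.
    login = post(admin_url + "/generateToken",
                 {"username": username, "password": password,
                  "client": "requestip"})
    token = login.get("token")
    if not token:
        raise RuntimeError(f"login failed, PSA left enabled: {login}")
    # 2. security > psa: nothing to do if the account is already disabled.
    if post(admin_url + "/security/psa", {"token": token}).get("disabled"):
        return "already disabled"
    # 3. security > psa > disable. A failure here (for example, the account
    #    lacks administrator privileges) leaves the PSA enabled.
    result = post(admin_url + "/security/psa/disable", {"token": token})
    if result.get("status") != "success":
        raise RuntimeError(f"disable refused: {result}")
    return "disabled"

if __name__ == "__main__":
    import getpass
    user = input("Identity-store administrator: ")
    print(disable_psa(ADMIN_URL, user, getpass.getpass()))
```

The `post` parameter exists so the call sequence can be exercised without a live site.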
Re-enabling the primary site administrator account
There may be occasions when you want to re-enable the primary site administrator account. For example, you're required to re-enable the primary site administrator before you can change the identity store that is used to manage ArcGIS Server security.
If you want to re-enable the primary site administrator account, log in to the ArcGIS Server Administrator Directory with an account that has administrative access. Navigate to security > psa > enable to access a page that will let you re-enable the account.
What if I don't have any other administrator accounts or I forgot their passwords?
If you want to re-enable the primary site administrator and you don't have the password of any account with administrative access, you can re-enable the account using the password reset utility. You can also use this utility to help you recover the name and password of the primary site administrator.
- Log in to the ArcGIS Server machine.
- Open a new Bourne shell.
- Navigate to the folder <ArcGIS Server installation directory>/server/tools/passwordreset.
- To re-enable the primary site administrator account, run the provided utility passwordreset.sh with the -e option.
- If you have forgotten the name of the account, run passwordreset.sh with the -l option.
- If you have forgotten the password of the account, run passwordreset.sh with the -p option.
./passwordreset.sh -p [new password]