To help ensure a secure environment for ArcGIS Server, it is recommended that you disable the primary site administrator account. This ensures the only way to administer ArcGIS Server is through the group or role you've specified in your identity store.
Caution:
If you choose not to disable the primary site administrator account, it is important that you change the password for the primary site administrator when someone who knows the password leaves your organization.
Before proceeding, ensure that the identity store you are planning to use to maintain the administrator accounts is in working order and available. If your identity store becomes corrupted or unavailable, you won't be able to sign in to your site or use ArcGIS Server. To learn how to set up an identity store to work with ArcGIS Server, see Control access in ArcGIS Server.
Note:
Once the primary site administrator account has been disabled, changes to the identity store are not allowed.
If you used the primary site administrator account to register ArcGIS Web Adaptor with your site, and then you later disable the account, you do not need to reconfigure ArcGIS Web Adaptor. HTTP communication is not disrupted between ArcGIS Web Adaptor and the site after disabling the account.
Follow the steps below to disable the primary site administrator account.
- Grant administrator privileges to the roles in your identity store that you want to have the same access as the primary site administrator account.
- Open the ArcGIS Server Administrator Directory and sign in.
Typically, this is located at https://gisserver.domain.com:6443/arcgis/admin.
- Click security > psa > disable.
- On the Operation - disable page, click Disable to disable the primary site administrator account.
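The steps above can be scripted so that the account is disabled only after an administrator from the identity store has been shown to sign in and reach the security resources. The following is an added example, not Esri's code. It assumes token-based sign-in through the Administrator Directory's generateToken operation, JSON replies carrying `token`, `status` and `disabled` fields, and a hypothetical identity-store administrator whose credentials you pass in.

```python
import json
import urllib.parse
import urllib.request

# Administrator Directory URL in the form the page gives; replace with your site.
ADMIN_URL = "https://gisserver.domain.com:6443/arcgis/admin"


def post_json(url, params):
    """POST form fields to an Administrator Directory endpoint; return parsed JSON."""
    body = urllib.parse.urlencode({**params, "f": "json"}).encode()
    with urllib.request.urlopen(url, data=body, timeout=30) as resp:
        return json.load(resp)


def decide(token_reply, psa_reply):
    """Choose the next action from the two replies (assumed JSON shapes).

    token_reply: generateToken result for a non-PSA administrator.
    psa_reply:   security/psa status fetched with that administrator's token.
    """
    if not token_reply.get("token"):
        return "abort: identity-store administrator cannot sign in"
    if psa_reply.get("status") == "error" or "disabled" not in psa_reply:
        return "abort: account lacks administrative access"
    if psa_reply["disabled"]:
        return "nothing to do: PSA already disabled"
    return "disable"


def disable_psa(admin_user, admin_password, call=post_json):
    """Disable the PSA only after an identity-store administrator is proven to work."""
    token_reply = call(ADMIN_URL + "/generateToken",
                       {"username": admin_user, "password": admin_password,
                        "client": "requestip"})
    auth = {"token": token_reply.get("token", "")}
    psa_reply = call(ADMIN_URL + "/security/psa", auth) if auth["token"] else {}
    action = decide(token_reply, psa_reply)
    if action != "disable":
        return action
    call(ADMIN_URL + "/security/psa/disable", auth)
    # Read the state back rather than trusting the disable reply.
    confirmed = call(ADMIN_URL + "/security/psa", auth).get("disabled") is True
    return "disabled" if confirmed else "abort: PSA still enabled after disable"
```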
Reenable the primary site administrator account
You may want to reenable the primary site administrator account. For example, you're required to reenable the primary site administrator before you can change the identity store that is used to manage ArcGIS Server security.
To reenable the primary site administrator account, sign in to the ArcGIS Server Administrator Directory with an account that has administrative access. Browse to security > psa > enable to access a page that will allow you to reenable the account.
Reenable the primary site administrator without other administrator accounts or without their passwords
If you want to reenable the primary site administrator and you don't have the password of any account with administrative access, you can reenable the account using the password reset utility. You can also use this utility to help you recover the name and password of the primary site administrator.
- Sign in to the ArcGIS Server machine.
- Open a new Bourne shell.
- Browse to the folder <ArcGIS Server installation directory>/server/tools/passwordreset.
- To reenable the primary site administrator account, run the provided utility passwordreset.sh with the -e option.
./passwordreset.sh -e
- If you have forgotten the name of the account, run passwordreset.sh with the -l option.
./passwordreset.sh -l
- If you have forgotten the password of the account, run passwordreset.sh with the -p option.
./passwordreset.sh -p [new password]