To help ensure a secure environment for ArcGIS Server, Esri recommends you disable the primary site administrator account. This ensures the only way to administer ArcGIS Server is through the group or role you've specified in your identity store.
Before proceeding, ensure that the identity store you are planning to use to maintain the administrator accounts is in working order and available. If your identity store becomes corrupted or unavailable, you won't be able to log in to your site or use ArcGIS Server. To learn how to set up an identity store to work with ArcGIS Server, see Configure ArcGIS Server security.
Once the primary site administrator account has been disabled, changes to the identity store are not allowed.
If you used the primary site administrator account to register ArcGIS Web Adaptor with your site, and then you later disable the account, there is no need for you to reconfigure ArcGIS Web Adaptor. HTTP communication is not disrupted between ArcGIS Web Adaptor and the site after disabling the account.
Follow the steps below to disable the primary site administrator account.
- Grant administrator privileges to the roles in your identity store that you want to have the same access as the primary site administrator account.
- Open the ArcGIS Server Administrator Directory and log in. Typically, this is located at http://gisserver.domain.com:6080/arcgis/admin.
- Click security > psa > disable.
- On the Operation - disable page, click Disable to disable the primary site administrator account.
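A pre-flight check for the steps above, as an added example that is not Esri's own code: it confirms that an administrator account from the identity store can obtain a token and reports whether the primary site administrator account is currently disabled. It assumes the Administrator Directory's generateToken operation and a security/psa resource that returns a "disabled" flag; the HTTPS URL on port 6443, the account name gis_admin and the function names are illustrative.

```python
import getpass
import json
import sys
import urllib.parse
import urllib.request


def http_post(url, params):
    """POST form parameters and return the decoded JSON response."""
    data = urllib.parse.urlencode(params).encode()
    with urllib.request.urlopen(url, data=data, timeout=30) as resp:
        return json.loads(resp.read().decode())


def psa_preflight(admin_url, username, password, post=http_post):
    """Log in as an identity-store administrator (not the PSA itself) and
    report whether the primary site administrator account is disabled."""
    if not admin_url.lower().startswith("https://"):
        raise ValueError("refusing to send credentials over plain HTTP")
    base = admin_url.rstrip("/")
    result = {"store_admin_ok": False, "psa_disabled": None}
    # The identity store must be reachable and must accept this account.
    login = post(base + "/generateToken", {
        "username": username, "password": password,
        "client": "requestip", "f": "json"})
    token = login.get("token")
    if not token:
        return result
    # Assumption: security/psa answers with {"disabled": true|false}; an
    # account without administrator privileges gets an error object instead.
    psa = post(base + "/security/psa", {"token": token, "f": "json"})
    if "disabled" in psa:
        result["store_admin_ok"] = True
        result["psa_disabled"] = bool(psa["disabled"])
    return result


if __name__ == "__main__":
    # Usage: python psa_preflight.py https://gisserver.domain.com:6443/arcgis/admin gis_admin
    url, user = sys.argv[1], sys.argv[2]
    status = psa_preflight(url, user, getpass.getpass("Password: "))
    print(json.dumps(status, indent=2))
    # Only disable the PSA once an identity-store administrator can log in.
    sys.exit(0 if status["store_admin_ok"] else 1)
```

Run it before disabling the account to confirm the identity store works, and again afterward to confirm that psa_disabled is true.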
Re-enable the primary site administrator account
There may be occasions when you want to reenable the primary site administrator account. For example, you're required to reenable the primary site administrator before you can change the identity store that is used to manage ArcGIS Server security.
If you want to reenable the primary site administrator account, log in to the ArcGIS Server Administrator Directory with an account that has administrative access. Browse to security > psa > enable to access a page that will allow you to reenable the account.
What if I don't have any other administrator accounts, or I forgot their passwords?
If you want to reenable the primary site administrator and you don't have the password of any account with administrative access, you can reenable the account using the password reset utility. You can also use this utility to help you recover the name and password of the primary site administrator.
- Log in to the ArcGIS Server machine.
- Open a command prompt window using the Run as administrator option.
- In the command prompt, browse to the folder <ArcGIS Server installation directory>\Server\tools\passwordreset, for example:
cd "C:\Program Files\ArcGIS\Server\tools\passwordreset"
- To reenable the primary site administrator account, run the provided utility PasswordReset.bat with the -e option.
- If you have forgotten the name of the account, run PasswordReset.bat with the -l option.
- If you have forgotten the password for the account, run PasswordReset.bat with the -p option.
passwordreset -p [new password]