Recover a Lost System Administrator Account Password

The highest permission role in PAM is System Administrator and the account(s) assigned this role have elevated privileges to manage and maintain this software.

When the password for this account is lost or forgotten, it can become a serious issue when the account needs to be used in PAM.

The good news is that you can recover from this situation in one of a few ways, assuming of course you have the required values.

This article will describe the methods that can be used to recover from a lost, forgotten or locked local System Administrator account password.

This article deals with local user accounts with the System Administrator role. If your System Administrator account(s) are from an external user directory like Active Directory, then you can manage password recoveries and unlocks from this user directory directly.

It is recommended to have at least two System Administrator accounts, for this and other reasons related to best practices in PAM.

Method #1

The first method describes how to reset a System Administrator account password when access to a second System Administrator account is available.

  1. Log in to PAM with your second System Administrator account.
  2. Navigate to Administration > Local Users.
  3. Locate the account of the lost or forgotten System Administrator password and click its Edit button.
  4. Enter or generate a new password in the Password field.
  5. Repeat the new password in the Repeat Password field.
  6. Click the Save button to update the password.

You can now log in to the other System Administrator account using its new password.

Method #2

The second method describes how to reset a System Administrator account password when access to a second System Administrator account is not available. This method requires access to the PAM host server and the Directory Password that was generated during the installation of the software.

  1. Log in to the PAM host server and open a command prompt. This may require elevated or Admin privileges.
  2. Using this prompt, navigate to the directory where the System is installed ($PAM_HOME).
  3. From $PAM_HOME, enter the following command, replacing the placeholders directoryServices.password and systemAdmin.login with the values specific to your PAM instance.

    Windows:

    bin\PamDirectory.cmd SetUserPassword web directoryServices.password systemAdmin.login -

    Linux:

    bin/PamDirectory.sh SetUserPassword web directoryServices.password systemAdmin.login -

    directoryServices.password – is the Directory Password that is generated when PAM is installed on the node.

    systemAdmin.login – is the login name of the System Administrator account that will have its password reset.

    For example, to reset the password of your pamadmin account:

    Windows:

    bin\PamDirectory.cmd SetUserPassword web u8DwvPE3y7itAS pamadmin -

    Linux:

    bin/PamDirectory.sh SetUserPassword web u8DwvPE3y7itAS pamadmin -

  4. When prompted for New Password:, enter the new password for this System Administrator login account.
  5. If successful, then you will receive an Ok response.

    c:\pam>bin\PamDirectory.cmd SetUserPassword web u8DwvPE3y7itAS pamadmin -
    New Password:
    Ok

You can now log in to this System Administrator account using its new password.

Method #3

The third method describes how to reset a System Administrator account password when access to a second System Administrator account is not available. This method requires access to the PAM host server and the Master Password that was generated during the installation of the software.

This method differs from the second method by creating a new local user account and then assigning this new account the System Administrator role. When completed, you can then use this new System Administrator account to reset the original System Administrator account using Method #1.

  1. Log in to the PAM host server and open a command prompt. This may require elevated or Admin privileges.
  2. Using this prompt, navigate to the directory where the System is installed ($PAM_HOME).
  3. From $PAM_HOME, enter the following command to create a new local user, replacing the placeholders user.login, user.firstname, user.lastname and user.password with the values specific to your PAM instance.

    If you already have an existing local user account and do not wish to create a new one, you can skip this step and proceed to the next step to grant the existing account the System Administrator role.

    Windows:

    bin\PamDirectory.cmd CreateUser web user.login user.firstname user.lastname user.password

    Linux:

    bin/PamDirectory.sh CreateUser web user.login user.firstname user.lastname user.password

    user.login – is the login name for the new local user account.

    user.firstname – is the first name for the new local user account.

    user.lastname – is the last name for the new local user account.

    user.password – is the password for the new local user account.

    For example, to create a new local account with the login backupadmin, the full name Backup SysAdmin and the password Password123:

    Windows:

    bin\PamDirectory.cmd CreateUser web backupadmin Backup SysAdmin Password123

    Linux:

    bin/PamDirectory.sh CreateUser web backupadmin Backup SysAdmin Password123

  4. Next, assign this new local account or your existing local account the System Administrator role. From $PAM_HOME, enter the following command, replacing the placeholders user.login and master.password with the values specific to your PAM instance.

    Windows:

    bin\PamDirectory.cmd DBMakeAdmin web user.login master.password

    Linux:

    bin/PamDirectory.sh DBMakeAdmin web user.login master.password

    user.login – is the login name for the account that you wish to assign the System Administrator role.

    master.password – is the Master Password that is generated when PAM is installed on the node.

    For example, to assign the local account backupadmin the System Administrator role:

    Windows:

    bin\PamDirectory.cmd DBMakeAdmin web backupadmin XzMFU88xFvgUeoKhO3C6TkmAn94KvN5M

    Linux:

    bin/PamDirectory.sh DBMakeAdmin web backupadmin XzMFU88xFvgUeoKhO3C6TkmAn94KvN5M

    If successful, then you will receive the response:

    c:\pam>bin\PamDirectory.cmd DBMakeAdmin web backupadmin XzMFU88xFvgUeoKhO3C6TkmAn94KvN5M
    Found the user
    Admin created

You can now log in to PAM using the new account with the System Administrator role and use Method #1 to reset the password of the first System Administrator account. Afterward, you can use the first System Administrator account to remove this new account’s System Administrator role, or keep the new account as-is in case it is needed in the future.

Please keep in mind that this new account does indeed have the full privileges of the System Administrator role and should be secured with the same measures as all other System Administrator accounts.
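
The commands in Methods #2 and #3 take the Directory Password, the Master Password or a new account password as command-line arguments, so a copy may be left in shell history or process-audit logs on the PAM host. The following is an added example, not part of the product or its documentation: it scans such lines for PamDirectory recovery commands and masks the secret argument, so the findings can be reviewed or forwarded without repeating the secret. The function names and input lines are constructed for illustration, and the argument positions are taken from the command syntax shown above.

```shell
#!/bin/sh
# Added example (not vendor code). Reads shell-history or process-audit style
# lines on stdin, reports each PamDirectory recovery command found, and masks
# the secret argument. Output: action <TAB> login <TAB> redacted command.
# Assumes arguments contain no spaces, as in the examples on this page.

redact_pam_commands() {
    awk '
    {
        for (i = 1; i < NF; i++) {
            # Matches bin/PamDirectory.sh, bin\PamDirectory.cmd, and a
            # Windows prompt prefix such as c:\pam>bin\PamDirectory.cmd
            if ($i !~ /PamDirectory\.(sh|cmd)$/) continue
            action = $(i + 1)
            if (action == "SetUserPassword") {      # web <dirpw> <login> -
                secret = i + 3; login = i + 4
            } else if (action == "CreateUser") {    # web <login> <first> <last> <pw>
                secret = i + 6; login = i + 3
            } else if (action == "DBMakeAdmin") {   # web <login> <masterpw>
                secret = i + 4; login = i + 3
            } else {
                continue
            }
            if (secret > NF || login > NF) continue # truncated line, skip
            who = $login
            $secret = "[REDACTED]"
            printf "%s\t%s\t%s\n", action, who, $0
            break
        }
    }'
}

# Constructed sample input with placeholder secrets, not real values.
sample_history() {
    cat <<'EOF'
cd /opt/pam
bin/PamDirectory.sh SetUserPassword web EXAMPLE-DIR-PW pamadmin -
bin/PamDirectory.sh CreateUser web backupadmin Backup SysAdmin EXAMPLE-USER-PW
c:\pam>bin\PamDirectory.cmd DBMakeAdmin web backupadmin EXAMPLE-MASTER-PW
bin/PamDirectory.sh DBMakeAdmin web
EOF
}

sample_history | redact_pam_commands
```

A DBMakeAdmin hit outside a planned recovery is worth investigating, since it means an account was granted the System Administrator role from the host rather than through the PAM interface.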

Locked System Administrator Account

This last scenario is not necessarily due to a lost or forgotten password; it could be the result of trying to log in too many times with an incorrect password, which resulted in the System Administrator account being locked.

In this situation, you could use a similar approach to Method #1 described above.

  1. Log in to PAM with your second System Administrator account.
  2. Navigate to Administration > Local Users.
  3. Locate the locked System Administrator account and click its Edit button.
  4. Click the Unblock button.

This account is now unlocked and you can try to log in again.

If there is not a second System Administrator account, then you will need to use Method #3 as described above to create a new local account or assign the System Administrator role to an existing account and then use this new account to Unblock your current System Administrator account.