Administrator user is locked

Similar Messages

• Impact of J2EE_ADMIN / Administrator user getting locked

  Hi,
  What is the impact of J2EE_ADMIN / Administrator user getting locked in abap / java engines?  Will it effect startup of java server processes or java applications?  What are the other implications?
  Thanks,
  Abdul

  Hi Abdul,
  if the J2EE_ADMIN or Administrator user is locked then
  1. you cannot login to Visual Admin unless you define some other user with same authorization.
  2. any Jco-RFC using this user won't work.
  3. if you don't have any other user, you will have to activate SAP* user to unlock this user.
  Thanks,
  Sandeep

• Administrator User Account Locked

  Hi.
  I locked into my local portal with Admin user/pwd.
  It asks me to reset the pwd.
  I did it and I forgottenly given wrong password.
  When I tried to log in the portal with the Admin user/pwd, it is showing message as "Account Locked"
  Can anyone help on this issue.
  Regards
  Bala

  Hi Balachandar P,
  If you forgot or lock "Administrator or J2EE_ADMIN" password just follow below steps:
  <u><b>STEP-1: Enable "SAP*"</b></u>
  1.Start the Config Tool C:\usr\sap\<SID>\<engine-instance>\j2ee\configtool\configtool.bat
  Ex: D:\usr\sap\F02\JC00\j2ee\configtool --> configtool.bat
  2.Goto cluster-data --> Global server configuration --> services --> com.sap.security.core.ume.service
  3.Double-click on the property "ume.superadmin.activated = TRUE"
  4.Double-click on the property "ume.superadmin.password=<Enter any password ex: abc123>"
  5.Save.
  6.Restart the engine.
  <u><b>STEP-2: Login with "SAP*" into portal</b></u>
  1. http://<host>:<Port>/useradmin/index.jsp
  2. Enter userid / password as" SAP* / <password ex: abc123>"
  3. Search for "Administrator" user
  4. Reset or change password for "Administrtor"
  <u><b>STEP-3: Disable "SAP*"</b></u>
  1.Start the Config Tool C:\usr\sap\<SID>\<engine-instance>\j2ee\configtool\configtool.bat
  Ex: D:\usr\sap\F02\JC00\j2ee\configtool --> configtool.bat
  2.Goto cluster-data --> Global server configuration --> services --> com.sap.security.core.ume.service
  3.Double-click on the property "ume.superadmin.activated = FALSE"
  4.Save.
  5. Restart the engine.
  <u><b>STEP-4: Login with "Administrator"</b></u>
  1. http://<host>:<Port>/useradmin/index.jsp
  2. Enter userid / Password as "Administrator / <password>
  3. it will ask change password just change it.
  <b>Thanks,
  Nagaraju Parlapalli</b>

• Nw 7.3 user admin lock : Authentication failed. Password locked

  Hi expert.
  please help me
  i have a portal nw 7.3, but idont acceces ,  the administrator user  is lock.
  how i can this user?

  Please avoid double postings.
  The original question (where answers should be put, too) is here: Nw 7.3 user admin lock : Authentication failed. Password locked

• Domain Administrator account being locked up by PDC

  Hi everyone,
  My PDC is locking up my domain administrator (administrateur in french) account.
  System event logs :
  The SAM database was unable to lockout the account of Administrateur due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please
  consider resetting the password of the account mentioned above.
  Level : Error
  Source : Directory-Services-SAM
  Event ID : 12294
  Computer : Contoso-PDC
  User : System
  There is absolutely no events in the security events log, not a single "Audit Failure" event for the "administrateur" account.
  I tried to change the name of the domain administrator account from "administrateur" to "administrator".
  Now there is "Audit failure" events poping up in the security event logs.
  Once again the Source Workstation is the PDC. I guess those events are there because it receive credential validation for an account who doesn't exist anymore since it have been renamed in "Administrator".
  Here is the detail log :
  An account failed to log on.
  Subject:
  Security ID: NULL SID
  Account Name: -
  Account Domain: -
  Logon ID: 0x0
  Logon Type: 3
  Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name: Administrateur
  Account Domain: CONTOSO
  Failure Information:
  Failure Reason: Unknown user name or bad password.
  Status: 0xc000006d
  Sub Status: 0xc0000064
  Process Information:
  Caller Process ID: 0x0
  Caller Process Name: -
  Network Information:
  Workstation Name: CONTOSO-PDC
  Source Network Address: -
  Source Port: -
  Detailed Authentication Information:
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0
  This event is generated when a logon request fails. It is generated on the computer where access was attempted.
  The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
  The Process Information fields indicate which account and process on the system requested the logon.
  The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  The authentication information fields provide detailed information about this specific logon request.
  - Transited services indicate which intermediate services have participated in this logon request.
  - Package name indicates which sub-protocol was used among the NTLM protocols.
  - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
  On the PDC i checked :
  Services : None of them are started with the "administrateur" account
  Network Share : There is no network share ...
  Task Scheduler : None of the tasks are launch with the "administrateur" account.
  And the logon type (3:network) seem to indicate that the login comes from an other computer but i have nothing to look for, not a single IP.
  Any ideas?
  ps : Sorry for the probable english mistakes :(

  Hi,
  Thanks for you answers.
  San4wish :
  Lockout tool confirm that the domain administrator account is locked on my PDC. I didn't run eventcomb but i though it only helped parsing security event logs which i did "manually". Anyway i'll try eventcomb after this week end.
  About the conficker worm : I looked into it and this worm was exploiting a vulnerability in the server service. It have been patched by MS08-067 (KB958644) and this kb isn't available for Windows 2008 R2 and Windwos 2012 so i guess Windows 2008 R2 have
  fixed this vulnerabilty.
  So i doubt its a conficker type worm.
  Also i gave the PDC role to another DC (let's call him DC2) and now DC2 is locking the administrator account so it seems that the computer locking the account is doing it through the network and it's not something executed on the DCs.

• ABAP+JAVA System Copy -- Administrator account getting locked

  Hi,
  I am in the process of doing system copy of my portal to a new server. As per the SAP instructions, I had updated the JDK and SP levels of my EP to the latest supported ones.
  Now when i am doing JAVA Add-in Export of my system, SAPinst is throwing error that --
  "Error connecting to http://Entportal:50000/sap/monitoring/SystemInfoServlet. The provided user data might be incorrect or user might be locked.:
  and when I check the "administrator" user account, it is getting locked. Even though I manually unlock it and update the password is secure storage, still when I run SAPinst, again it is getting locked. I have also chnged the path of my temporary directory to c:\temp which has no spacees in it, according to SAP instructions.
  I have raised the issue through OSS, but still, in the mean time can sombody help me?
  Regards,
  Mandar

  Hi Akshay,
  I am not using any ID. SAPInst itself is trying to access systeminformationservlet using administrator account. at this stage it is failing to get the correct password and thats why my administrator account is getting locked.
  Regards,
  Mandar.

• PI 7.0 service users are locked

  Hi guys,
  We have PI7.0 installed and configured properly.
  We created a custom product and software component version in SLD and when we are trying to import it in IR we get "Unable to read software component versions from System Landscape Directory". Just to let you know PI is on one host and SLD on another.
  It is obvious that something is wrong with users in the communication between IB and SLD.
  We have tried everything:
  1) notes 764176, 768148, 720717, 741214, found on relevant posts.
  2) Exchange profile checks, we added extra roles to PIREPUSER, we replaced PIREPUSER in Exchange Profile with PISUPER, creating all PI service users with user roles in ABAP part of SLD etc... When I changed something in ABAP part, I performed "assign roles to user groups" in VA of Java part.
  However, I noticed that in SLD's UME in Java some of the PI service users are locked and I am unable to unlck them, since when I try to do so with user j2ee_admin, I get "There was an error. Please contact administrator"
  Any ideas??
  Evaggelos

  Thanks to both guys. I will award points.
  The problem was caused due to some PI users that were locked on the J2EE part of XI, and therefore they could not connect to the SLD. I unlocked them through VA 's, Security Provider service.
  Evaggelos

• Built in domain administrator... locked out?

  PART-1
  Today our built in domain administrator got locked out. From what I've read this is not possible. We were alerted on it and when I opened the object it said it was locked out. (I'll admit, I didn't try logging in with it). I double checked and the objects
  SID does indeed end in -500 which is indicative of it being the built in account.  
  I ran this query:
  $BA=(get-addomain).domainsid
  $BA.tostring() + "-500"
  and the only result I got back was the SID that matched the user in question.
  What's going on? Was it truly locked out? I guess we will run a test tomorrow but I wanted to reach out to the forums too.
  PART-2
  Once this account was locked out we went to the source server and found that it was no longer on the domain. Instead it was in a workgroup that had a name that resembled our domain. I checked the event log and there were a ton of errors with event ID 4097
  that said "The machine [machine-name] attempted to join the domain [FQ-domain-name]\[FQDN-of-PDC] but failed. The error code was 1326". These errors correspond with the time that the account was locked out. There were a ton of them...
  The account that was originally used to join this machine to the domain was the built in admin above (I know, not best practice). Regardless, why would it switch from domain to a workgroup? Why would it attempt to auto re-join? And why would it use the account
  originally used to join the domain? 

  I have found my answers...
  Part 1:
  The built-in administrator will get locked out and marked as locked out - however, when you go to log in with it, it will AUTOMATICALLY unlock the account. So essentially it cannot be locked out but it will give off the impression that it is.
  you can however disable the account. .... supposedly if you ever have to recover your domain in restore mode it will enable the account for you... .never had an opportunity to test that and I hope I don't
  Part 2:
  This is a vmware related issue. The machine tried to re-run custom specs. Please see the following vmware article if you are having the same issue.
  http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2078352
  This is related to deploying machines with custom specs in 5.1 with hosts on build 1743533 (ESXi 5.1 patch 4)

• User gets locked by an external system but which one?

  Hi,
  In an abap system, we have changed the password of our administration user. Afterwards, this user gets locked every 5 minutes, obviously because the user and old password has been used to set up communication from another system to the abap system. An RFC connection for instance or whatever. Sure it is possible to check all the systems you can think of to see if the user has been used for such a purpose. But how can you see in the system itself where the call comes from that locks it? I have tried the gateway tracefile but without success. Any suggestions?
  Regards,
  GK

  Hello,
  I would try transaction STAD.
  There you should find entries of type RFC with your user.
  If you double-click on the line, you get the details. Click on the RFC button.
                                as Client             as Server
  No. of targets                   0                     1
  Click on the highlighted 1 under "as server".
  You should get the needed info : the remote destination
  Target         TEST_DEV
  User ID        TESTOC
  RFC Caller     OCHRETIE
  Local  destin. bt1suk17v1_DEV_02                IP address xx.xx.xx.xx
  Remote destin. bt1suk16v1_DXI_68                IP address yy.yy.yy.yy
  Hope this helps
  Olivier

• Appplications using "Administrator" user id and password in J2EE engine...

  All,
  We have a EP 7.0 with SPS 14. Our "Administrator" user id account gets locked every now and then.
  Eventhough if we unlock it or change the password using configtool, it works for sometime..but,again the "Administrator" user id account gets locked.
  Somewhere some application is still using the old password. So,no matter what password we use or we updated the password everywhere..it works for some time and again the its getting locked.
  Can anybody tell me how to find all the applications using "administrator" user id and password or the applications which requires administrator user id directly or indirectly.
  Is nwds and nwdi deployment uses the "administrator" uidpw ?
  Note: We have already tried with updating the password using configtool and updated the password all the places.it works for some time and it gets locked again..Please help..Thanks.

  to Michael Nicholls  
  Addy 365 posts:        
  We have already tried with updating the password using configtool and updated the password all the places
  Yes from log it looks like impossible to check, but you can determine immediately whether the blockage occurs after restart, or only at certain times of the launch of a job ....
  To Addy 365
  search after restart the lines in security log like
  LOGIN.FAILED, and  try to recheck ol RFC  from all other system's you have in your enterprise ....
  P.S. first check are you have any available RFC listeners in JCO RFC provider.
  To Michael Nicholls    in ABAP side we can check in sm21 from with terminal blocking occurs, why Why the same is not implemented in JAVA? Or for this need special tool like Wily Introscope ?
  Regards.

• Administrative user only for install software but prevent intercative session

  Hello,
  as an university, we are not allowing domain users di write anything on the C:\ drive on our Win7/64 PCs; therefore users are unable to install any software and that is what we - usually - want.
  But there are some users (researchers, Teachers or labs) who sometimes need to install software in order to test it. So we created on their PCs a local user "install" as member of the local administrator Group. They should use it when
  UAC prompts them to give administrative rights to install software or with the "Run as administrator" right click. This works fine but unfortunately we noticed that many users are using the "install" account to do their daily work, so they
  are working the whole day long with the highest privileges and we do not want this for obvious security reasons.
  We want to leave the administrative user "install" for the software installation purpose but we want prevent users using it interactively; we couldn't find a way to do this. Is it possible ?
  In order to discourage users, we also made some tests giving the "install" local user, deny permission on the start menu, desktop and some other folders, so that they couldn't find programs and be very limited in using the installa account
  interactively, but this does not give the expected results (for example the user is able to create a folder on the desktop after a couple of popus warnings, or the start menu is not completely empty).
  Any ideas ?
  Thank you in advance.
  Best regards,
  Eric

  Hi,
  In my opinion, you can try to use AppLocker to accomplish this task. You can create a new pricple the allow specific user or group install application. Also the type of about to be installed app could be customized.
  You can allocate User group app install permission to make sure they could install APP unrestricted but doesn't have administrator rights.
  Please refer to the link below for more details about APP Locker:
  http://technet.microsoft.com/en-us/library/dd723678(v=ws.10).aspx
  Roger Lu
  TechNet Community Support

• J2EE_ADMIN user getting locked frequently

  Hi SAP Guru's,
  The user J2EE_ADMIN in our nw2004s system is getting locked frequently. We have changed the password of this user in ABAP via SU01 & in JAVA in the secure store via configtool. The server was re-booted after doing these changes. Still the user J2EE_ADMIN is getting locked frequently. Also in SM21, we have a log <b>"J2EE_ADMIN locked due to incorrect logon"</b> for this locking which mentions the user as SAPJSF (Communication user between ABAP & JAVA).
  Is there a possibility that SAPJSF is locking the user J2EE_ADMIN ?? how & why ??
  Any help on this will be highly appreciated.
  Thanks,
  Sanjeev.

  have you solve this issue? we have the same!
  every half hour (xx:51:00 and xx:29:00), the J2EE_ADMIN user is locked by user SAPJSF transaction KRNL from the local host (terminal).
  We have changed the pass in secure store in configtool to the pass we used in abap.
  In "Visual Administrator" "Cluster>Server>Services-->Security Provider" the user have a checked box at "No password change required"
  We searched for other places with a wrong pass (Jco Connections = no J2EE_ADMIN used, SLD = no J2EE_ADMIN used), but found nothing.
  need help pls.
  regards
  chris

• BI Applications Administrator User : given name as Administrator

  Installing Oracle BI APPS 11.1.1.7.1 in Windows 2008 Server
  Run ConfigApps.bat
  Step 7 of 15
  BI Applications Administrator User
  Wrongly given the Username : Administrator
  Now, unable to login to repository in ODI.
  What are my options, how to resolve this issue.
  Thanks,
  Kal

  Yes, you will need to boot from the installer disc to reset the password. Changing the user name is a bit easier:
  Open Accounts preferences and click on the lock icon to authenticate. CTRL or RIGHT-click in the accounts list and select Advanced Options from the contextual menu. You can alter the account name by changing it in the Short Name: field. Make a change in the Home Directory: field to use the corresponding new short name in the path - /Users/newshortname. Click on the OK button, then restart the computer.

• Administrator user became standard now there is no way back

  I have been one of the lucky souls that after upgrading from 10.4 to 10.5 my user which was had admin rights has reverted to a standard one.
  Countless attempts to make it an administrator user have failed. I've logged in as root, changed the field in Account Preferences, but the setting is not saved. I have logged in as myself, then clicked the lock icon used the root user/password clicked on the make user and administrator, got the message that action will not take affect until one logs back in, but this didn't work either...
  Has anyone got any thoughts? Failing this I think I might have to do a complete re-build.... It is very annoying.

  OK...
  The article gave me some hints... I tried to do as above but was getting invalid path errors. Then I looked at the group membership of my user and found that I no longer have the group admin (surprise, surprise) but have these other groups called _lpadmin, _appserversadm, _appserverusr....
  Are these groups for real? working away on my trusty iBook 933 running OS-X 10.3 I found that my user on this machine has access to....
  05:10:06 theodorevass :/Users/theodorevass-(0)-> groups
  theodorevass appserverusr admin appserveradm
  Is it possible that the groups file has become corrupted? Can someone check on the 10.5 install using terminal the groups their admin user has access to, and if the groups file, in /etc/group has all these groups with underscores in them?

• Cant receive emails - error 'user mailbox locked'

  My emails are not filtering through to the 'mail' application on my mac.
  I use Virgin, also have a blackberry. I can get the emails from the Virgin site, the emails are coming through on my blackberry.
  I can send emails from 'mail'
  The error is - The mail server denied access to the account "xxxx" because an administrator or other mail client was using it when Mail tried to log in. Please try again later.
  The server error encountered was: user mailbox locked
  When I look at connection doctor the error is POP account failed, please make sure user name and password are correct.
  As far as I am aware I have not changed anything.
  Has anyone got any answers please?

  > The error is - The mail server denied access to the account "xxxx"
  because an administrator or other mail client was using it when Mail
  tried to log in. Please try again later.
  The server error encountered was: user mailbox locked
  Where/how does Mail display that error message?
  Are you accessing that mail account from other computers or devices, or by other means (e.g. webmail), when it happens?
  Could it be that you have more than one copy of the Mail application running? How many Mail icons do you see in the Dock?
  Have you tried restarting the computer?