Prevent locking of Administrator account

Hello,
We'd like to expose our portal to the internet. This means everyone will be able to logon to the portal (after creating an UME user account). UME is configured to lock user accounts after 3 invalid login attempts.
Now how can we prevent anonymous internet users to lock the Administrator account or other system accounts like ADSUser?
The first option would be to implement this on the revert proxy, e.g. block requests containing j_user=Administrator either in the URL during a GET request or in the body during a POST request.
However, because of performance reasons, especially because of the need to scan all POST requests, this option doesn't look very attractive.
A second option would be to deploy a new JAAS LoginModule, configured to be always executed as the first one, that checks the username first and halts the login process if the username is Administrator and the request is coming from a certain IP (the reversed proxy), e.g. by throwing a RuntimeException in the login method (will that work? any other possibility besides throwing a RuntimeException?).
This doesn't look as very clean solution either.
What would be the best (safe, clean, easy) way to stop anonymous users from locking the Administrator user account?
Thanks!
Sigiswald

At the end we decided to write a custom LoginModule anyway.
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import com.sap.engine.interfaces.security.auth.AbstractLoginModule;
import com.sap.engine.lib.security.LoginExceptionDetails;
import com.sap.engine.lib.security.http.HttpGetterCallback;
import com.sap.security.api.IUser;
import com.sap.security.api.NoSuchUserException;
import com.sap.security.api.UMException;
* <p>
* <div>This LoginModule either succeeds or fails, but in fact it
* <u>never</u> authenticates the user. What is meant is that even if
* all relevant methods of the LoginModule API - i.e. login and commit
* - return true, indicating success, the Subject is never
* authenticated. Therefore this LoginModule should <u>never</u> be
* configured as SUFFICIENT.</div>
* </p>
* <p>
* <div>The purpose of this LoginModule is to abort the authentication
* process in case an unauthorized user tries to authenticate as
* administrator and thus it stops unauthorized users from locking
* administrator accounts.</div>
* </p>
* <p>
* <div>This LoginModule accepts two optional configuration
* options:<ul>
* <li>ip_allow</li>
* <li>ip_deny</li></ul>
* The value of both options is a comma separated list of IPv4 ranges.
* e.g.
* <code>ip_allow=145.50.76.81,145.50.77.0-145.50.77.255,194.196.236.70-194.196.236.71</code>
* The localhost is added implicitly.</div>
* </p>
* <p>
* <div>If the IP address of the client that sent the HTTP request is
* within the range(s) defined by ip_allow and is not within the
* range(s) defined by ip_deny, authentication succeeds. If this is
* not the case, authentication fails if the user tries to
* authenticate by username (and password) and supplies the username
* of an existing UME user that is assigned the internal_use_only
* role. Otherwise, authentication succeeds.</div>
* </p>
* <p>
* <div>To meet its purpose, i.e. prevent the locking of administrator
* user accounts, this LoginModule <u>should</u> be configured as
* <u>REQUISITE</u> and should be in the login stack <u>before</u> the
* standard BasicPasswordLoginModule.</div>
* </p>
* @author smadou
public final class AdministratorFilterLoginModule extends AbstractLoginModule {
private static final String INTERNAL_USE_ONLY =
    LogonUtil.getRoleid("internal_use_only");
private static final String IP_ALLOW = "ip_allow";
private static final String IP_DENY = "ip_deny";
private static boolean initialized;
private static List IPRANGE_ALLOW = new ArrayList();
private static List IPRANGE_DENY = new ArrayList();
private CallbackHandler callbackHandler;
private boolean succeeded;
public void initialize(
    Subject subject,
    CallbackHandler callbackHandler,
    Map sharedState,
    Map options) {
    super.initialize(subject, callbackHandler, sharedState, options);
    this.callbackHandler = callbackHandler;
    this.succeeded = false;
    AdministratorFilterLoginModule.initialize(options);
public boolean login() throws LoginException {
    try {
      if (ipAllowed()) {
        succeeded = true;
        return true;
    } catch (UnsupportedCallbackException e) {
      throwUserLoginException(e);
    } catch (IOException e) {
      throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
    String logonid = null;
    IUser user = null;
    String userid = null;
    try {
      logonid = getLogonid();
      user = logonid == null ? null : LogonUtil.getUser(logonid);
      userid = user == null ? null : user.getUniqueID();
    } catch (UnsupportedCallbackException e) {
      throwUserLoginException(e);
    } catch (IOException e) {
      throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
    } catch (NoSuchUserException e) {
      // TODO connect to NetWeaver logging API - DEBUG
      e.printStackTrace();
    } catch (UMException e) {
      throwUserLoginException(e);
    if (userid == null) {
      return true;
    if (user.isMemberOfRole(INTERNAL_USE_ONLY, LogonUtil.RECURSIVE)) {
      throwNewLoginException(
        "Access Denied to user with logonid "
          + logonid
          + " having role "
          + INTERNAL_USE_ONLY
          + "!");
    succeeded = true;
    return true;
public boolean commit() throws LoginException {
    return succeeded;
public boolean abort() throws LoginException {
    return succeeded;
public boolean logout() throws LoginException {
    succeeded = false;
    return true;
private static synchronized void initialize(Map options) {
    if (initialized) {
      return;
    IPRANGE_ALLOW.addAll(Arrays.asList(AddressRange.parseRanges("127.0.0.1")));
    try {
      IPRANGE_ALLOW.addAll(
        Arrays.asList(
          AddressRange.parseRanges(
            InetAddress.getLocalHost().getHostAddress())));
    } catch (UnknownHostException e) {
      // TODO connect to NetWeaver logging API - INFO
      e.printStackTrace();
    String ipAllow = (String) options.get(IP_ALLOW);
    String ipDeny = (String) options.get(IP_DENY);
    if (ipAllow != null && ipAllow.length() > 0) {
      IPRANGE_ALLOW.addAll(Arrays.asList(AddressRange.parseRanges(ipAllow)));
    if (ipDeny != null && ipDeny.length() > 0) {
      IPRANGE_DENY.addAll(Arrays.asList(AddressRange.parseRanges(ipDeny)));
    initialized = true;
private String getClientIp()
    throws UnsupportedCallbackException, IOException {
    HttpGetterCallback hgc = new HttpGetterCallback();
    hgc.setType(HttpGetterCallback.CLIENT_IP);
    callbackHandler.handle(new Callback[] { hgc });
    return (String) hgc.getValue();
private String getLogonid()
    throws IOException, UnsupportedCallbackException {
    NameCallback nc = new NameCallback("username: ");
    callbackHandler.handle(new Callback[] { nc });
    return nc.getName();
private boolean ipAllowed()
    throws UnsupportedCallbackException, IOException {
    String clientIp = getClientIp();
    return match(IPRANGE_ALLOW, clientIp) && !match(IPRANGE_DENY, clientIp);
private boolean match(List ipRanges, String ip) {
    for (Iterator i = ipRanges.iterator(); i.hasNext();) {
      AddressRange range = (AddressRange) i.next();
      if (range.match(ip)) {
        return true;
    return false;
import com.sap.security.api.IRole;
import com.sap.security.api.IRoleFactory;
import com.sap.security.api.IUser;
import com.sap.security.api.IUserFactory;
import com.sap.security.api.NoSuchRoleException;
import com.sap.security.api.NoSuchUserException;
import com.sap.security.api.UMException;
import com.sap.security.api.UMFactory;
* @author smadou
public final class LogonUtil {
static final boolean RECURSIVE = true;
static String getRoleid(String uniqueName) {
    try {
      IRoleFactory rf = UMFactory.getRoleFactory();
      IRole role = rf.getRoleByUniqueName(uniqueName);
      return role.getUniqueID();
    } catch (NoSuchRoleException e) {
      // TODO connect to NetWeaver logging API - WARN
      e.printStackTrace();
      throw new SecurityException(
        "NoSuchRoleException while getting role with unique name ""
          + uniqueName
          + "": "
          + e.getMessage());
    } catch (UMException e) {
      // TODO connect to NetWeaver logging API - WARN
      e.printStackTrace();
      throw new SecurityException(
        "UMException while getting role with unique name ""
          + uniqueName
          + "": "
          + e.getMessage());
static IUser getUser(String logonid)
    throws NoSuchUserException, UMException {
    IUserFactory uf = UMFactory.getUserFactory();
    return uf.getUserByLogonID(logonid);
* This code is based on
* http: //drc-dev.ohiolink.edu/browser/fedora-core/tags/2.0/src/java/fedora/server/security/IPRestriction.java
* @author smadou
public final class AddressRange {
private static final int IP_OCTETS = 4;
private static final int OCTET_MIN = 0;
private static final int OCTET_MAX = (int) Math.pow(2, 8) - 1;
private long start;
private long end;
private AddressRange(long start, long end) {
    this.start = start;
    this.end = end;
public boolean match(String address) {
    return match(parseAddress(address));
private boolean match(long address) {
    return address >= start && address <= end;
private static long parseAddress(String address) {
    String[] octets = address.split("\.");
    if (octets.length != IP_OCTETS) {
      throw new IllegalArgumentException("invalid adress: "" + address + """);
    long lAddress = 0;
    for (int i = 0, n = octets.length; i < n; i++) {
      lAddress += parseOctet(octets[ i ], n - i - 1);
    return lAddress;
private static long parseOctet(String octet, int byteNum)
    throws NumberFormatException {
    long lOctet = Long.parseLong(octet);
    if (lOctet < OCTET_MIN || lOctet > OCTET_MAX) {
      throw new IllegalArgumentException("invalid octet: "" + octet + """);
    return lOctet * (long) Math.pow(Math.pow(2, 8), byteNum);
private static AddressRange parseRange(String range) {
    String[] parts = range.split("-");
    if (parts.length > 2) {
      throw new IllegalArgumentException("invalid range: "" + range + """);
    long start = parseAddress(parts[0].trim());
    long end = parts.length == 1 ? start : parseAddress(parts[1].trim());
    return new AddressRange(start, end);
public static AddressRange[] parseRanges(String ranges) {
    String[] parts = ranges.split(",");
    AddressRange[] addressRanges = new AddressRange[parts.length];
    for (int i = 0, n = parts.length; i < n; i++) {
      addressRanges[ i ] = parseRange(parts[ i ].trim());
    return addressRanges;

Similar Messages

I cannot unlock the lock on administrator account

Despite beeing logged into administrator account I can't unlock the lock when I go to System Preferences>Accounts , Time Machine, etc. Problem started since I lost my password. I managed to login into my account by logging as a guest and changing password for my own account (strange, but in fact it is possible to do that). I tried many solutions, but none worked (e.g. I set new account with administrator rights, but that one also is not allowed to unlock the lock).
I hope there is a proper solution. I need my Time machine working back

mikolajjj wrote:
Yep, I tried that too As I wrote, on the new administrator account I also cannot unlock the lock.
Why do you think should I take my Mac to Apple Store? Does it seems to you as a hardware problem? Or do they have some tricky ways to undo everything?
Acctually I found kind of a tricky way on a web, but I follow its steps as a monkey so again with no succes. These are unix commands to abstract for me. Do you understand the logic? Do you think it might help with my problem?
Or maybe I can login as root (somehow) and that could let me change password of my account?
I understand that all the usual methods have failed for you, even though they work everytime for me, that being said there are only 2 reasons for this, there is something else wrong with your Mac or you are not able to type the commands as needed (I am not choosing which, just stating the obvious).
Either way you now need hands on help, I do not advise tampering with the machine as the Root User, mistakes in Root mode will certainly make things worse.

Domain Administrator account being locked up by PDC

Hi everyone,
My PDC is locking up my domain administrator (administrateur in french) account.
System event logs :
The SAM database was unable to lockout the account of Administrateur due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please
consider resetting the password of the account mentioned above.
Level : Error
Source : Directory-Services-SAM
Event ID : 12294
Computer : Contoso-PDC
User : System
There is absolutely no events in the security events log, not a single "Audit Failure" event for the "administrateur" account.
I tried to change the name of the domain administrator account from "administrateur" to "administrator".
Now there is "Audit failure" events poping up in the security event logs.
Once again the Source Workstation is the PDC. I guess those events are there because it receive credential validation for an account who doesn't exist anymore since it have been renamed in "Administrator".
Here is the detail log :
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Administrateur
Account Domain: CONTOSO
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: CONTOSO-PDC
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
On the PDC i checked :
Services : None of them are started with the "administrateur" account
Network Share : There is no network share ...
Task Scheduler : None of the tasks are launch with the "administrateur" account.
And the logon type (3:network) seem to indicate that the login comes from an other computer but i have nothing to look for, not a single IP.
Any ideas?
ps : Sorry for the probable english mistakes :(

Hi,
Thanks for you answers.
San4wish :
Lockout tool confirm that the domain administrator account is locked on my PDC. I didn't run eventcomb but i though it only helped parsing security event logs which i did "manually". Anyway i'll try eventcomb after this week end.
About the conficker worm : I looked into it and this worm was exploiting a vulnerability in the server service. It have been patched by MS08-067 (KB958644) and this kb isn't available for Windows 2008 R2 and Windwos 2012 so i guess Windows 2008 R2 have
fixed this vulnerabilty.
So i doubt its a conficker type worm.
Also i gave the PDC role to another DC (let's call him DC2) and now DC2 is locking the administrator account so it seems that the computer locking the account is doing it through the network and it's not something executed on the DCs.

How can I unlock Administrator Account?

Good day everyone,
I have installed an instant of NW200S sneak preview in my local XP machine. Accidentally I have locked the administrator account by trying a couple of times to login into EP with a wrong password.
Is there anyway to unlock the administrator account?
Tawfeeq Baloush

Hi Tawfeeq,
in table USR02 set field UFLAG to 0 for this user.
Regards,
Pieter

After trying to change permissions on my computer so others on my network can access files, my external Hard Drive has a lock on it and I can't access files. I've tried repairing permissions, logging in under another Administrator account, using Terminal

After trying to change permissions on my computer so others on my network can grab files, my external Hard Drive has a lock on it and I can't access files. I've tried repairing permissions, logging in under another Administrator account, using Terminal to fix the problem, downloaded BatChmod but nothing works… Any other suggestions? I have an Imac running OS10.6.8.

There is suddenly a lock icon on my external backup drive!
Custom Permissions

ABAP+JAVA System Copy -- Administrator account getting locked

Hi,
I am in the process of doing system copy of my portal to a new server. As per the SAP instructions, I had updated the JDK and SP levels of my EP to the latest supported ones.
Now when i am doing JAVA Add-in Export of my system, SAPinst is throwing error that --
"Error connecting to http://Entportal:50000/sap/monitoring/SystemInfoServlet. The provided user data might be incorrect or user might be locked.:
and when I check the "administrator" user account, it is getting locked. Even though I manually unlock it and update the password is secure storage, still when I run SAPinst, again it is getting locked. I have also chnged the path of my temporary directory to c:\temp which has no spacees in it, according to SAP instructions.
I have raised the issue through OSS, but still, in the mean time can sombody help me?
Regards,
Mandar

Hi Akshay,
I am not using any ID. SAPInst itself is trying to access systeminformationservlet using administrator account. at this stage it is failing to get the correct password and thats why my administrator account is getting locked.
Regards,
Mandar.

Administrator account locked/password was changed

Hi All,
Administrator account locked/password was changed. Is there any way to see the logs to see when this happened or by whom?
Any way to lock this down then it can't be changed by another administrator account? Limit it so it can only be seen/changed by some people like A or B?
Regards
Trilochan

Hi,
I am able to see the log but we are having trouble reading them. They are not very straightforward i got some inforamtion about what a log contains in following link but the format is different from here.
http://help.sap.com/saphelp_nw04/helpdata/en/03/37dc4c25e4344db2935f0d502af295/frameset.htm
We are getting the log in this format so not able to find when and by whom.
#1.5 #0017A438CB3C00240000023400001F1C00047F7D19D6AFB9#1266075187981#/System/Security/Usermanagement#sap.com/irj#com.sap.security.core.persistence#Guest#0####15e3ebd018b511df8b390017a438cb3c#SAPEngine_Application_Thread[impl:3]_0##0#0#Warning#1#com.sap.security.core.persistence#Java###Authentication failed on LDAP server: back end message #1#[LDAP: error code 49 - Invalid Credentials]#
#1.5 #0017A438CB3C00240000023500001F1C00047F7D19D79CBB#1266075188044#/System/Security/Audit#sap.com/irj#com.sap.security.core.util.SecurityAudit#Guest#0####15e3ebd018b511df8b390017a438cb3c#SAPEngine_Application_Thread[impl:3]_0##0#0#Warning#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | LOGIN.ERROR | NONE = null | | Login Method=[default], UserID=[jb99532], IP Address=[64.25.25.7], Reason=[Authentication did not succeed.]#
#1.5 #0017A438CB3C001D000001E700001F1C00047F7D1D2D5575#1266075243998#/System/Security/Audit#sap.com/irj#com.sap.security.core.util.SecurityAudit#Guest#0####37476fe018b511dfc25b0017a438cb3c#SAPEngine_Application_Thread[impl:3]_16##0#0#Warning#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | USERACCOUNT.MODIFY | USERACCOUNT = UACC.CORP_LDAP.066277700 | | SET_ATTRIBUTE: lastpasswordchange=[0001266075243920], SET_ATTRIBUTE: passwordchangerequired=[false]#
Regards
Trilochan

Administrator Account locked

hi,
in our Portal the Administrator Account gets locked every 2-3 hours. we also change the password in the secure store.
is there a chance to find out, why? a central log or something? i can't analyze every log, because we have 7 instances with each 4 servers.

Hi Andre
If you check the security logs in j2ee/cluster/server<n>/log/system, when the user gets locked you will see log entries from the failed authentication attempt, and more information including hopefully the IP address of the machine where the request comes from, and the login module stack used during the authentication. Maybe this information will help isolate the origin of the invalid administrator password.
An alternative approach, which is dependent on the version of the AS Java is to activate some tracing.
There is a new trace location available for problems such as this - com.sap.security.core.locking
You can get the info from this location by adding it to the Log Configurator service in the Visual Administrator if it is available, and adjusting the severity accordingly. Then examine the defaultTraces when the user gets locked
However it is easier in this case to use the web diagtool. Follow note 1045019 to deploy the web diagtool, if not done before
Then to start the trace, follow example 2 and add just com.sap.security.core.locking and start the trace. The potential problem here is that the diagtool will be running for 2-3 hours while you wait for the user to be locked, however hopefully by just tracing location com.sap.security.core.locking the resultant log will not be too large. The diagtool will capture traces from all servers in a system
If the location is not available in the diagtool then perhaps it is not available for your system SP
When the user is locked, hopefully the trace will give you information about the origin IP, the stack trace and the auth stack used

Built-in Domain Administrator Account Repeated Locks

This account was disabled years ago and is not used. However, event 4740 are regularly generated, It shows the calling computer name as one of our servers. So, I logged into the that server and look in the local security event log and there
are no references to account lockouts at the time the 4740s are generated on the domain controllers.
I checked for services running on the server using administrator credentials and I checked for scheduled tasks using administrator credentials and I don't see anything on the server listed as caller computer.
I renamed the "User logon name" for this account to something different so that would not longer be a match if something is try to authenticate using the logon name of "administrator." However, this has not helped. The account
still generates the 4740.
I checked the domain "Administrator" account again today and it was no longer disabled. So, I disabled it again and will see if it still gets locked out again in the next 24 hours.
How can an account with the user id changed still get locked out? It seems very strange that the account can be locked out when the user name no longer matches anything that could have ever had that user id saved.
What can be done to fix this issue?

hi,
If possible please do the following steps.
Note: here I have taken user account name as User1
1.Using ADSIEDIT changed the value of UserAccountControl attribute of the User1 account to 66082(numerical) i.e. 0x10222(in hex) and disabled it which is the sum of the following attributes:
a. ACCOUNTDISABLE; PASSWD_NOTREQD; NORMAL_ACCOUNT; DONT_EXPIRE_PASSWORD
b.
It’s current value was 0x10202 aka 66050 in dec (I believe this implies ACCOUNTDISABLE | NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD)
2.   Then for the account (in ADUC) do the following:
a. Unchecked the "user cannot change password" -> OK
b. Right-clicked on the
‘user1’ account and selected reset password and kept it blank and clicked OK
i.
This step is to set a NULL password for the User1 account and keep it disabled
c.
Right-clicked on the User1 account and checked the "user cannot change password" again
https://support.microsoft.com/en-us/kb/305144?wa=wsignin1.0

Administrator Account locked on Netweaver 7.1 Java Stack

Hello all,
I try to find a possibility how I can unlock the administrator account in Netweaver Java stack 7.1
We do not have a double stack ABAP / JAVA installed so the solution with the SAP * falls off, I think
What should I do so I can unlock the administrator account in Java ?
Thanks in advance
Best regards
Vito

Hi Prabhat,
I have found a link which described my problem
the emergency user is actually the SAP* User
http://help.sap.com/saphelp_nwce711/helpdata/en/0b/50ad3e1d1edc61e10000000a114084/frameset.htm
Thanks
Best regards
Vito
Edited by: Vito Cecere on Jul 13, 2011 1:27 PM

Unable to log into administrator account after software update

I've done a clean installation of server 10.5 on a G5 Xserve using the simplified "workgroup" setting. Created a named administrator account as part of the setup. Once passed the initial setup screens I did a software update to 10.5.8. After reboot I'm locked out of the named administrator account. I can still log in as root and localadmin using the same password. However, I don't see any accounts listed under the Users tab in Server Preferences. I've done nothing to this system other than answer a few standard questions during install and then update software.
This result is repeatable as I tried simply reinstalling the server OS figuring I must have done something wrong the first time. In fact the reason I'm reinstalling in the first place is related to this problem. Something caused all my admin and user accounts to go away on the original server setup. Couldn't figure it out so I decided to do a fresh install. I realize now it was likely related to a software update.
When logged in as root and using Console I see errors like "'No LDAP Master' while processing a command of type: 'readSettings' in plug-in: 'servermgr_accounts'". I'm a newbie to the server world and I'm not sure what that means.
There should be nothing remotely fancy going on here. Simply a stand alone server getting a fixed IP from a router. A single admin account, no directory services. Before the software update everything seemed fine.
Any help would be appreciated.

Hi,
I have same issue and i have resolve so.
login as root and password
Verify if you have in /Users/xyz : your admin home folder
if yes, create a new user with : Preference System, Account, create new user
set as Administrator, give same name as your /Users/xyz home folder
then click OK, a message will appeart that the folder exist, click YES.
that's resolve my issue

How do I enable the administrator account for FTP use.

I utilized an FTP enabler software to enable FTP on my Mac. And I can FTP into the subaccounts on my Mac but I can not do so with the Main administrator account (mine). So I went into terminal to test the Main Administrator, I get the following message. I'm lost as to what to do to enable FTP with the Administrator account.
Name (192.168.1.9:Administrator): Administrator
331 User Administrator accepted, provide password.
Password:
530 User Administrator may not use FTP.
ftp: Login failed
What I'm trying to do is to be able to scan documents from my Xerox Printer to all the Macs in our home. I have set up my wife's and daughter's Macs to allow for scanning documents to their accounts on their Macs. They each are sub accounts as I am the Administrator for their Macs. Additionallly, I created a subaccount on my Mac and I'm able to scan to it as well. But when I try to scan to my Administrator account, it won't work.
Any help would be appreciated. I'm using Mountain Lion on all 3 Macs with the latest version. I enabled FTP on all 3 Macs.

Thanks for your suggestions but it was more complicated than what you suggested. I was finally able to find a guy at xerox that was able to resolve the issue. I believe it involved changing some settings deep inside the bowels of the programming code much like the old days of using MS DOS to change internal settings on a PC. I watched him do it on my screen and it involved deleting the administrator account from being locked down within the O/S.
Regardless, thanks for the suggestion.

How do I create a new administrator account?

I want to create a new administrator account and then move everythng (files, etc.) over to the new account. Then I would delete the old account.
How do I do that? I am running 10.7.5 on a Macbook Pro.
Thanks,
Catherine

Open System Preferences / Users & Groups with your current admin account.
Click the Lock icon (lower left) to unlock Users & Groups.
Click the "+" sign to add a new user. Select Administrator from the dropdown user type.
Enter the new user's name and password.
You will have to give yourself access to the folders of the new User, otherwise you can't copy files to them. You may also have to change permissions on each file in your folders so your new user has Read/Write access.

MDT 2012 - Litetouch deploy windows 8 with different administrator account

I have created and captured a custom image of Windows 8 using MDT2012 update 1 and Windows ADK (without SCCM). In the image, I have set an account called DeployUser, with password XXX, adding it to the Administrators group, and I have disabled the User
Account Control.
I did this because the Administrator account is renamed from GPO and the password is changed every 30 days (for security reasons, the password is not disclosed to any IT support).
Next, I created a TS to deploy this image, adding the installation of some software.
In the Unattend.xml, I also added DeployUser to perform the autologon.
After the first logon with DeployUser, the TS stops and does not return any error message.
If I manually run C: \ ProgramData \ Microsoft \ Windows \ Start Menu \ Programs \ Start-up \ LiteTouch.lnk nothing happens, however, if I run it with "Run as Administrator", the TS continues normally.
Somebody who knows a solution for this?

I believe MDT LiteTouch deployments only recognize the Administrator account name for processing task sequences.
Are you joining the domain during an MDT Litetouch deployment? If so, you may want to delay joining to a domain or GPO processing. Take a look at these recommendations:
Domain Policies that break MDT 2010
It may also be possible to disable GPO processing until the end of the taks sequence via a reghack or disabling a service. Take a look at this:
How to Disable/Enable Group Policy
BTW, the task sequence engine in ConfigMgr prevents GPO processing during an OSD.
V/R, Darrick West - Senior Systems Engineer, ConfigMgr: OSD

Set Password Policy For System Administrator Account in UCCE Servers

Hi All,
We want to setup a password policy ( expires in 30 days) for the local administrator account in all our UCCE servers.
We found that the all the UCCE services are running in local system account except logger and distributor( these services are running in domain user account).
Is it a supported configuration ? Are there any impacts with this setting ?
Thanks a lot in advance!
Thanks and Regards,
Thammaya

Hi,
what is the UCCE (~ ICM) version? Is there OS hardening applied?
By the way, yes, if you mean the local "administrator" account, you can do whatever you want to do with it, provided you don't lock yourself out - this should not happen, naturally, having all ICM servers in the domain and you can always use the domain admin (or a user belonging to the domain admins group).
By the way, I don't really see the meaning of having a local administrator account being enabled. :-)
G.

Prevent locking of Administrator account

Similar Messages

Maybe you are looking for