Unlocking a superuser account

The system allows you to unlock or re-enable the superuser account by using either the management GUI or the command-line interface.

If the locked superuser account is required to complete a service or recovery action, the account must be re-enabled. Re-enabling the superuser account is possible under the following circumstances:
  1. If there is another user with the Security Administrator role, then that user can unlock the superuser account using the management GUI or the CLI.
  2. If Remote Support Assistance is enabled, then remote support personnel can connect to the system to perform service actions.
  3. If a dedicated technician port is available, you can unlock the superuser account by using that port. This requires physical access to the system. Connect to the system using the superuser account. The service GUI provides an option to unlock the superuser account; alternatively, use the service CLI to run the satask unlocksuperuser command.

Using the management GUI

To unlock or re-enable the superuser account using the management GUI, complete the following steps:
  1. Log in to the management GUI as a user with the Security Administrator role.
  2. Select Access > Users by Group.
  3. Right-click the superuser account under All Users and click Unlock.
  4. Select Settings > Security > Password Policies.
  5. Select Password expiration and account lockout and then deselect Allow locking of the superuser account.
    Note: Deselecting the Allow locking of the superuser account check box prevents both manual and automatic locking of the superuser account. Skip the above step to keep automatic locking of the superuser account enabled if automatic locking is also enabled system-wide.
  6. Click Save.

Using the command-line interface

To unlock or re-enable the superuser account using the command-line interface (CLI), complete the following steps:
  1. Log in to the CLI as a user with the Security Administrator role.
  2. To unlock the superuser account, run the following command:
    svctask chuser -unlock superuser
  3. To disable superuser locking, run the following command:
    svctask chsecurity -superuserlocking disable
    Note: Disabling superuser locking prevents both manual and automatic locking of the superuser account. Skip the above step to keep automatic locking of the superuser account enabled if automatic locking is also enabled system-wide.

The following table describes different use cases where the superuser account is locked and the possible recovery actions:

Locked superuser use case:
  The superuser account is locked after the specified number of failed login attempts for a specified lockout time period.
Recovery action:
  Wait for the specified time for the lockout to expire and then try to log in again.

Locked superuser use case:
  The superuser account is locked after the specified login attempts but an indefinite lockout was selected, or the superuser account is manually disabled because it is not intended for use.
Recovery action:
  Complete one of these tasks to unlock the superuser account:
  • Manually unlock the superuser account by using another account with the SecurityAdmin user role.
  • Create a remote support assistance request.
  • Use the technician port to access the service assistant GUI.
  • Use a USB to run (satask) commands. For more information, see satask.txt commands.

Locked superuser use case:
  The superuser account is locked after two person integrity (TPI) is enabled.
Recovery action:
  Complete one of these tasks to unlock the superuser account:
  • Disable TPI.
  • Request remote support assistance.
  • Use the technician port to access the service assistant GUI.