March 28, 2015

Restore Access to an Administrator Account

By: Craig Taylor


For additional security, one of the first things I do when beginning work on a new Sitecore site is to remove the 'standard' "sitecore\admin" account (whose default password, "b", is public knowledge) and instead create a new administrator account with a different name (and password, of course!).  After doing this recently, we ran into a problem when the password for the new account was . . . lost.

Existing Functionality

There are some Sitecore tools designed to help manage accounts and access when the administrator user is unable to log in.  Unfortunately, these tools assume both that the account in question is the 'standard' "sitecore\admin" account and that you haven't lost the password, but have merely been locked out of the account.  See John West's post regarding some common ways to get back in.

As John mentions, when the administrator password has been lost, you can simply log in with another account with administrator access in order to reset the password of the first account.  In our case, we only had one administrator account and had no way to get in otherwise.

The solution is to modify an existing tool.

Modify the "unlock_admin.aspx" Page

The "unlock_admin.aspx" page can be found at "/sitecore/admin/unlock_admin.aspx".  Unsurprisingly, the purpose of this page is to unlock the "sitecore\admin" account.  What we need to do is use this page to grab our own administrator user and reset its password.  The existing code only clears the lockout on the standard admin account:

// Original: clear the lockout flag on the built-in admin account
Membership.GetUser("sitecore\\admin").UnlockUser();

You can instead replace this with code that will set a password on any account in Sitecore:

// Look up our own administrator account (the domain prefix is part of the user name)
MembershipUser mu = Membership.GetUser("sitecore\\[Your Administrator Account]");
// ResetPassword() assigns a random password we never see; ChangePassword() immediately replaces it with ours
mu.ChangePassword(mu.ResetPassword(), "[Your New Password]");

This code takes advantage of the .NET membership provider to change the password of the specified account: ResetPassword() has the provider generate a new random password (which requires the provider's enablePasswordReset setting to be on and requiresQuestionAndAnswer to be off), and ChangePassword() immediately swaps that random value for the one you chose, which must satisfy the provider's password policy (minimum length, minimum non-alphanumeric characters, and so on).  Enable the button, view the page in the browser, click the button and you're done!  The password is changed and you can now log back in!

Just try not to lose the password this time.

Note: As John mentions in his post, always remember to go back and disable the 'unlock' button.  Also, while I have provided a solution that resets an administrator account password, please don't deploy this file.  It should only be used temporarily to get back into Sitecore.
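The two-line reset above works, but it fails with an unhandled exception (and a stack trace served to whoever is browsing) if the user name is wrong, password resets are disabled on the provider, the account is also locked out, or the new password violates the password policy, and while the file is on disk anyone who can reach /sitecore/admin/ can click the button.  The following is an added example, my own code rather than Craig's snippet or anything shipped with Sitecore, of a hardened version for a temporary copy of unlock_admin.aspx.  It only acts on requests made from the web server itself, checks the provider's settings before calling ResetPassword(), unlocks the account first, and reports failures as text.  It assumes only the standard ASP.NET membership API (System.Web.Security.Membership) that Sitecore's providers implement; the class name, the control names ResetButton and StatusLabel, and the two placeholder constants are assumptions of this example.

```csharp
// Added example (not code from the original post or from Sitecore): a hardened
// replacement for the two-line reset, for a TEMPORARY copy of unlock_admin.aspx.
// Assumes the standard ASP.NET membership API (System.Web.Security.Membership);
// the class name and the control names ResetButton/StatusLabel are assumptions.
using System;
using System.Configuration.Provider;
using System.Web.Security;
using System.Web.UI;

public partial class TemporaryPasswordReset : Page
{
    // Placeholders, as in the original snippet: fill in, run once, delete the file.
    private const string AccountName = "sitecore\\[Your Administrator Account]";
    private const string NewPassword = "[Your New Password]";

    protected void ResetButton_Click(object sender, EventArgs e)
    {
        // Nothing in /sitecore/admin/ is protected for you, so refuse to do
        // anything unless the browser is running on the web server itself.
        if (!Request.IsLocal)
        {
            Response.StatusCode = 403;
            Response.End();
        }

        StatusLabel.Text = ResetAccountPassword(AccountName, NewPassword);
    }

    // Performs the reset and returns a one-line result instead of letting an
    // exception (and its stack trace) surface on a page that may be reachable
    // from the internet.
    internal static string ResetAccountPassword(string accountName, string newPassword)
    {
        MembershipProvider provider = Membership.Provider;

        // ResetPassword() is only usable when the provider permits resets and
        // does not demand a security answer; check before calling it.
        if (!provider.EnablePasswordReset)
            return "Provider '" + provider.Name + "' has enablePasswordReset=\"false\"; nothing done.";
        if (provider.RequiresQuestionAndAnswer)
            return "Provider '" + provider.Name + "' requires a question and answer; a blind reset is not possible.";

        // GetUser returns null (it does not throw) when the name is wrong,
        // e.g. when the "sitecore\" domain prefix is missing.
        MembershipUser user = Membership.GetUser(accountName);
        if (user == null)
            return "No such user: " + accountName;

        try
        {
            // The SqlMembershipProvider refuses to reset a locked-out account,
            // so clear the lockout first (this is all the stock page did).
            if (user.IsLockedOut)
                user.UnlockUser();

            // The provider generates a random password that we never see, then
            // ChangePassword swaps it for the chosen one in the same request.
            string temporary = user.ResetPassword();
            if (!user.ChangePassword(temporary, newPassword))
                return "ChangePassword returned false; the account may still be locked out or not approved.";
        }
        catch (ArgumentException ex)
        {
            // Thrown when the new password violates the provider's policy
            // (minRequiredPasswordLength, minRequiredNonalphanumericCharacters,
            // passwordStrengthRegularExpression).
            return "New password rejected: " + ex.Message;
        }
        catch (ProviderException ex)
        {
            // Provider-level refusal, e.g. the account is locked out or the
            // user row disappeared between GetUser and the reset.
            return "Provider error: " + ex.Message;
        }

        return "Password changed for " + accountName + ". Now disable the button and remove this file.";
    }
}
```

Wire ResetButton_Click to the page's button, browse to the page from a session on the server itself (a remote request gets a 403 and does nothing), click once, and then delete the file; the Request.IsLocal gate limits the blast radius while the file exists, but it is no substitute for removing it.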

1 comment:

  1. It may be worth noting that Sitecore does not appear to protect the entire /sitecore/admin subdirectory, or this would not be possible (you would need a Sitecore username and password to access the unlock page). It appears to be the responsibility of each page in this subdirectory to protect itself as appropriate. For example, ShowConfig.aspx inherits from a base class that defines a CheckSecurity() method, and explicitly invokes that method.
