Resetting a lost administrator password
From time to time, you may need to access your FortiMail unit or change the administrator account’s password when no one with the existing password is available. If you have physical access to the device and a few other tools, the password can be reset.
This procedure requires a reboot of the FortiMail unit.
FortiMail versions 6.0.8 and 6.2.3 introduce a new CLI command allowing you to enable or disable administrator password recovery:
config system global
set admin-maintainer {enable | disable}
end
The following procedure requires admin-maintainer to be set to enable.
Administrators with physical access to a FortiMail unit can use a console cable and the maintainer administrator account to log into the CLI. The maintainer account allows you to log into a FortiMail unit if you have lost all administrator passwords.
Once logged into the FortiMail unit with the maintainer account, you can reset the passwords of super-admin profile accounts, or enter the execute factoryreset command to return the FortiMail unit to its default configuration. This can be useful if the admin administrator account was deleted.
The If this is an unacceptable risk in your environment (especially where the hardware is not physically secured), you can disable the command. However, if the feature is disabled and the password is lost with no one else able to log in as a super-admin, you will have no way to restore access.
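To review how this setting is configured in saved configurations, the following added example (not Fortinet's code) reads CLI-syntax configuration text and reports the admin-maintainer value found inside config system global. It assumes the saved configuration is plain text in the same config/set/end syntax shown above; the function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample, not output from a real unit.
SAMPLE = """\
config system global
    set hostname mail-gw-01
    set admin-maintainer disable
end
config system admin
    edit "admin"
    next
end
"""

SETTING = re.compile(r"set\s+admin-maintainer\s+(enable|disable)")


def maintainer_setting(config_text):
    """Return 'enable', 'disable', or None when the setting is not present."""
    stack = []      # names of the config blocks currently open
    found = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("config "):
            stack.append(line[len("config "):].strip())
        elif line == "end":
            if stack:
                stack.pop()
        elif stack == ["system global"]:
            # Only honour the setting at the top level of "config system global".
            match = SETTING.fullmatch(line)
            if match:
                found = match.group(1)
    return found


def assess(config_text):
    """Return (value, note) describing the recovery posture of one config."""
    value = maintainer_setting(config_text)
    if value == "enable":
        return value, "console recovery possible; unit must be physically secured"
    if value == "disable":
        return value, "no console recovery; keep a second super-admin account"
    return value, "not set explicitly; confirm the effective value on the unit"


if __name__ == "__main__":
    print(assess(SAMPLE))
```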
Requirements:
- Console cable
- Terminal software such as PuTTY (Windows) or Terminal (macOS)
- Serial number of the FortiGate device