Restoring Administrative Access to the Sitecore ASP.NET CMS

This blog post lists various approaches that you can use to restore administrative access to a solution based on the Sitecore ASP.NET web Content Management System (CMS).

You can lose administrative access to a Sitecore system in a number of ways (I've seen this issue at least twice just in the last two weeks). You can:

  • Enter the wrong password for an administrator too many times, locking that user out of the system.
  • Forget the username of the administrator.
  • Forget the password for the administrator.
  • Delete the administrator.

Depending on the specific circumstances, you have a number of options:

  • Use the /sitecore/login/passwordrecovery.aspx page to retrieve a lost password. This page does not require authentication, but it does require that the user have a valid email address configured, that the Login.DisablePasswordRecovery setting in the Web.config file be false (it is false by default), and that an email server be configured.
  • Use the /sitecore/admin/unlock_admin.aspx page to unlock the administrator. You do not need to authenticate to access this page, but you do need to edit it to set the enableUnlockButton variable to true. By default this page unlocks the default sitecore\admin user, but you can update sitecore\\admin in this file to specify a different user. Remember to revert these changes afterwards.
  • Log in to Sitecore as a different user that is either a Sitecore administrator or a user with appropriate permissions, and use the User Manager to determine the username or reset the password of the administrator, or create another administrator.
  • Write scripts (.aspx files) to create users, change passwords for existing users, make existing users administrators, or otherwise. I do not want to provide sample scripts in public, but the Sitecore Security API Cookbook linked at the bottom of this page should contain the necessary information. You can also contact Sitecore support to request such scripts (for the fastest response, reference case #377855 if you do). Either way, remember to delete the scripts afterwards.
  • Restore the Core database from the appropriate Sitecore distributive. This could work for some development environments, but would remove any users and roles created since installation, as well as any modifications made previously to items in the Core database.
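
Both recovery pages in the list above work without authentication, so after a recovery it is worth confirming that the unlock flag was reverted and checking whether password recovery is still switched on. The PowerShell audit below is an added example, not code from the original post or from Sitecore; the sample file contents, the `userName` variable and the `<setting name="..." value="..." />` layout assumed for Web.config are constructed for illustration.

```powershell
# Added audit example. Both samples below are constructed, not copied from Sitecore.
$sampleUnlockPage = @'
<script runat="server">
  private bool enableUnlockButton = true;        // left enabled after a recovery
  private string userName = "sitecore\\admin";   // hypothetical variable name
</script>
'@
$sampleWebConfig = @'
<configuration><sitecore><settings>
  <setting name="Login.DisablePasswordRecovery" value="false" />
</settings></sitecore></configuration>
'@

function Get-UnlockPageState {
    param([string]$PageSource)
    # Assumption: the flag appears as "enableUnlockButton = true" or "= false".
    $enabled = $null
    if ($PageSource -match '\benableUnlockButton\s*=\s*(true|false)\b') {
        $enabled = $Matches[1] -eq 'true'
    }
    # Collect quoted domain\\user literals (backslash doubled inside the file).
    $users = @([regex]::Matches($PageSource, '"([\w.-]+)\\\\([\w.-]+)"') |
        ForEach-Object { '{0}\{1}' -f $_.Groups[1].Value, $_.Groups[2].Value })
    [pscustomobject]@{ Enabled = $enabled; Users = $users }
}

function Test-PasswordRecoveryEnabled {
    param([xml]$Config)
    $node = $Config.SelectSingleNode("//setting[@name='Login.DisablePasswordRecovery']")
    # The setting is false by default, so a missing element means recovery is available.
    if ($null -eq $node) { return $true }
    return $node.GetAttribute('value') -ne 'true'
}

function Get-RecoveryFindings {
    param([string]$PageSource, [xml]$Config)
    $state = Get-UnlockPageState $PageSource
    if ($state.Enabled) {
        "unlock_admin.aspx: enableUnlockButton is true; unauthenticated unlock of $($state.Users -join ', ')"
    } elseif ($null -eq $state.Enabled) {
        "unlock_admin.aspx: enableUnlockButton not found; review the page by hand"
    }
    if (Test-PasswordRecoveryEnabled $Config) {
        "Web.config: Login.DisablePasswordRecovery is not true; passwordrecovery.aspx is available without authentication"
    }
}

# On a server, pass (Get-Content -Raw <path>) for each file instead of the samples.
Get-RecoveryFindings -PageSource $sampleUnlockPage -Config $sampleWebConfig
```

An empty result means the unlock flag is off and password recovery is disabled; a finding for the unlock page after maintenance has finished means the revert step was missed.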

Because Sitecore treats user names and role names as unique identifiers and references users and roles by those names, recreating a user should restore the access rights for that user completely, though some aspects of that user’s profile will have been lost.

If you create a Sitecore administrator user, be sure to create that user in the sitecore security domain. For example, instead of creating a user named admin, create a sitecore\admin user.

Of course, if you integrate Sitecore with Microsoft Active Directory, you can use the tools provided by that platform to manage users and passwords.