
Restarting the Master Server in Locksmith Mode

The secd -locksmith option starts secd in locksmith mode. This option can be used only on the master replica. In locksmith mode, the principal name that you specify to secd becomes the locksmith principal. As the locksmith principal, you can repair malicious or accidental changes that prevent you from logging in with full registry access privileges.

When you bring up a security server in locksmith mode, secd automatically creates a locksmith account or, if the locksmith account already exists, lets you supply a new password for that account. Once the security server is running, you can log in to the locksmith account (using the new password, if you changed it) and access the registry to change the account or policy information that may have prevented you from accessing the registry with your normal credentials.

In locksmith mode, all principals with valid accounts can log in and operate on the registry with normal access checking. The locksmith principal, however, is granted special access to the registry: no access checking is performed for the authenticated locksmith principal. This means that, as the locksmith principal, you can operate on the registry with full access.

More:

Automatic Changes to the Locksmith Account

Starting a Security Server in Locksmith Mode

Restarting a Security Server in Locksmith Mode