---
title: Configuring administrator accounts
description: An administrator account is any account in the user backend that is assigned one or more privileges or is given access to read and write operations beyond that of a normal user entry.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdirectory_server_administration_guide:pd_ds_config_admin_accounts
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectory_server_administration_guide/pd_ds_config_admin_accounts.html
revdate: September 13, 2023
page_aliases: ["pd_ds_setup_single_admin_account.adoc", "pd_ds_change_admin_password.adoc", "pd_ds_setup_admin_group.adoc"]
section_ids:
  setup_single_admin: Setting up a single administrator account
  about-this-task: About this task
  steps: Steps
  example: Example:
  example-2: Example:
  example-3: Example:
  example-4: Example:
  example-5: Example:
  example-6: Example:
  result: Result:
  example-7: Example:
  example-8: Example:
  changing-the-administrator-password: Changing the administrator password
  about-this-task-2: About this task
  steps-2: Steps
  example-9: Example:
  example-10: Example:
  example-11: Example:
  create_admin_group: Setting up an administrator group
  about-this-task-3: About this task
  steps-3: Steps
  example-12: Example:
  example-13: Example:
  example-14: Example:
  example-15: Example:
  example-16: Example:
  example-17: Example:
  result-2: Result:
  example-18: Example:
---

# Configuring administrator accounts

An administrator account is any account in the user backend that is assigned one or more privileges or is given access to read and write operations beyond that of a normal user entry.

The privilege mechanism is the same as that used for root distinguished name (DN) accounts and allows individual privileges to be assigned to an administrator entry.

Typically, administrator user entries are controlled by access control evaluation to limit access to the entire set of data in the directory information tree (DIT). You can grant fine-grained read and write access using the access control definitions available through the `aci` attribute. Administrator entries reside in the backend configuration, for example, `uid=admin,dc=example,dc=com`, and are replicated between servers in a replication topology.

The following examples show how to configure administrator accounts:

* The first procedure shows how to set up a single, generic `uid=admin,dc=example,dc=com` account with limited privileges.

  > Note: If you generated sample data at install, you can view an example `uid=admin` entry using `ldapsearch`.

* The second example shows a more realistic example where the user is part of the administrators group.

> Note: Both examples are based on a simple DIT. Actual deployment cases depend on your schema.

## Setting up a single administrator account

### About this task

To create an example of a single, generic administrator account:

### Steps

1. Create an LDIF file with an example administrator entry.

   #### Example:

   ```
   dn: uid=admin,dc=example,dc=com
   objectClass: person
   objectClass: inetOrgPerson
   objectClass: organizationalPerson
   objectClass: top
   givenName: Admin
   uid: admin
   cn: Admin User
   sn: User
   userPassword: password
   ```

2. To add the entry, use the `ldapmodify` tool.

   #### Example:

   ```shell
   $ bin/ldapmodify --defaultAdd --filename admin.ldif
   ```

3. To add the access control instruction (ACI) to the root suffix or base DN to give full access to the new administrator, create another LDIF file.

   > Note: The ACI grants full access to all user attributes, but not to operational attributes. To grant access to operational attributes as well as user attributes, use `(targetattr = "*||+")` in the access control instruction.

   #### Example:

   ```
   dn: dc=example,dc=com
   changetype: modify
   add: aci
   aci: (targetattr = "*")
     (version 3.0; acl "Grant full access for the admin user";
       allow (all) userdn="ldap:///uid=admin,dc=example,dc=com";)
   ```

4. To add the entry, use the `ldapmodify` tool.

   #### Example:

   ```shell
   $ bin/ldapmodify --filename admin.ldif
   ```

5. To verify the additions, use the `ldapsearch` tool.

   #### Example:

   In the following example, the first command searches for the entry with `uid=admin` and returns it if the search is successful. The second command performs a base-scope search of the base DN and, because of the `+` argument, returns only the operational attributes of that entry, which include its ACIs.

   ```shell
   $ bin/ldapsearch --baseDN dc=example,dc=com "(uid=admin)"

   $ bin/ldapsearch --baseDN dc=example,dc=com --searchScope base "(objectclass=*)" "+"
   ```

6. Add specific privileges to the administrator account. When you enter the change on standard input, as in the following example, press **CTRL-D** to process the modify operation.

   #### Example:

   For this example, add the `password-reset` privilege to the administrator account from the command line.

   ```shell
   $ bin/ldapmodify
   dn: uid=admin,dc=example,dc=com
   changetype: modify
   add: ds-privilege-name
   ds-privilege-name: password-reset
   ```

   #### Result:

   ```
   Processing MODIFY request for uid=admin,dc=example,dc=com
   MODIFY operation successful for DN uid=admin,dc=example,dc=com
   ```

7. Assign a password policy for the administrator account.

   #### Example:

   Create an `Admin Password Policy` with `dsconfig`; the next step adds the policy to the account.

   ```shell
   $ bin/dsconfig create-password-policy \
     --policy-name "Admin Password Policy" \
     --set "description:Password policy for administrators" \
     --set password-attribute:userpassword \
     --set "default-password-storage-scheme:Salted SHA-256" \
     --set password-change-requires-current-password:true \
     --set force-change-on-reset:true \
     --set "max-password-age:25w 5d" \
     --set grace-login-count:3 \
     --no-prompt
   ```

8. To apply the password policy to the account, run the `ldapmodify` command.

   #### Example:

   Execute the `ldapmodify` command with a bind DN that has sufficient rights, such as a root DN, as in the following example.

   ```shell
   $ bin/ldapmodify
   dn: uid=admin,dc=example,dc=com
   changetype: modify
   add: ds-pwp-password-policy-dn
   ds-pwp-password-policy-dn: cn=Admin Password Policy,cn=Password Policies,cn=config
   ```

## Changing the administrator password

### About this task

Root users are governed by the root password policy, and by default their passwords never expire. To change a root user password, use the `ldappasswordmodify` tool.

### Steps

1. Open a text editor and create a text file containing the new password.

   #### Example:

   For this example, name the file `rootuser.txt`.

   ```shell
   $ echo password > rootuser.txt
   ```

2. To change the root user's password, run `ldappasswordmodify`.

   #### Example:

   ```shell
   $ bin/ldappasswordmodify --port 1389 --bindDN "cn=Directory Manager" \
     --bindPassword secret --newPasswordFile rootuser.txt
   ```

3. Remove the text file.

   #### Example:

   ```shell
   $ rm rootuser.txt
   ```

## Setting up an administrator group

### About this task

The following example shows how to set up a group of administrators that have access rights to the whole PingDirectory server.

> Note: The example uses a static group using the `GroupOfUniqueNames` object class.

### Steps

1. Create an LDIF file with an example administrator group.

   #### Example:

   For this example, name the file `admin-group.ldif`.

   ```
   dn: ou=Groups,dc=example,dc=com
   objectClass: organizationalunit
   objectClass: top
   ou: Groups

   dn: cn=Dir Admins,ou=Groups,dc=example,dc=com
   objectClass: groupofuniquenames
   objectClass: top
   uniqueMember: uid=user.0, ou=People, dc=example,dc=com
   uniqueMember: uid=user.1, ou=People, dc=example,dc=com
   cn: Dir Admins
   ou: Groups
   ```

2. To add the entries, use the `ldapmodify` tool.

   #### Example:

   ```shell
   $ bin/ldapmodify --defaultAdd --filename admin-group.ldif
   ```

3. To add the ACI to the root suffix or base DN to provide full access to the PingDirectory server to the new administrator, create another LDIF file.

   #### Example:

   For this example, name the file `admin-aci.ldif`.

   ```
   dn: dc=example,dc=com
   changetype: modify
   add: aci
   aci: (target="ldap:///dc=example,dc=com")
     (targetattr != "aci")
     (version 3.0; acl "allow all Admin group";
       allow(all) groupdn = "ldap:///cn=Dir Admins,ou=Groups,dc=example,dc=com";)
   ```

4. To add the ACI, use the `ldapmodify` tool.

   #### Example:

   ```shell
   $ bin/ldapmodify --filename admin-aci.ldif
   ```

5. To verify the additions, use the `ldapsearch` tool.

   #### Example:

   In the following example, the first command searches for the entry with `cn=Dir Admins` and returns it if the search is successful. The second command performs a base-scope search of the base DN and, because of the `+` argument, returns only the operational attributes of that entry, which include its ACIs.

   ```shell
   $ bin/ldapsearch --baseDN dc=example,dc=com "(cn=Dir Admins)"

   $ bin/ldapsearch --baseDN dc=example,dc=com --searchScope base \
     "(objectclass=*)" "+"
   ```

6. To add specific privileges to each administrator account, use an LDIF file.

   #### Example:

   For this example, name the file `admin-priv.ldif`.

   Use the file to add the `password-reset` privilege to the `user.0` administrator account with the `ldapmodify` tool. Repeat the process for the other administrators configured in the administrator group.

   ```
   dn: uid=user.0,ou=People,dc=example,dc=com
   changetype: modify
   add: ds-privilege-name
   ds-privilege-name: password-reset
   ```

   ```shell
   $ bin/ldapmodify --filename admin-priv.ldif
   ```

   #### Result:

   ```
   Processing MODIFY request for uid=user.0,ou=People,dc=example,dc=com
   MODIFY operation successful for DN uid=user.0,ou=People,dc=example,dc=com
   ```

7. To assign a password policy for the administrator account, use an LDIF file. Save the file as `admin-pwd-policy.ldif`.

   #### Example:

   Create an `Admin Password Policy` (as with `dsconfig` in the single administrator procedure), then add the password policy to the `user.0` account with the `ldapmodify` tool.

   ```
   dn: uid=user.0,ou=People,dc=example,dc=com
   changetype: modify
   add: ds-pwp-password-policy-dn
   ds-pwp-password-policy-dn: cn=Admin Password Policy,cn=Password Policies,cn=config
   ```

   ```shell
   $ bin/ldapmodify --filename admin-pwd-policy.ldif
   ```
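The two ACIs on this page (step 3 of the single administrator procedure and step 3 of the administrator group procedure) differ in scope in ways that matter before they are loaded: one grants `all` on `*` to a single user DN with no `target`, the other grants `all` to a group DN but explicitly excludes the `aci` attribute, and the note under the first procedure introduces the `*||+` form that also covers operational attributes. The following script is an added example, not code from the PingDirectory documentation or product. It parses the ACI strings copied from the page (plus a constructed `*||+` variant) into a structured form and prints the review points a directory administrator should confirm: the scope, whether operational attributes are covered, the bind subject, and whether the subject is prevented from rewriting `aci`. The parser covers only the subset of ACI syntax used on this page (`target`, `targetattr`, the `acl` name, and `allow`/`deny` clauses with a `userdn` or `groupdn` bind rule); the helper names and the `Aci` dataclass are this example's own.

```python
"""Parse and review the ACIs used on this page (added example, not from PingDirectory)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Copied from the page: step 3 of the single administrator procedure.
SINGLE_ADMIN_ACI = (
    '(targetattr = "*")'
    '(version 3.0; acl "Grant full access for the admin user";'
    ' allow (all) userdn="ldap:///uid=admin,dc=example,dc=com";)'
)
# Copied from the page: step 3 of the administrator group procedure.
GROUP_ACI = (
    '(target="ldap:///dc=example,dc=com")'
    '(targetattr != "aci")'
    '(version 3.0; acl "allow all Admin group";'
    ' allow(all) groupdn = "ldap:///cn=Dir Admins,ou=Groups,dc=example,dc=com";)'
)
# Constructed variant using the "*||+" form from the page's note.
OPERATIONAL_ACI = SINGLE_ADMIN_ACI.replace('"*"', '"*||+"')

# (allow|deny, rights, bind-rule keyword, bind-rule value)
Rule = Tuple[str, List[str], str, str]


@dataclass
class Aci:
    name: str
    target: Optional[str]
    attr_op: str          # "=" lists covered attributes, "!=" lists excluded ones
    attrs: List[str]
    rules: List[Rule] = field(default_factory=list)


_TARGET = re.compile(r'\(target\s*=\s*"([^"]*)"\)')
_TARGETATTR = re.compile(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)')
_ACL = re.compile(r'acl\s+"([^"]*)"')
_RULE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*(userdn|groupdn)\s*=\s*"([^"]*)"\s*;')


def parse_aci(text: str) -> Aci:
    """Parse the ACI subset used on this page; raise ValueError on anything else."""
    m = _TARGETATTR.search(text)
    if m is None:
        raise ValueError("ACI has no targetattr clause")
    op, raw = m.groups()
    target = _TARGET.search(text)
    acl = _ACL.search(text)
    rules: List[Rule] = [
        (kind, [r.strip() for r in rights.split(",")], how, who)
        for kind, rights, how, who in _RULE.findall(text)
    ]
    if not rules:
        raise ValueError("ACI has no allow/deny clause with a userdn/groupdn bind rule")
    return Aci(
        name=acl.group(1) if acl else "",
        target=target.group(1) if target else None,
        attr_op=op,
        attrs=[a.strip() for a in raw.split("||")],
        rules=rules,
    )


def review(aci: Aci) -> List[str]:
    """Review points to confirm before adding the ACI to the DIT."""
    out = []
    # Without a target clause the ACI applies from the entry holding it downward.
    out.append("scope: " + (aci.target or "entry holding the aci and everything below it"))
    if aci.attr_op == "=":
        # Per the page's note, "*" covers user attributes only; "+" adds operational ones.
        ops = "included" if "+" in aci.attrs else 'NOT included ("+" absent)'
        out.append(f"operational attributes: {ops}")
    for kind, rights, how, who in aci.rules:
        if kind != "allow":
            continue
        out.append(f"{how} {who}: allow {','.join(rights)}")
        if aci.attr_op == "!=" and "aci" in aci.attrs:
            out.append("aci attribute excluded: subject cannot rewrite its own access control")
        elif "all" in rights:
            out.append("allow (all) without an aci exclusion: confirm the subject "
                       "cannot write the aci attribute before deploying")
    return out


if __name__ == "__main__":
    for label, text in (("single admin", SINGLE_ADMIN_ACI), ("group", GROUP_ACI),
                        ("operational variant", OPERATIONAL_ACI)):
        aci = parse_aci(text)
        print(f"== {label}: {aci.name}")
        for line in review(aci):
            print("  " + line)
```

Run it as a file to print the three reviews; to check an ACI you are about to load, paste the `aci:` value (with the LDIF continuation lines joined) into `parse_aci`. The `aci` attribute is operational, so after loading you can only see it with the `+` search shown in the verification steps above.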
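Steps 6 and 7 of the administrator group procedure are repeated once per group member, and the member DN in each change record must match the entry created in step 1. The following script is an added example, not code from the PingDirectory documentation or product: it parses the group LDIF from step 1 (embedded inline as a constructed copy), reads the `uniqueMember` DNs from the `cn=Dir Admins` group, normalises the spacing in each DN, and emits one LDIF modify record per member that adds `ds-privilege-name` and `ds-pwp-password-policy-dn` in a single record. The output is meant to be saved and applied with `bin/ldapmodify --filename`, as in the page; nothing here talks to a server. The `parse_ldif`, `group_members` and `build_admin_changes` names are this example's own, and the LDIF parser handles only the plain `attr: value` form with continuation lines (no base64 `::` values or URLs).

```python
"""Generate per-member privilege and password-policy changes for an admin group
(added example, not from PingDirectory)."""
import re
from typing import Dict, List, Tuple

# Constructed copy of the admin-group.ldif file from step 1 of the group procedure.
GROUP_LDIF = """\
dn: ou=Groups,dc=example,dc=com
objectClass: organizationalunit
objectClass: top
ou: Groups

dn: cn=Dir Admins,ou=Groups,dc=example,dc=com
objectClass: groupofuniquenames
objectClass: top
uniqueMember: uid=user.0, ou=People, dc=example,dc=com
uniqueMember: uid=user.1, ou=People, dc=example,dc=com
cn: Dir Admins
ou: Groups
"""

GROUP_DN = "cn=Dir Admins,ou=Groups,dc=example,dc=com"
ADMIN_POLICY_DN = "cn=Admin Password Policy,cn=Password Policies,cn=config"

Record = Tuple[str, Dict[str, List[str]]]


def _unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    lines: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_ldif(text: str) -> List[Record]:
    """Parse blank-line-separated LDIF records into (dn, {attr-lowercase: [values]})."""
    records: List[Record] = []
    dn, attrs = None, {}
    for line in _unfold(text) + [""]:          # sentinel flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                records.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return records


def normalize_dn(dn: str) -> str:
    """Drop whitespace around RDN separators so DNs compare and print consistently."""
    return re.sub(r"\s*,\s*", ",", dn.strip())


def group_members(records: List[Record], group_dn: str) -> List[str]:
    """Return the normalised uniqueMember DNs of the named group."""
    wanted = normalize_dn(group_dn).lower()
    for dn, attrs in records:
        if normalize_dn(dn).lower() == wanted:
            return [normalize_dn(m) for m in attrs.get("uniquemember", [])]
    raise LookupError(f"group {group_dn} not found in LDIF")


def member_change_ldif(member_dn: str, privileges: List[str], policy_dn: str) -> str:
    """One modify record: add the privileges and the password policy DN."""
    lines = [f"dn: {member_dn}", "changetype: modify", "add: ds-privilege-name"]
    lines += [f"ds-privilege-name: {p}" for p in privileges]
    lines += ["-", "add: ds-pwp-password-policy-dn",
              f"ds-pwp-password-policy-dn: {policy_dn}", ""]
    return "\n".join(lines)


def build_admin_changes(group_ldif: str = GROUP_LDIF, group_dn: str = GROUP_DN,
                        privileges: Tuple[str, ...] = ("password-reset",),
                        policy_dn: str = ADMIN_POLICY_DN) -> str:
    members = group_members(parse_ldif(group_ldif), group_dn)
    return "\n".join(member_change_ldif(m, list(privileges), policy_dn) for m in members)


if __name__ == "__main__":
    print(build_admin_changes(), end="")
```

Redirect the output to a file (for example `admin-priv.ldif`) and apply it with `bin/ldapmodify --filename admin-priv.ldif`; because each record carries both modifications, one run covers steps 6 and 7 for every group member, and adding a member to the group LDIF and re-running the script is the whole "repeat the process" step.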
