Reset Administrator Password and Unlock Administrator User Account

Available Languages

Download Options

  • PDF     (29.9 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (83.3 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (69.5 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:June 1, 2026
Document ID:117866

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

This document describes how to reset your lost administrator account password for an Email Security Appliance, Security Management Appliance, or WSA.

Background Information

This document applies to both hardware-based and virtual-based AsyncOS appliances. Passwords are reset for Email Security Appliance (ESA), Security Management Appliance (SMA) and Web Security Appliance (WSA).

Reset Your Administrator Password

The password for the admin account of an appliance can only be reset via the serial console, using a temporary password Cisco Technical Assistance Center (TAC) can generate. Complete these steps in order to reset your administrator (admin) password on your appliance:

  1. Contact Cisco Customer Support for a temporary admin password.

    Note: You must provide the full serial number of the appliance in your request or case notes.

  2. When you receive the temporary admin password:

    • For hardware-based appliances, access the appliance via a direct serial connection:

      Bits per second: 9600
      Data bits: 8
      Parity: None
      Stop bits: 1
      Flow control: Hardware
    • For virtual-based appliances, access the appliance from the ESXi console or another virtual host console.

  3. Log in as the user adminpassword.

    1. Enter the temporary admin password that you received from the Cisco Customer Support Engineer and press Return.

    2. Enter the new password for the admin user.

      AsyncOS myesa.local (ttyv0)

      login: adminpassword
      Password:  <<<WILL REMAIN BLANK AS YOU ENTER IN THE TEMP PASSWORD>>>
      Last login: Fri Feb 6 20:45 from 192.168.0.01
      Copyright (c) 2001-2013, Cisco Systems, Inc.

      AsyncOS 8.5.6 for Cisco C370 build 092
      Welcome to the Cisco C370 Email Security Appliance
      Chaning local password for admin
      New Password:  <<<WILL REMAIN BLANK AS YOU ENTER IN THE NEW PASSWORD>>>
      Retype New Password:  <<<WILL REMAIN BLANK AS YOU ENTER IN THE NEW PASSWORD>>>

      AsyncOS myesa.local (ttyv0)

      login: admin
      Password:  <<<USE NEW PASSWORD AS SET ABOVE>>>

Steps to Unlock the Admin User Account

The admin account can only be unlocked via direct physical access to the appliance. Now that you are logged in via the reset admin account on the appliance, confirm that the admin user has not been locked due to consecutive log in failures. In order to confirm this, enter the userconfig command in the CLI:

note-icon

Note: Newer versions of code, 12.x and later, prompt for an existing administrator role password in order to make edits to users.

> userconfig


Users:
1. admin - "Administrator" (admin) (locked)
2. dlpuser - "DLP User" (dlpeval)

External authentication: Disabled

Choose the operation you want to perform:
- NEW - Create a new account.
- EDIT - Modify an account.
- DELETE - Remove an account.
- POLICY - Change password and account policy settings.
- PASSWORD - Change the password for a user.
- ROLE - Create/modify user roles.
- STATUS - Change the account status.
- EXTERNAL - Configure external authentication.
- DLPTRACKING - Configure DLP tracking privileges.

If the admin user is locked, it is noted with (locked), as shown in the output.

Note: Only the admin account can change the status for the admin user. The admin user cannot be changed by any other local user account, regardless of the account's role on the appliance. Also, as previously mentioned, this must be completed via a serial/console connection.

The only other option is to request that the admin user be unlocked by Cisco Customer Support. This assumes that you have an account that has an administrative role on the appliance and that you are able to log into the CLI or GUI with that account. This option also requires an open remote support tunnel to the appliance.

In order to unlock the admin user, or any other user account in the locked status, enter the userconfig command and proceed from the start menu as shown here:

note-icon

Note: In newer versions of AsyncOS, you can be required to enter your passphrase after you enter the status command. When prompted, use the new password you set in the previous step.

[]> status

Enter the username or number to edit.
[]> 1

This account is locked due to consecutive log-in failures.

Do you want to make this account available? [N]> y

Account admin is now available.

Users:
1. admin - "Administrator" (admin)
2. dlpuser - "DLP User" (dlpeval)

Note: You are not required to commit the appliance configuration when you only change the status for the admin user.

Related Information

Revision History

Revision Publish Date Comments
4.0
01-Jun-2026
Recertification
3.0
18-Nov-2024
Added Background Information section. Updated Title, Introduction, Machine Translation, and Formatting.
2.0
31-Aug-2023
Added notes regarding the requirement to enter the newly reset password when unlocking the account.
1.0
27-Jun-2014
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • Robert Sherwin
    Technical Marketing Engineering Technical Leader
  • Alvaro J Gordon-Escobar
    Software Engineering Technical Leader

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products