Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Participant

Modifying User Permissions

Jump to solution

Good afternoon all,

We upgraded our Check Point Management server at the weekend with no problems, well, almost no problems!

Unfortunately we have a superuser account in SmartConsole of an ex-employee and all other accounts being either read only or administrator. 

We would like to escalate the privileges of one of the administrator accounts to be SuperUser however I am struggling to figure out how this can be done.

I have access to Clish and Expert mode but I can't see how to change the passwords of the user accounts using either of these options .... HELP!

0 Kudos
Reply
1 Solution

Accepted Solutions
Collaborator

Which one is your "admin" user? You can use "cpconfig" (for MDS: "mdsconfig") to delete this user and then you can create the "admin" user again and set up the password.

[Expert@mds:0]# mdsconfig


Welcome to Multi-Domain Server Configuration Program
=================================================================
This program will let you re-configure your Multi-Domain Server configuration.


Configuration Options:
----------------------
(1) Leading VIP Interfaces
(2) Licenses
(3) Random Pool
(4) Groups
(5) Certificate's Fingerprint
(6) Administrators
(7) GUI clients
(8) Automatic Start of Multi-Domain Server
(9) P1Shell
(10) Start Multi-Domain Server Password
(11) IPv6 Support for Multi-Domain Server
(12) IPv6 Support for Existing Domain Management Servers

(13) Exit

Enter your choice (1-13): 6

Configuring Administrators...
=============================
Following is a list of the currently defined Administrators
and their Multi-Domain permission levels:

1) user1 Domain Manager
2) user2 Multi-Domain Superuser
3) user3 Domain Manager
4) user4 Domain Manager

5) admin Multi-Domain Superuser

Do you want to add Administrators (y/n) [y] ?

*I used a MDS for example because I am already connected in this. Just an example.

View solution in original post

9 Replies
Participant

you should be able to change the admin password (the default user) using the cpconfig. Try sk56520.

basicaly you have to delete the user called admin and in the same session you have to immediately add again the user admin. Then you can set a new password without knowing the old one.

This user should be able to do anything....

0 Kudos
Reply
Collaborator

Can't you use "#fwm -a" to change this password?

0 Kudos
Reply
Participant

This is not the admin password that I am trying to change. This is a SmartConsole user account. The previous admin was a SuperUser but we no longer have that users password. Is there a way to escalate one of the accounts that has Full-Access to Super User status? See attached image.SmartConsole Permissions and Administrators

0 Kudos
Reply
Collaborator

Which one is your "admin" user? You can use "cpconfig" (for MDS: "mdsconfig") to delete this user and then you can create the "admin" user again and set up the password.

[Expert@mds:0]# mdsconfig


Welcome to Multi-Domain Server Configuration Program
=================================================================
This program will let you re-configure your Multi-Domain Server configuration.


Configuration Options:
----------------------
(1) Leading VIP Interfaces
(2) Licenses
(3) Random Pool
(4) Groups
(5) Certificate's Fingerprint
(6) Administrators
(7) GUI clients
(8) Automatic Start of Multi-Domain Server
(9) P1Shell
(10) Start Multi-Domain Server Password
(11) IPv6 Support for Multi-Domain Server
(12) IPv6 Support for Existing Domain Management Servers

(13) Exit

Enter your choice (1-13): 6

Configuring Administrators...
=============================
Following is a list of the currently defined Administrators
and their Multi-Domain permission levels:

1) user1 Domain Manager
2) user2 Multi-Domain Superuser
3) user3 Domain Manager
4) user4 Domain Manager

5) admin Multi-Domain Superuser

Do you want to add Administrators (y/n) [y] ?

*I used a MDS for example because I am already connected in this. Just an example.

View solution in original post

Champion
Champion

Yep. So long as you have the credentials for the now absent admin.

Otherwise, as long as one of your existing users have permission to edit Gaia config, there was a trick of copy/pasting the non-expert user's password hash instead of the existing one and this should reset your expert-password to the known one.

Than you can proceed changing default user's credentials.

I.e.: 

GW8010> set user admin password-hash $1$BBXc[B`B$i?????????.????????Pp0AM1
GW8010> save config

GW8010> set expert-password-hash $1$UcDP?????????????????????L4wUwiF/
GW8010> save config
GW8010> expert
Enter expert password: NewExpertPassword

0 Kudos
Reply
Participant

I'm not sure if I'm missing something here or if I'm not explaining myself properly so apologies in advance.

I have the admin password and I can log into clish and expert mode however this admin password cannot be used to log into SmartConsole. Only the users listed in the image in my last post can log into SmartConsole (none of them are the user "admin")

0 Kudos
Reply
Collaborator

Open "cpconfig" and go to Administrators, show us the result. Please.

0 Kudos
Reply
Champion
Champion

What is the user name listed in cpconfig?

0 Kudos
Reply
Participant

Sorry guys, I had a bit of a brain fart. Followed the suggestions above and got it sorted.

Thanks to all that responded

0 Kudos
Reply