Symptoms

We checked the AD membership for the admin user ksxxxx, how is only member of AD 0. We logged in as default admin user with AD membership 0-255 and enabled the root user successful. After FOS upgrade, the root account was disabled. Customer tries to enable root account and got an error message: SWxxx:admin> userconfig --change root -e yes Cannot manage the target account due to conflicting AD permissions

Cause

SWxxx:admin> userconfig --show -a Account name: kstxxxx Description: Kurt Sxxxx Enabled: Yes Password Last Change Date: Fri Nov 2 2018 (UTC) Password Expiration Date: Not Applicable (UTC) Locked: No Role: admin AD membership: 0 Home AD: 0 Day Time Access: N/A To enable root account, the account must be AD Membership 0-255 witch is default for admin account that is: Account name: admin Description: Administrator Enabled: Yes Password Last Change Date: Mon Jan 28 2019 (UTC) Password Expiration Date: Not Applicable (UTC) Locked: No Role: admin AD membership: 0-255 Home AD: 0 Day Time Access: N/A

Resolution

A user must have a role of admin and be a physical fabric administrator in order to change the enable the root account with "userconfig" command. A physical fabric administrator is a member of all ADs as shown below from the output of "userconfig --show":AD membership: 0-255 In this case, the user had only AD membership to AD 0: SW222:admin> userconfig --show -a Account name: kstxxxx AD membership: 0

Support Cases