How to recover if you are locked out from administering SecureLogin in MMC or iManager

  • 7940130
  • 19-Aug-2009
  • 20-Aug-2015

Environment

Novell SecureLogin
NetIQ SecureLogin
All Versions
Active Directory
eDirectory


Situation

Issue

SecureLogin Administrator is locked out

NSL admin can't manage SecureLogin

The user logged on as CN=Administrator,CN=Users,DC=ACME,DC=Com and set the following preferences to "No" at the Organizational Unit CN=Users,DC=ACME,DC=Com.

  • Allow users to view and change preferences = No
  • Allow users to view and modify application definitions = No

Now they can’t administer SecureLogin and appear to be locked out of the management tools.

When they attempt to access the SecureLogin SSO tab under the properties of an OU, the following error appears:

SecureLogin Configuration Access Denied You do not have rights to access SecureLogin configuration

Resolution

Cause

Setting these options to No locks all users in that container and below, including Administrator, whose user object also resides there, out of viewing and changing preferences and application definitions (unless user-specific settings are made first, as explained below).

Solution

Depending on which container the settings were applied to, you may be able to either log on as another user or create another OU and another user object at or above the level where the setting was made. You can then grant administrative rights to the user you created by setting the above settings to Yes. Once this has been done, you can set the option back to Yes either on the OU or specifically on the desired user object, e.g. CN=Administrator.

Any changes you make specifically on a user object override changes you make on OUs, i.e. in case of conflicting settings, the user settings apply. CN=Administrator will then be able to administer SecureLogin. If you can't log on as another user or create another user with administrative rights, contact Technical Support, who can help solve the problem.

Note: Before setting these preferences to No at the OU level to apply to all users in that OU, you should first set preferences to enable SSO Administrators and the user you are logged on as to manage SecureLogin.

For example, you should NOT set the options "Allow users to view and change preferences" and "Allow users to view and modify application definitions" to No, or you will prevent ALL users in the Users container from administering SecureLogin (which is what this article addresses).

To prevent this from occurring, first grant the ability to view and change preferences, view and modify application definitions, etc. via the SecureLogin tab under the properties of the SSO administrator's user object (e.g. CN=Administrator).

Once you have done this, you can turn the options off at the container level. The user-specific settings will apply, so you will be able to perform SecureLogin administration as the Administrator user, while all other users will be locked down as desired.
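The precedence rule above can be checked on paper before the OU-level change is made. The following Python sketch is an added example, not Novell/NetIQ code, and it does not read or write the directory. It assumes that an unset preference defaults to Yes and that the nearest container with a setting wins; the rescue account DN is hypothetical.

```python
# Added illustration of the article's rule: user-object settings override
# container settings. Assumptions (not confirmed by the article): an unset
# preference defaults to "Yes", and the nearest container setting wins.
PREFS = (
    "Allow users to view and change preferences",
    "Allow users to view and modify application definitions",
)

ADMIN = "CN=Administrator,CN=Users,DC=ACME,DC=Com"   # from the article
USERS = "CN=Users,DC=ACME,DC=Com"                    # from the article
RESCUE = "CN=NSLAdmin,OU=Rescue,DC=ACME,DC=Com"      # hypothetical account

def parents(dn):
    """Yield each container DN above an object, nearest first."""
    parts = dn.split(",")  # constructed sample DNs contain no escaped commas
    for i in range(1, len(parts)):
        yield ",".join(parts[i:])

def effective(dn, pref, settings):
    """Resolve one preference: user object, then containers, then default."""
    key = dn.lower()
    if pref in settings.get(key, {}):
        return settings[key][pref]
    for container in parents(key):
        if pref in settings.get(container, {}):
            return settings[container][pref]
    return "Yes"

def locked_out(admins, settings):
    """Return the admin DNs for which any management preference is No."""
    return [a for a in admins
            if any(effective(a, p, settings) == "No" for p in PREFS)]

def ou_lockdown():
    """The change that caused the lockout: No on the Users container only."""
    return {USERS.lower(): {p: "No" for p in PREFS}}

def with_admin_override():
    """The recommended order: Yes on the admin's user object, then No on the OU."""
    planned = ou_lockdown()
    planned[ADMIN.lower()] = {p: "Yes" for p in PREFS}
    return planned

if __name__ == "__main__":
    print("OU only:      ", locked_out([ADMIN, RESCUE], ou_lockdown()))
    print("With override:", locked_out([ADMIN, RESCUE], with_admin_override()))
```

An account outside the affected container, such as the hypothetical rescue account, is never reported as locked out, which is why the recovery procedure uses a user at or above the level where the setting was made.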