How do I deactivate the default admin account and duplicate their data and settings to another administrator account?

How do I deactivate the default admin account and duplicate their data and settings to another administrator account?

Purpose

Starting from DSM 6.2.4, you may receive a variation of the following DSM desktop notification reminding you to deactivate the default admin account for security considerations:

The default account "admin" is vulnerable to brute-force attacks, which may lead to ransomware attacks. Create another administrator account or sign in with another administrator account and deactivate "admin".

This article provides a step-by-step guide to duplicating the admin's data and settings to another administrator account before you deactivate the admin account.

Environment

DSM 6.2.4 and above.

Resolution

1. Before you start

  • Please note that not all data and settings of the admin account can be duplicated.1 This article only lists items that are suitable for duplication.
  • Please avoid the following operations, otherwise services and packages in DSM may not function normally:
    • Renaming the default admin account.
    • Renaming the home folder of the default admin account (/homes/admin).
  • Create a new administrator account by copying the admin account's settings:2
    1. Sign in to DSM with the default admin account.
    2. Go to the following locations to copy the admin account:
      • For DSM 7.0 and above: Control Panel > User & Group > User tab, select the default admin account, click the downward arrow next to the Create button, and click Copy user.
      • For DSM 6.2 and earlier: Control Panel > User > User tab, select the default admin account, click the downward arrow next to the Create button, and click Copy user.
    3. Fill in the Name, Description, Email, and Password fields for the new administrator and click Next.
    4. Confirm the settings and click Apply.
  • Tick Enable user home service at the following locations to show the data within home folders:
    • For DSM 7.0 and above: Control Panel > User & Group > Advanced > User Home.
    • For DSM 6.2 and earlier: Control Panel > User > Advanced > User Home.

2. Duplicate data and update settings

Open a browser window and sign in to DSM as the new administrator. This window is where you perform the duplication. Then, open a private browser window3 to sign in as the default admin account. This private window is used for reference to view the default admin account settings.

Duplicate the following items from the default admin account to the new administrator account using the first window, unless specified otherwise.

Duplicate Personal settings

Click the person-shaped icon at the upper-right corner of the DSM desktop and go to Personal. Duplicate the settings on these tabs from the admin account:

Duplicate File Station settings1

Launch File Station, duplicate these settings from the admin account:

Duplicate home folder data

  1. Launch File Station, go to admin's home folder (/homes/admin) to select and copy all files and sub-folders, except for the following:
    • .Maildir: This folder is used by Mail Server and contains admin's mail data. Such data cannot be duplicated directly.
    • #recycle: This folder contains the deleted data of the admin account.
    • CloudStation: This folder is used by Cloud Station. Cloud Station is deprecated in DSM 6.2.4 and is replaced by Synology Drive Server.
    • Drive: This folder is used by Synology Drive Server. Refer to Update package settings to transfer the data.4
  2. Go to the new administrator's home folder (/homes/NewAdministrator or /home) and click Action > Paste - Overwrite to duplicate the data.
  3. If the following folders are copied, we recommend re-indexing the folders:
    • music: This folder is used by Personal Library for Audio Station.
      1. Go to Audio Station > Settings > Personal Library.
      2. Tick Enable Personal Library and click Re-index.
    • photo: This folder is used by Personal Photo Station in DSM 6.2.4. If you are using DSM 7.0 and above, you may skip these operations.
      1. Go to Photo Station > Settings and tick Enable Personal Photo Station service.
      2. Go to DSM and click the person-shaped icon at the upper-right corner of the DSM desktop.
      3. Go to Personal> Photo Station, and click Re-index.
    • photos: This folder is used by Synology Photos in DSM 7.0 and above.
      • Go to Synology Photos > Profile > Settings > Advanced and click Re-index.

Update package settings

Package
Solution
Cloud Sync
  1. Refer to this article to remove tasks created by admin.
  2. Create a new task as the new administrator account by duplicating admin's task settings.5
  3. Repeat the steps if there is more than one task.
Hyper Backup
  • If the admin account on your Synology NAS is deactivated, backup tasks created by admin can still be executed by the new administrator. No further action is required.
  • If your Synology NAS has installed Hyper Backup Vault as a backup destination for client devices, refer to For Hyper Backup Vault clients in Section 4.
MailPlus
Sign in to MailPlus as the new administrator account and refer to this article to learn how to fetch email from the admin account to the new administrator account via POP3.
Mail Station
  1. Sign in to Mail Station as the new administrator.
  2. Go to Mail Station > Admin Settings > POP3 Mail Server Settings, tick Allow user to receive emails from external POP3 mail server, and click Save.
  3. Go to Mail Station > Settings > POP3, click + to add a new POP3 account for the admin account.
  4. The email of the admin account will be downloaded to the new administrator account's Inbox (or any folder of your choice).
Note Station
  1. Refer to this article to export the admin's notes in the private browser window.
  2. Refer to this article to import the admin's notes to the new administrator account in the regular browser window.
Shared Folder Sync
  1. If the admin account on your Synology NAS is deactivated, Shared Folder Sync task created by admin can still be run by the new administrator. No further action is required.
  2. Check the Connection List to find out if your Synology NAS is paired with another Synology NAS via Shared Folder Sync. If your Synology NAS has been paired, refer to Section 4.
    • For DSM 7.0 and above: Go to Control Panel > File Services > Advanced > Shared Folder Sync > Connection List.
    • For DSM 6.2 and earlier: Go to Control Panel > Shared Folder Sync > Connection List.
Snapshot Replication
  • If the admin account on your Synology NAS is deactivated, the replication tasks created by admin can still be executed by the new administrator. No further action is required.
  • If the admin account on the remote NAS (the destination server) is deactivated, follow the steps below to edit the replication task.
    1. Go to Snapshot Replication > Replication on your Synology NAS.
    2. Select the replication task and click Action > Edit.
    3. Enter the new administrator account's Username and Password of the remote NAS.
    4. Click OK to apply the new settings.
    5. Click Action > Sync to make sure the replication task works correctly.
Synology Calendar
  1. Refer to this article to export the admin's calendars in the private browser window.
  2. Refer to this article to import the admin's calendars to the new administrator account in the regular browser window.
Synology Drive Server
  1. Update to Synology Drive Server 3.0.1 6
  2. Launch Synology Drive Admin Console > Settings > File Ownership Transfer.
  3. Enter "admin" in the From field, and enter the new administrator account in the To field.
  4. Click Transfer Files to transfer admin's data to the new administrator account.

Update Task Scheduler settings

  1. Go to Control Panel > Task Scheduler, select the task that belong to admin and click Edit.
  2. Under the General tab, change the task owner to the new administrator account in the User field.
  3. Repeat the steps if there is more than one task.

3. Deactivate the default admin account

After the admin account's data are duplicated and settings updated, sign in DSM as the new administrator, and go to the following locations to deactivate the default admin account:

  • For DSM 7.0 and above: Control Panel > User & Group > User tab. Double-click on the default admin account, go to Info, click Deactivate this account, and click Save.
  • For DSM 6.2 and earlier: Control Panel > User > User tab. Double-click on the default admin account, go to Info, click Deactivate this account, and click OK.

4. Change client settings

If you have client devices that use the default admin account to connect to your Synology NAS, you must remove all previous connection settings from these client devices and establish a new connection with the new administrator account.

Service
Solution
For Active Backup for Business agents
Refer to the "Configuration" section in this article to connect your client computer to your Synology NAS using the new administrator account credentials.
For File Services clients
For the following file services, disconnect all existing connections first.
For Hyper Backup Vault clients
  1. On the source NAS backing up data via Hyper Backup to your Synology NAS (destination NAS), launch Hyper Backup and update to the new administrator account credentials at the following locations:
    • For DSM 7.0 and above: Go to Edit > Target and click Log In next to Authentication.
    • For DSM 6.2 and earlier: Go to Edit > Target.
  2. Change the owner of the [directory_name].hbk file on your Synology NAS (destination NAS) from "admin" to the new administrator account:
    • Launch File Station, click on the shared folder that you used for saving the backup data, right-click on the [directory_name].hbk file, select Properties > General > Owner, select the new administrator from the drop-down list or manually enter it, tick Apply to this folder, sub-folders and files, and click OK.
For Shared Folder Sync
On the client Synology NAS, update the login information to the new administrator credentials at the following locations:9
  • For DSM 7.0 and above: Control Panel > File Services > Advanced > Shared Folder Sync > Task List > Edit > Destination.
  • For DSM 6.2 and earlier: Control Panel > Shared Folder Sync > Task List > Edit > Destination.
For Synology Drive Client
Refer to this article to connect your client computers to Synology Drive Server using the new administrator account credentials.
For Synology Drive ShareSync clients
Refer to this article to connect your client Synology NAS to Synology Drive Server using the new administrator account credentials.

Notes:

  1. Items that cannot be duplicated include, but are not limited to, the following:
    • Download Station: Download tasks created by admin.
    • File Station: Shared links created by admin. The links stay valid if the shared files/folders shared by admin are not moved or deleted.
    • Synology Chat Server: Message history of admin.
    • Synology Drive Server: File versions of the files located under /homes/admin/Drive.
    • Synology Moments: Albums that are automatically created for admin and manually created by admin.
    • Synology Photos: Albums that are automatically created for admin and manually created by admin.
  2. The following settings will be copied:
    • The groups that the admin account belongs to.
    • The admin account's permission for each shared folder, excluding explicit permissions configured on sub-folders and files.
    • The admin account's Quota settings. However, administrators have unlimited quota.
    • The admin account's Privilege settings for applications.
    • The admin account's Speed Limit settings.
  3. The name of a private window varies from browser to browser: "InPrivate" for Edge, "Incognito" for Chrome, and "Private window" for FireFox and Safari.
  4. If you are using DSM 6.2.4 and the folder /homes/admin/Drive/Moments exists, copy this folder to /homes/NewAdministrator/Drive/Moments separately. This folder is used by Synology Moments.
  5. If a non-encrypted task is deleted and the last sync activity is within 24 hours, the new task will be re-linked to the deleted task, and the synced data on the Synology NAS will not be synced again. If an encrypted task is deleted, or the last sync activity of a non-encrypted task is more than 24 hours ago, all files must be synced again.
  6. Transferred data include all files and folders under admin's My Drive, Synology Office files with versions, and the admin's file sharing records. The transferred data will be saved to /homes/NewAdministrator/Drive/admin migration file/.
  7. To access the Synology NAS via AFP, use afp:// instead of smb:// in Finder's Server Address field.
  8. If you are backing up your Mac computer using Time Machine with the default admin account, remove the backup disk from your Mac first and configure Time Machine again with the new administrator account. The previous Time Machine backup data created by admin will remain, and you can continue to back up your Mac with the new administrator account.
  9. If you receive an error code 53 for the Shared Folder Sync task after you update the user credentials, refer to this article for solutions.
Purpose
Environment
Contents
Resolution
1. Before you start
2. Duplicate data and update settings
3. Deactivate the default admin account
4. Change client settings