Reset Admin User Password in Zimbra / Carbonio

Getting locked out of a Zimbra or Carbonio admin account is one of those situations that feels worse than it is. The fix takes a single command if you have SSH access to the server. This guide covers password resets for the admin account, regular user accounts, the differences between Carbonio Community Edition and Network Edition, and handling two-factor authentication lockouts.

Original content from computingforgeeks.com - post 11160

Prerequisites

All password management commands must be run on the mail server itself. You need:

  • SSH access to the Zimbra/Carbonio server
  • The ability to switch to the zextras user (Carbonio) or zimbra user (legacy Zimbra)
  • Root or sudo privileges for the user switch

On Carbonio, the service user is zextras. On older Zimbra installations, it is zimbra. The commands are otherwise identical.

Reset the Admin Password via CLI

SSH into the server and switch to the service user:

# Carbonio
sudo su - zextras

# Legacy Zimbra
sudo su - zimbra

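Reset the admin password with zmprov. The password is passed as a command-line argument, so it ends up in the service user's shell history; remove that entry afterwards:

zmprov setPassword admin@yourdomain.com 'NewSecurePassword123!'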

Check that the account is not locked:

zmprov getAccount admin@yourdomain.com zimbraAccountStatus

The account status should show active. If it shows locked or lockout, the account was locked due to too many failed login attempts. Unlock it:

zmprov modifyAccount admin@yourdomain.com zimbraAccountStatus active

Now log into the admin console at https://your-server:7071 (Zimbra) or https://your-server:6071 (Carbonio) with the new password to confirm everything works.

Reset a Regular User Password

The process is the same for non-admin accounts:

zmprov setPassword user@yourdomain.com 'NewUserPassword456!'

If you want to force the user to change their password on next login:

zmprov modifyAccount user@yourdomain.com zimbraPasswordMustChange TRUE

Verify the change:

zmprov getAccount user@yourdomain.com zimbraPasswordMustChange

To reset passwords in bulk (for example, after a security incident), list all accounts and script the reset:

# List all accounts
zmprov -l gaa yourdomain.com

Then loop through them with a script, setting each password and forcing a change on login. Be sure to notify users through an out-of-band channel since they will not be able to read email until they reset.
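
The loop described above, sketched as an added example (not code from the original article). It sets a random temporary password per account, forces a change at next login, skips Zimbra's system accounts, and writes the credentials to an owner-only file for out-of-band distribution; the system-account name patterns, password format and output path are assumptions.

```shell
#!/bin/bash
# Added example. Run as the zextras (Carbonio) or zimbra (legacy) user.
# Usage: ./bulk_reset.sh yourdomain.com /path/to/credentials.tsv

# Temporary password: 20 letters/digits from the kernel CSPRNG.
# Assumption: this satisfies your zimbraPassword* policy; adjust if not.
gen_password() {
    head -c 64 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | cut -c1-20
}

# Assumption: default names of Zimbra system accounts that nobody logs into.
is_system_account() {
    case "$1" in
        spam.*|ham.*|virus-quarantine.*|galsync*) return 0 ;;
        *) return 1 ;;
    esac
}

# bulk_reset DOMAIN OUTFILE -> prints the number of accounts reset
bulk_reset() {
    domain=$1
    outfile=$2
    # The credential list is sensitive: create it readable by the owner only.
    ( umask 077; : > "$outfile" ) && chmod 600 "$outfile" || return 1
    accounts=$(zmprov -l gaa "$domain") || return 1
    count=0
    for acct in $accounts; do
        if is_system_account "$acct"; then continue; fi
        pw=$(gen_password)
        # Note: the password is briefly visible in the process list.
        if zmprov setPassword "$acct" "$pw" &&
           zmprov modifyAccount "$acct" zimbraPasswordMustChange TRUE; then
            printf '%s\t%s\n' "$acct" "$pw" >> "$outfile"
            count=$((count + 1))
        else
            echo "FAILED: $acct" >&2
        fi
    done
    echo "$count"
}

if [ "$#" -ge 2 ]; then
    bulk_reset "$1" "$2"
fi
```

Delete the credentials file securely once the temporary passwords have been handed out.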

When zmprov Is Not Working

If zmprov fails with connection errors, the LDAP service is likely down. Check the service status:

zmcontrol status

If LDAP is not running, start it:

ldap start

Then retry the password reset. If LDAP will not start, check the logs:

# Carbonio
tail -100 /opt/zextras/log/ldap.log

# Legacy Zimbra
tail -100 /opt/zimbra/log/ldap.log

Common causes include disk space exhaustion (LDAP databases can grow large), permission changes on the LDAP data directory, or a corrupted database after an unclean shutdown.

For a completely non-functional LDAP, you can use the local LDAP tools directly, but this is a last-resort approach that requires knowledge of the LDAP directory structure. In most cases, fixing the LDAP service and using zmprov is the better path.

Carbonio CE vs NE – What Differs

Zextras Carbonio comes in two editions: Community Edition (CE) and Network Edition (NE). For basic password management, the commands are identical. The differences that matter for account administration:

  • Admin Console – Carbonio NE has a more feature-rich admin panel with delegated administration. CE has a simpler interface but zmprov commands are the same on both.
  • Two-Factor Authentication – Both editions support 2FA, but NE includes more granular policy controls for enforcing 2FA per COS (Class of Service).
  • Active Directory Integration – NE supports external Active Directory authentication. If a user authenticates against AD, their password is managed in AD, not in Zimbra’s LDAP. The zmprov setPassword command will not work for those accounts – you need to reset the password in Active Directory instead.
  • Backup and Restore – NE includes built-in backup. If you restore an account from backup, the password at the time of backup is restored. The user may need a fresh password reset afterward.

Resetting Two-Factor Authentication

If a user (or the admin) has lost access to their 2FA device (phone lost, authenticator app wiped), you need to disable 2FA on the account so they can log in and reconfigure it.

Disable 2FA for a specific account:

zmprov modifyAccount user@yourdomain.com zimbraTwoFactorAuthEnabled FALSE

Also clear any existing 2FA credentials so they start fresh:

zmprov modifyAccount user@yourdomain.com zimbraTwoFactorAuthCredentials ''

Verify 2FA is disabled:

zmprov getAccount user@yourdomain.com zimbraTwoFactorAuthEnabled

The user can now log in with just their password. Once logged in, they should immediately set up 2FA again from their account settings.

If 2FA is enforced at the COS level and you disable it on the individual account, the COS policy may override your change. In that case, temporarily move the user to a COS that does not enforce 2FA:

# Check current COS
zmprov getAccount user@yourdomain.com zimbraCOSId

# List available COS
zmprov getAllCos

# Move to a COS without 2FA enforcement
zmprov modifyAccount user@yourdomain.com zimbraCOSId <cos-id-without-2fa>

After the user has reconfigured 2FA, move them back to their original COS.

Password Policy Settings

While you are resetting passwords, it is worth reviewing your password policy. These settings are applied at the COS or account level:

# View password policy for an account
zmprov getAccount user@yourdomain.com | grep -i zimbraPassword

# Set minimum password length
zmprov modifyCos default zimbraPasswordMinLength 12

# Set password history (prevent reuse of last N passwords)
zmprov modifyCos default zimbraPasswordEnforceHistory 5

# Set maximum login failures before lockout
zmprov modifyCos default zimbraPasswordLockoutMaxFailures 5

# Set lockout duration (in seconds - 1800 = 30 minutes)
zmprov modifyCos default zimbraPasswordLockoutDuration 1800

Verify the policy:

zmprov getCos default | grep -i zimbraPassword

Quick Reference

Task                    Command
Reset password          zmprov sp user@yourdomain.com 'newpass'
Unlock account          zmprov ma user@yourdomain.com zimbraAccountStatus active
Force password change   zmprov ma user@yourdomain.com zimbraPasswordMustChange TRUE
Disable 2FA             zmprov ma user@yourdomain.com zimbraTwoFactorAuthEnabled FALSE
Check services          zmcontrol status

Summary

Password resets in Zimbra and Carbonio are handled entirely through zmprov on the command line. As long as you have SSH access and the LDAP service is running, you can reset any account in seconds. Remember that accounts authenticated against external directories (Active Directory, external LDAP) must have their passwords reset in those systems instead. After any admin password reset, log into the web console immediately to confirm access, and take the opportunity to review your password and lockout policies.
