The primary site administrator account in ArcGIS Server is a built-in account that bypasses external identity store configurations. To ensure only users from a configured identity store (e.g., Active Directory) can administer the site, the primary site admin account must be disabled after alternative administrative access has been confirmed.

From ArcGIS Server documentation:

“After you configure your ArcGIS Server to use users and roles from an identity store (LDAP or Active Directory), you can disable the primary site administrator account to prevent bypassing the identity store.”

Option B relates to token security, not access control.

Option C is about running the service securely, not defining user permissions.