Monday, February 28, 2011

How to reset SEPM 11 administrator password

Here's the procedure to reset the password for Symantec EndPoint Protection Manager on a Windows 2008 server. First, what you must know is that the SEPM security policy is set to lock the 'admin' account after 5 wrong passwords are entered. The 'admin' account is then kept locked for 15 minutes after which it unlocks itself automatically. If you have entered 5 wrong passwords, two solutions are available: the first one is to quietly sit in your chair, sip your coffee and wait for 15 minutes to pass. The second one consistes of one simple procedure:
  • Open a command prompt with elevated privileges
  • Type 'cd C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools'
  • Type 'resetpass.bat' and press 'Enter' to run the batch file which is in charge of resetting the password.
  • Choose a new password
The resetpass.bat will temporarily reset the password to 'admin' and it will immediately ask you to choose new credentials. Here's the content of this file for a better understanding:

@echo off
setlocal

set CATALINA_HOME=%CD%\..\tomcat
set JAVA_HOME=%CD%\..\jdk

"%JAVA_HOME%\bin\java.exe" -Xms64m -Xmx256m -XX:MinHeapFreeRatio=30 -XX:MaxHeapFreeRatio=40 -classpath "%CD%\..\bin\inst.jar;%CD%\..\bin\inst-res.jar" -Dcatalina.home="%CATALINA_HOME%" -Djava.library.path="%CATALINA_HOME%\bin" com.sygate.scm.tools.DatabaseFrame setpassword admin admin
endlocal

Once you are logged in the SEPM management console you can also select the 'admin' tab and change the security policy to respond to failed login attempts and to define lock duration. I suggest to decrease the account lockout duration to 5 minutes and to add a backup admin account to be able to logon even in case of problems with the primary account. You could also set SEPM to not to make password expire for easier management, just be sure you have choosen a strong password.

SEPM Security Policy

Password expiration policy

I hope this helps!

1 comment:

  1. Resetting the admin password works if SEPM is not configured to be synched with the active directory. If SEPM doesn't authenticate in this case probably it's because it cannot find the domain controller (e.g. because you demoted it). Anyway, I was able to solve this issue by using the backup and restore feature of SEPM with the following steps:
    - backup db on old server
    - restore it on a new server (remeber to copy the private keys also)
    - run the configuration wizard on the new server (choose reconfigure)
    - you may be asked if you want to add the new server to the list of servers - say yes
    - login on the console of the new server
    - disable the account synching feature with active directory
    - disable the lockout option
    - change the admin password to one of your choice
    - logout from the console the new server
    - backup the db on the new server
    - restore the db (and keys) on the old server
    - reconfigure with the wizard the old server
    - et voilà... you finally can login again on the old server

    Not so fast, but it worked well for me.

    Marco

    ReplyDelete

Related Posts Plugin for WordPress, Blogger...