Admin Password !full!: Symantec Endpoint Protection Manager Reset

Resetting Your Symantec Endpoint Protection Manager (SEPM) Admin Password

If you have lost access to your Symantec Endpoint Protection Manager (SEPM) console, you can regain entry using several methods depending on your environment's configuration. The most common solution involves using a built-in batch script on the management server. Method 1: Using the resetpass.bat Tool (Recommended)

This tool is included in your SEPM installation and resets the administrator credentials to their default values.

Access the Server: Log into the physical or virtual machine where Symantec Endpoint Protection Manager is installed.

Locate the Tool: Open Windows Explorer and navigate to the following directory:

64-bit systems: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools

32-bit systems: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Tools

Run the Script: Right-click resetpass.bat and select Run as Administrator.

Log In: Wait approximately 10 minutes for the change to take effect. Then, log in with the following default credentials: Username: admin Password: admin

Update Security: You will be prompted to change this temporary password immediately. Ensure your new password meets current complexity requirements (typically 8–16 characters, including uppercase, lowercase, numbers, and special characters). Method 2: Using the "Forgot Your Password?" Link

If your SEPM is configured with a working SMTP mail server, you can use the built-in recovery link. On the SEPM logon screen, click Forgot your password?. Enter the username for the account you wish to reset.

Check your email for a temporary password and activation link.

Troubleshooting: If you don't receive the email, you may need to check the mailConfig.properties file located in the \tomcat\etc\ folder to verify your SMTP settings. Method 3: Advanced Recovery via Log Files symantec endpoint protection manager reset admin password

If you cannot receive emails but have access to the server's file system, you can sometimes extract the reset link directly from the system logs.

Enable Debugging: Edit the conf.properties file in ...\Tomcat\etc and set scm.log.loglevel=FINEST and scm.mail.troubleshoot=1.

Restart Service: Restart the Symantec Endpoint Protection Manager service via services.msc.

Extract Link: Trigger the "Forgot Password" request again, then check the stdout-0.log file in the \tomcat\logs\ directory for a phrase like "PasswordServlet." The reset URL should be listed there.

For official technical documentation, visit the Broadcom Support Portal or review troubleshooting tips on the Broadcom Community forums.

To reset the administrator password for Symantec Endpoint Protection Manager (SEPM), you can use the built-in password reset tool or the command-line interface, depending on your version and access level. Reset via ResetPassword.bat (Recommended)

This is the standard method for most versions. It generates a temporary password that you must change upon login.

Navigate to the Tools folder: Open File Explorer on the SEPM server and go to:C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools Run the script: Double-click ResetPassword.bat.

Authentication: A command window will prompt for confirmation. Once completed, it will display a message stating the password has been reset to admin. Log in and Update: Open the SEPM console. Log in with username admin and password admin.

You will be prompted immediately to create a new, secure password. Reset via Command Line (Alternative)

If you prefer using the command line or the .bat file is missing, you can use the reset-password.exe utility.

Path: ..\Symantec Endpoint Protection Manager\bin\reset-password.exe What This Feature Is NOT

Command: Run the executable as an Administrator. This follows the same logic as the batch file, reverting the admin account to its default credentials. Troubleshooting and Limitations

Database Connectivity: The reset tool requires a connection to the SEPM database. If the database service is stopped, the reset will fail.

Account Locking: If the account is locked due to too many failed attempts, the reset script typically unlocks it while resetting the password.

FIPS Mode: If SEPM is running in FIPS-compliant mode, ensure you are using the specific tools provided in the FIPS subdirectories.

The feature you are asking about — resetting the admin password in Symantec Endpoint Protection Manager (SEPM) — is typically accomplished through a built-in password recovery mechanism or a manual database reset process, depending on your access level and setup.

Here are the two primary features available for resetting the SEPM admin password:

5. Document the DBA Password

During SEPM installation, you set a DBA password for the embedded database (default sql). If you changed it, document it. Method 2 fails without this password.

What This Feature Is NOT

Not a remote/reset via cloud — SEPM is on-premises; there is no vendor "backdoor" to reset passwords without server access.
Not a simple "change password" option — that feature only works when you already know the current password.

Prerequisites:

Download a SQL database client (e.g., DBISQL or Interactive SQL). Broadcom support articles reference dbisql.com, which is found in the SEPM installation /ASA/win32 or /ASA/win64 folder.

Part 1: Understanding SEPM Authentication

Symantec Endpoint Protection Manager (now managed by Broadcom) stores user credentials—including the embedded admin account—in its backend database (an embedded Sybase SQL Anywhere database or a full external Microsoft SQL Server). The password is hashed and salted, meaning you cannot simply “view” it. However, you can replace the hash with a known value or bypass authentication entirely using command-line tools.

Critical Note: These procedures should only be performed on the SEPM server itself (physical or virtual). You cannot reset the password remotely via the web console if you are locked out.

4. Verification

Log in via SEPM console with new credentials
Verify policies, clients, and reports are intact

Method 2: Using the Database

If you don’t have another admin account or if the SEPM console is inaccessible, you may need to directly modify the database. This method requires more caution and technical expertise.

Backup the Database: Before making any changes, ensure you have a complete backup of the SEPM database.
Access the Database: Depending on your SEPM version, the database could be SQL Server, Oracle, or another type. Use a database management tool to connect to the SEPM database. Not a remote/reset via cloud — SEPM is
Modify the Password:
- For SQL Server, you can use a SQL query to update the password. The specific query can vary depending on the SEPM version. A general approach involves updating the password field in the administrators table.
- For Oracle, you would use an SQL query as well, but the approach might differ slightly.
Example SQL Query for SQL Server:
```
UPDATE Administrators 
SET Password = 'newhashedpassword' 
WHERE UserName = 'admin';
```
Replace 'newhashedpassword' with the actual hashed value of your new password and ensure the UserName matches the admin account.
Hashing the Password: You will need to hash your new password. The hashing algorithm used by SEPM can vary by version. Tools like symcryptransform (part of the SEPM installation) can be used to generate a hashed password.

Step-by-Step Instructions:

Step 1: Log into the SEPM Server Log directly into the Windows Server where SEPM is installed. Remote Desktop (RDP) works perfectly. You do not need to log in as SYSTEM; a standard local administrator account is sufficient.

Step 2: Stop the Symantec Endpoint Protection Manager Service Before modifying credentials, you must stop the service to release file locks.

Open services.msc (Start > Run > services.msc).
Locate Symantec Endpoint Protection Manager.
Right-click and select Stop.
Optional but recommended: Also stop the Symantec Endpoint Protection Manager Web Server.

Step 3: Navigate to the Tools Directory Open File Explorer and navigate to the following path:

C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tools

Note: If you installed SEPM on a different drive (e.g., D: or E:), adjust the path accordingly.

Step 4: Run the Reset Script You will see a file named resetpass.bat.

Right-click on resetpass.bat and select Run as Administrator.
A command prompt window will open.

Step 5: Follow the Interactive Prompts The script will ask you a series of questions. Here is what you will see and how to respond:

"Do you want to reset the admin password? [y/n]" → Type y and press Enter.
"Enter a new password for admin:" → Type your new, strong password. (Note: Characters will not appear on screen for security).
"Confirm new password:" → Type it again.
"Do you want to unlock the admin account? [y/n]" → Type y. (Even if it isn’t locked, this ensures it is active).
"Do you want to rest the DBA password to match the admin? [y/n]" → Type n. (Stick to resetting only the admin account to avoid database complications).

Step 6: Start the Services

Return to services.msc.
Start Symantec Endpoint Protection Manager and the Web Server.
Wait 2-3 minutes for the services to fully initialize.

Step 7: Test the New Password Open the SEPM Console (usually via Start Menu or https://localhost:8443). Log in with:

Username: admin
Password: [Your new password]

Success! This method works in 95% of standard scenarios.

For Embedded Sybase Database (Default Install):

Stop SEPM services as above.

Navigate to the DB script folder:

C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\ASA\win32\

Open a command prompt as Administrator in that folder.
Connect to the database using dbisql:
```
dbisql -c "UID=dba;PWD=sql;DBF=C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\db\sem5.db"
```
(Note: The default DBA password is often sql. If changed, you’ll need the correct one.)

In the SQL window that appears, run:

UPDATE SEM5.USER_LIST SET USER_PASSWORD = '5f4dcc3b5aa765d61d8327deb882cf99' WHERE USER_NAME = 'admin';
COMMIT;

Explanation: 5f4dcc3b5aa765d61d8327deb882cf99 is an MD5 hash of the word password. This sets the admin password to password (lowercase).
Close dbisql, restart services, and log in with admin / password. Change it immediately via the console.