Symantec Endpoint Protection Manager Reset Admin Password

If you need to reset the Symantec Endpoint Protection Manager (SEPM)

admin password, the process is straightforward but requires access to the management server's file system. Password Reset Methods According to technical documentation from , there are two primary ways to handle this: resetpass.bat

: This is the most common "local" fix if you are locked out. Navigate to the folder in your SEPM installation directory (usually

C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools resetpass.bat This resets the default account password to : Log in immediately and change this to a secure password. The "Forgot Password" Link

: If your SEPM is configured with an email server, you can use the link on the login console. Enter your username and click Forgot Password

A temporary password will be sent to the administrator's email address on file. Broadcom Community Common Troubleshooting Account Lockouts

: If the account is locked due to too many failed attempts, running resetpass.bat will also typically unlock it. Console Access

: You must perform the batch file reset directly on the computer running the SEPM software. Configuration Wizard : If the batch file fails, some users perform a Broadcom Knowledge Base

through the Control Panel to trigger the Management Server Configuration Wizard, which allows for re-configuring the admin credentials. Broadcom Community

If you're having trouble locating the installation directory or if the batch file isn't working,

would you like help troubleshooting your specific SEPM version or server setup? How can I unlock my admin user? | Endpoint Protection

Symantec Endpoint Protection Manager (SEPM) administrator passwords can be reset using the "Forgot your password?" feature if email is configured, or via the resetpass.bat script located in the tools directory to revert to default credentials. If email recovery is unavailable, running the reset script requires administrative access to the server, which resets the account to a default username and password. For detailed, official procedures, visit Broadcom TechDocs.

Forgetting the administrator password for Symantec Endpoint Protection Manager (SEPM) can feel like being locked out of your own high-security vault. Fortunately, Symantec provides built-in "emergency keys" to regain entry. 1. The Standard "Forgot Your Password?" Link

If you have configured a working email server (SMTP) in your SEPM settings, this is your quickest route.

The Action: On the SEPM logon screen, click Forgot your password?.

The Result: Type your username and click Temporary Password. An email will be sent with a reset link.

Catch-22: This only works if your SMTP relay and recovery email were set up before you lost access. 2. The Power Move: resetpass.bat

In isolated environments or cases where email isn't configured, Symantec provides a specific batch script located directly on the management server.

Location: Navigate to C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools. The Execution: Open a Command Prompt as Administrator. Run resetpass.bat.

The Reset: This script forcefully reverts the admin account name and password to the default: admin / admin.

Pro Tip: You must change this default password immediately after logging back in for security compliance. 3. The "Deep Log" Extraction (Advanced)

If you’ve requested a reset email but it never arrives (common in restrictive networks), you can sometimes "catch" the link from the server's own logs.

The Trick: Increase the SEPM loglevel to FINEST in the conf.properties file and add scm.mail.troubleshoot=1.

The Find: After restarting the service and requesting the password again, search the stdout-0.log file for the phrase "PasswordServlet". The actual reset URL is often hidden right there in the text. 4. Important Constraints to Remember

To reset the Administrator password for Symantec Endpoint Protection Manager (SEPM), you use the built-in ResetPass.bat utility located in the installation directory.

Note: This procedure only works for the default "admin" username. If you created a custom administrator username and forgot it, you must log in with another administrator account to reset it, or reinstall the management server.

Here is the step-by-step guide.

Troubleshooting

If the password admin does not work: Ensure you ran the .bat file as an Administrator. If you simply double-clicked it, it may have appeared to run but failed to write the changes to the database due to permission restrictions. Right-click and try "Run as administrator" again.

If you are using a different Username: The ResetPass.bat tool strictly resets the built-in admin account. It does not work on custom administrator accounts created later. If you have lost the password for a custom account and have no other admins, you generally have to reinstall the SEPM and use a disaster recovery file (if you have one) to restore your settings.

To reset the Symantec Endpoint Protection Manager (SEPM) admin password, you can use the built-in resetpass.bat utility or the standard "Forgot your password?" link if an email server is configured. Method 1: Using the resetpass.bat Tool

This method is the most reliable if you have access to the SEPM server. It resets the administrator username and password back to the default admin.

Locate the Tool: On the SEPM server, open Windows Explorer and navigate to the following default directory:

64-bit systems: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools.

32-bit systems: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Tools.

Run the File: Double-click the resetpass.bat file. Alternatively, run it via an elevated Command Prompt (Run as Administrator).

Wait and Log In: It may take up to 10 minutes for the changes to take effect. Log in using: Username: admin Password: admin

Update Credentials: You will be prompted to change the password immediately upon login. Method 2: The "Forgot your password?" Link

Use this if your management server is configured with a mail relay to send recovery emails. Open the Symantec Endpoint Protection Manager logon screen. Click the Forgot your password? link. Enter the username and click Temporary Password. symantec endpoint protection manager reset admin password

Check your email for a link to activate a temporary password. Important Troubleshooting Tips Forgot Admin Password - Console | Endpoint Protection

To reset your Symantec Endpoint Protection Manager (SEPM) admin password, you can use the built-in "Forgot your password?" feature or the resetpass.bat command-line tool. These methods ensure you can regain access to your management console even if you have lost your credentials or are locked out. Method 1: Using the "Forgot Your Password" Link

This is the standard recovery method if your SEPM environment is configured with an email server.

Launch the Console: Open the SEPM logon screen on your management server. Request Reset: Click the Forgot your password? link.

Enter Account Details: In the dialog box, type the user name for the account you need to reset. For domain administrators, include the domain name. For local accounts, leave the domain field blank.

Receive Email: Click Temporary Password. You will receive an email containing a link to activate a temporary password.

Update Password: Log in with the temporary password and change it immediately. Method 2: Using the resetpass.bat Tool

If you do not have an email server configured or are in an isolated environment, use the command-line utility located on the server.

Locate the Tool: Open Windows Explorer on the SEPM server and navigate to the Tools folder.

64-bit Systems: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools.

32-bit Systems: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Tools.

Run as Administrator: Right-click Command Prompt and select Run as administrator, then navigate to the directory above using the cd command. Execute Reset: Type resetpass.bat and press Enter.

Wait and Login: Wait approximately 10 minutes for the reset to take effect.

Default Credentials: Log in using the following default credentials: Username: admin Password: admin

Secure the Account: You will be prompted to change the password immediately upon logging in. Advanced Recovery: Troubleshooting the Reset Email

If the "Forgot your password?" link doesn't send an email, you can force the system to reveal the reset link in its internal logs.

Stop the SEPM Service: Use Services.msc to stop the Symantec Endpoint Protection Manager service.

Enable Debug Logging: Edit the conf.properties file (located in ...\Tomcat\etc) and set scm.log.loglevel=FINEST and append scm.mail.troubleshoot=1.

Restart and Capture: Start the service again and request the password reset.

Find the Link: Open the stdout-0.log file in the ...\tomcat\logs\ folder and search for "PasswordServlet" to find the generated reset URL.

Comprehensive Guide to Resetting the Symantec Endpoint Protection Manager (SEPM) Admin Password

Losing access to your Symantec Endpoint Protection Manager (SEPM) console can halt critical security updates and leave your network vulnerable. Whether you’ve forgotten the administrator credentials or are dealing with a lockout, there are two primary methods to regain control: using the built-in password reset tool or the "Forgot Password" email feature. 1. The resetpass.bat Utility (Local Server Access)

If you have physical or remote desktop access to the Windows server running SEPM, the fastest way to recover is using the bundled resetpass.bat script. This utility resets the "admin" account password back to the factory default. Step 1: Log in to the management server computer.

Step 2: Open Windows Explorer and navigate to the SEPM installation directory. The default path is usually:C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools.

Step 3: Locate and double-click the file named resetpass.bat.

Step 4: A command prompt window will briefly appear, confirming that the password has been reset to admin.

Step 5: Launch the SEPM console and log in with the username admin and the password admin.

Critical Action: You must change the password immediately upon logging in to secure the console. 2. The "Forgot Password" Feature (Email Recovery)

If you cannot access the server directly but have configured an email server (SMTP) within SEPM, you can request a temporary password. Step 1: Open the SEPM Login console. Step 2: Click the Forgot your password? link.

Step 3: Enter your username and the email address associated with the account.

Step 4: Check your inbox for an email containing a Temporary Password.

Step 5: Log in using the temporary credentials and update your password immediately. 3. Troubleshooting Common Login Issues

If neither method works, consider these common pitfalls documented by Broadcom Tech Docs:

Account Lockout: SEPM may lock an account after multiple failed attempts. Wait for the lockout period to expire (usually 15-30 minutes) before trying again.

Database Connectivity: If the password reset tool fails, ensure the SEPM database service is running.

Permissions: Ensure you are running the resetpass.bat file with Administrator privileges on the server. Security Best Practices To avoid future lockouts, it is recommended to:

Configure SMTP: Always set up a mail server in SEPM so the "Forgot Password" feature is functional. If you need to reset the Symantec Endpoint

Multiple Admins: Create at least one secondary administrator account for emergency access.

Documentation: Securely store the SEPM "admin" credentials in a company-approved password manager.

For further technical support, you can visit the Broadcom Support Portal or the Symantec Enterprise Community.

To reset the administrator password for Symantec Endpoint Protection Manager (SEPM), you can use the built-in password reset tool or the command-line interface, depending on your version and access level. Reset via ResetPassword.bat (Recommended)

This is the standard method for most versions. It generates a temporary password that you must change upon login.

Navigate to the Tools folder: Open File Explorer on the SEPM server and go to:C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools Run the script: Double-click ResetPassword.bat.

Authentication: A command window will prompt for confirmation. Once completed, it will display a message stating the password has been reset to admin. Log in and Update: Open the SEPM console. Log in with username admin and password admin.

You will be prompted immediately to create a new, secure password. Reset via Command Line (Alternative)

If you prefer using the command line or the .bat file is missing, you can use the reset-password.exe utility.

Path: ..\Symantec Endpoint Protection Manager\bin\reset-password.exe

Command: Run the executable as an Administrator. This follows the same logic as the batch file, reverting the admin account to its default credentials. Troubleshooting and Limitations

Database Connectivity: The reset tool requires a connection to the SEPM database. If the database service is stopped, the reset will fail.

Account Locking: If the account is locked due to too many failed attempts, the reset script typically unlocks it while resetting the password.

FIPS Mode: If SEPM is running in FIPS-compliant mode, ensure you are using the specific tools provided in the FIPS subdirectories.

Conclusion: You’re Back in Control

Resetting a lost admin password in Symantec Endpoint Protection Manager is not a catastrophic failure. Thanks to tools like RecoveryUtil.bat and direct database access, you can regain control of your endpoint security infrastructure in under 15 minutes—without data loss.

Summary of success paths:

Try RecoveryUtil.bat first (official, safe, simple).
Use direct SQL if the utility fails (Sybase or MSSQL).
Restore from backup as a final resort.

Remember that IT security isn’t just about protecting against external threats—it’s also about building resilient processes for internal failures. A documented, tested password recovery procedure is a mark of a mature security operations center.

Now go ahead and reset that password. Your endpoints—and your sanity—will thank you.

Disclaimer: This guide is written for system administrators who own or manage their Symantec Endpoint Protection environment. Unauthorized attempts to reset passwords on systems you do not own may violate computer fraud laws. Always follow your organization’s security policies.

Resetting Your Symantec Endpoint Protection Manager (SEPM) Admin Password

If you have lost access to your Symantec Endpoint Protection Manager (SEPM) console, you can regain entry using several methods depending on your environment's configuration. The most common solution involves using a built-in batch script on the management server. Method 1: Using the resetpass.bat Tool (Recommended)

This tool is included in your SEPM installation and resets the administrator credentials to their default values.

Access the Server: Log into the physical or virtual machine where Symantec Endpoint Protection Manager is installed.

Locate the Tool: Open Windows Explorer and navigate to the following directory:

64-bit systems: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools

32-bit systems: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Tools

Run the Script: Right-click resetpass.bat and select Run as Administrator.

Log In: Wait approximately 10 minutes for the change to take effect. Then, log in with the following default credentials: Username: admin Password: admin

Update Security: You will be prompted to change this temporary password immediately. Ensure your new password meets current complexity requirements (typically 8–16 characters, including uppercase, lowercase, numbers, and special characters). Method 2: Using the "Forgot Your Password?" Link

If your SEPM is configured with a working SMTP mail server, you can use the built-in recovery link. On the SEPM logon screen, click Forgot your password?. Enter the username for the account you wish to reset.

Check your email for a temporary password and activation link.

Troubleshooting: If you don't receive the email, you may need to check the mailConfig.properties file located in the \tomcat\etc\ folder to verify your SMTP settings. Method 3: Advanced Recovery via Log Files

If you cannot receive emails but have access to the server's file system, you can sometimes extract the reset link directly from the system logs.

Enable Debugging: Edit the conf.properties file in ...\Tomcat\etc and set scm.log.loglevel=FINEST and scm.mail.troubleshoot=1.

Restart Service: Restart the Symantec Endpoint Protection Manager service via services.msc.

Extract Link: Trigger the "Forgot Password" request again, then check the stdout-0.log file in the \tomcat\logs\ directory for a phrase like "PasswordServlet." The reset URL should be listed there.

For official technical documentation, visit the Broadcom Support Portal or review troubleshooting tips on the Broadcom Community forums. Conclusion: You’re Back in Control Resetting a lost

Title: The 3:00 AM Cipher

Context: Marta was the sole security administrator for a mid-sized logistics firm. The SEPM console hadn’t been opened in six months because the environment was “set and forget.” That changed at 3:00 AM when a compliance audit alert fired, requiring immediate access to the policy logs. Marta typed in her credentials: Access Denied. She tried the fallback service account: Access Denied. Her heart rate spiked. The previous admin had left the company two years ago, and the password vault was last updated in 2018.

The Procedure (The Story):

Marta knew there was no “Forgot Password?” link on the SEPM login page for a reason. Symantec designed the manager to treat a lost admin password as a potential security breach. She pulled up the archived documentation.

Step 1: The Server Room She walked to the isolated Windows Server 2019 machine hosting the SEPM. She logged into the operating system using local admin credentials—the one password she did have. She stopped the "Symantec Endpoint Protection Manager" service. The console went dark.

Step 2: The Embedded Database Gambit Her firm used the embedded database (a stripped-down Sybase SQL Anywhere). Unlike an external SQL server, this required a different brute-force method. She navigated to the installation directory: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\ASA\win32

She found the utility dbisql.com (Interactive SQL utility). She launched it and connected to the sem5 database using the embedded credentials she found in a long-forgotten .conf file: dba / sql.

Step 3: The Hash Heist Inside the database, she ran the dangerous query:

SELECT USER_NAME, PASSWORD FROM SEM_USER;

The output showed her username: admin. The password field wasn't plain text. It was a salted SHA-1 hash. She couldn't reverse it, but she didn't need to. She just needed to overwrite it.

Step 4: The Factory Reset She generated a hash for a known temporary password ("TempReset123!") using a Python script that mimicked Symantec’s exact salting method (salt + SHA1). She then ran the update command:

UPDATE SEM_USER SET PASSWORD = '[new_hash]' WHERE USER_NAME = 'admin';
COMMIT;

She closed dbisql, started the SEPM service, and held her breath.

The Aftermath She opened the web console. admin / TempReset123!. Access Granted.

She immediately navigated to Admins > Reset Password and enforced a new complex password, storing it in the vault herself. She then checked the audit log. No other changes were made. The compliance alert was resolved by 3:47 AM.

The Lesson Marta learned: If she had been using an external Microsoft SQL database, the process would have required opening SQL Server Management Studio and running an even more arcane stored procedure: exec dbo.sp_reset_admin_password 'admin', 'NewPlainTextPass123!'. But in the chaos of 3:00 AM, the embedded database’s raw SQL access had saved her job.

She made a mental note to configure the SMPT recovery email feature tomorrow. There is always a backdoor in enterprise software—it's just usually made of SQL and desperation.

To reset the Symantec Endpoint Protection Manager (SEPM) administrator password, you can use the built-in "Forgot your password?" link on the logon screen or the resetpass.bat tool located on the management server. Method 1: Console "Forgot your password?" Link

This is the standard recovery method if an email server is configured for your management console. Open the Symantec Endpoint Protection Manager logon screen. Click the Forgot your password? link. Enter the user name for the account you need to reset.

Click Temporary Password. A reset link will be sent to the administrator's registered email address.

Follow the link in the email to activate a temporary password and log in immediately to set a permanent one. Method 2: resetpass.bat Tool (Command Line)

If you cannot receive emails or are locked out entirely, you can manually reset the primary admin account using a batch script on the SEPM server. Default File Location:

64-bit systems: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools\

32-bit systems: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Tools\ Reset Procedure: Open a Command Prompt as an administrator. Navigate to the Tools folder using the cd command. Run the resetpass.bat file.

The administrator username and password will both be reset to admin.

To reset a forgotten administrator password for Symantec Endpoint Protection Manager (SEPM), you can use the built-in "Forgot your password?" link on the logon screen or a command-line tool located on the management server. Method 1: Using the Logon Screen

This is the standard method if you have previously configured an email server in SEPM. Broadcom TechDocs Launch SEPM : Open the management server logon screen. Request Reset : Click the Forgot your password? Enter Credentials

: Provide the user name and domain (leave blank if not using domains) for the account. Check Email Temporary Password to receive an activation link via email. Update Password

: Log in using the temporary credentials and change them immediately. Broadcom TechDocs Method 2: Using the resetpass.bat Tool

If email is not configured or the system is in an isolated environment, you can use a batch file to reset the password to the default "admin". Broadcom Community

To reset the administrator password for Symantec Endpoint Protection Manager (SEPM), you can use the built-in "Forgot your password?" link or run a manual reset script on the management server Broadcom TechDocs Option 1: Using the "Forgot Password" Link

This is the standard method if you have configured an email server (SMTP) in SEPM. Broadcom Community Launch the Symantec Endpoint Protection Manager Forgot your password? link on the logon screen.

(and Domain Name, if applicable) for the account you need to reset. Temporary Password

Check the administrator's email for a link to activate the temporary password. If you aren't receiving the email, you can check the stdout-0.log

file on the SEPM server to find the password reset link manually. Broadcom TechDocs Option 2: Using the resetpass.bat

The feature you are asking about — resetting the admin password in Symantec Endpoint Protection Manager (SEPM) — is typically accomplished through a built-in password recovery mechanism or a manual database reset process, depending on your access level and setup.

Here are the two primary features available for resetting the SEPM admin password:

Part 2: Prerequisites – What You Need Before Starting

Before attempting any password reset, ensure the following:

Local Administrative Access: You must have Windows Administrator privileges on the machine hosting SEPM.
Console Access to the Server: You need to log into the server’s desktop environment (RDP or physical console).
Service Account Knowledge: Identify if SEPM services run under a domain service account or Local System. (If you use a domain account that has expired or changed password, fix that first via Windows Services.)
Backup (Highly Recommended): Backup the SEPM database and the C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\ directory. In-place edits are safe, but a backup is insurance.

Warning: Do not uninstall SEPM to “fix” the password. Uninstalling removes the database and all policies.

3.3 Safe Mode / Recovery Console Method

Boot SEPM in recovery mode if OS-level access lost
Manually edit keystore and properties files (advanced)

5. Security Recommendations

Store recovery passwords in a secure vault
Implement role-based access control (RBAC) with backup admin accounts
Regular backup of SEPM configuration

Comments 6

Veronica
March 14, 2019 at 3:42 am

Thank you so much You are God sent

Log in to Reply
Katie
November 4, 2016 at 9:34 am

This is GREAT! Thanks for sharing!!! Do you have more question stems for other areas of reading?

Log in to Reply
1. Post
  Author
  
  kalena.baker@live.com
  November 7, 2016 at 9:54 am
  
  I currently have some for text features and for character traits. Click the link to go to the questions.
  
  Log in to Reply
  1. Katie
    November 16, 2016 at 1:52 pm
    
    Thanks so much! I would love to know if and when you add more!
    
    Log in to Reply
Lacey
October 26, 2016 at 12:49 pm

Thank you so much!!!

Log in to Reply
Lavelle Stuart
October 9, 2016 at 5:21 pm

Thank you. Some great resources!!

Log in to Reply