Forgetting the administrator password for Symantec Endpoint Protection Manager (SEPM) can feel like being locked out of your own high-security vault. Fortunately, Symantec provides built-in "emergency keys" to regain entry. 1. The Standard "Forgot Your Password?" Link
If you have configured a working email server (SMTP) in your SEPM settings, this is your quickest route.
The Action: On the SEPM logon screen, click Forgot your password?.
The Result: Type your username and click Temporary Password. An email will be sent with a reset link.
Catch-22: This only works if your SMTP relay and recovery email were set up before you lost access. 2. The Power Move: resetpass.bat
In isolated environments or cases where email isn't configured, Symantec provides a specific batch script located directly on the management server.
Location: Navigate to C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools. The Execution: Open a Command Prompt as Administrator. Run resetpass.bat.
The Reset: This script forcefully reverts the admin account name and password to the default: admin / admin.
Pro Tip: You must change this default password immediately after logging back in for security compliance. 3. The "Deep Log" Extraction (Advanced)
If you’ve requested a reset email but it never arrives (common in restrictive networks), you can sometimes "catch" the link from the server's own logs.
The Trick: Increase the SEPM loglevel to FINEST in the conf.properties file and add scm.mail.troubleshoot=1.
The Find: After restarting the service and requesting the password again, search the stdout-0.log file for the phrase "PasswordServlet". The actual reset URL is often hidden right there in the text. 4. Important Constraints to Remember
Method 1: Reset Admin Password using the SEPM Console
https://<SEPM_SERVER>:<PORT>/sepm (replace <SEPM_SERVER> with the hostname or IP address of your SEPM server and <PORT> with the port number, default is 8443).Method 2: Reset Admin Password using SQL Database
If you are unable to access the SEPM console or if the above method does not work, you can reset the admin password by updating the SQL database directly.
For Microsoft SQL Server:
smdb) from the list of available databases.UPDATE tbl_SEP_Users SET pwd = 'new_password' WHERE uid = 'admin_username'
Replace new_password with the new password you want to set and admin_username with the admin username (default is admin).
For Oracle Database:
SMDB) from the list of available schemas.UPDATE sep_users SET pwd = 'new_password' WHERE uid = 'admin_username'
Replace new_password with the new password you want to set and admin_username with the admin username (default is admin).
Method 3: Reset Admin Password using Command Line
You can also reset the admin password using the command line.
For Windows:
C:\Program Files\Symantec\Endpoint Protection Manager).java -classpath ".;lib/*" com.symantec.sepm.adminui.AdminConsole -resetpwd -admin <admin_username> -pwd <new_password>
Replace <admin_username> with the admin username (default is admin) and <new_password> with the new password you want to set.
For Linux:
/opt/symantec/endpoint-protection-manager).java -classpath ".:lib/*" com.symantec.sepm.adminui.AdminConsole -resetpwd -admin <admin_username> -pwd <new_password>
Replace <admin_username> with the admin username (default is admin) and <new_password> with the new password you want to set.
Re-login to SEPM Console
After resetting the admin password, re-login to the SEPM console using the new password. Make sure to update any password records or authentication configurations to reflect the new password.
Resetting Your Symantec Endpoint Protection Manager (SEPM) Admin Password
If you have lost access to your Symantec Endpoint Protection Manager (SEPM) console, you can regain entry using several methods depending on your environment's configuration. The most common solution involves using a built-in batch script on the management server. Method 1: Using the resetpass.bat Tool (Recommended)
This tool is included in your SEPM installation and resets the administrator credentials to their default values.
Access the Server: Log into the physical or virtual machine where Symantec Endpoint Protection Manager is installed.
Locate the Tool: Open Windows Explorer and navigate to the following directory:
64-bit systems: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools
32-bit systems: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Tools
Run the Script: Right-click resetpass.bat and select Run as Administrator.
Log In: Wait approximately 10 minutes for the change to take effect. Then, log in with the following default credentials: Username: admin Password: admin
Update Security: You will be prompted to change this temporary password immediately. Ensure your new password meets current complexity requirements (typically 8–16 characters, including uppercase, lowercase, numbers, and special characters). Method 2: Using the "Forgot Your Password?" Link
If your SEPM is configured with a working SMTP mail server, you can use the built-in recovery link. On the SEPM logon screen, click Forgot your password?. Enter the username for the account you wish to reset.
Check your email for a temporary password and activation link.
Troubleshooting: If you don't receive the email, you may need to check the mailConfig.properties file located in the \tomcat\etc\ folder to verify your SMTP settings. Method 3: Advanced Recovery via Log Files
If you cannot receive emails but have access to the server's file system, you can sometimes extract the reset link directly from the system logs. symantec endpoint protection manager reset admin password
Enable Debugging: Edit the conf.properties file in ...\Tomcat\etc and set scm.log.loglevel=FINEST and scm.mail.troubleshoot=1.
Restart Service: Restart the Symantec Endpoint Protection Manager service via services.msc.
Extract Link: Trigger the "Forgot Password" request again, then check the stdout-0.log file in the \tomcat\logs\ directory for a phrase like "PasswordServlet." The reset URL should be listed there.
For official technical documentation, visit the Broadcom Support Portal or review troubleshooting tips on the Broadcom Community forums.
To reset the Administrator password for Symantec Endpoint Protection Manager (SEPM), you use the built-in ResetPass.bat utility located in the installation directory.
Note: This procedure only works for the default "admin" username. If you created a custom administrator username and forgot it, you must log in with another administrator account to reset it, or reinstall the management server.
Here is the step-by-step guide.
Step 1: Install a Fresh SEPM Install the exact same version of SEPM on a new server (or the same server after an OS reinstall). Use the same installation path if possible.
Step 2: Stop the New SEPM Services Stop the SEPM Manager service on the new installation.
Step 3: Replace the Database
db folder.sem5.db file.sem5.db file from your backup into this folder.Step 4: Run the Configuration Wizard
admin password, you will hit a wall because you don't know it. However, you can now run Method 1 (resetpass.bat) on this "recovered" installation, as the database is intact but the password hash is now writable.Step 5: Reset via Method 1
Run resetpass.bat on the new server. Because the database is a clone of your old one, the script will successfully reset the password.
dbisql.com, which is found in the SEPM installation /ASA/win32 or /ASA/win64 folder.Resetting the SEPM admin password is feasible without reinstallation using built‑in tools, provided the operator has local system access.
If you’d prefer the actual step-by-step commands to perform the reset, just say so, and I’ll provide them.
To reset a forgotten administrator password for Symantec Endpoint Protection Manager (SEPM), you can use the built-in "Forgot your password?" link on the logon screen or a command-line tool located on the management server. Method 1: Using the Logon Screen
This is the standard method if you have previously configured an email server in SEPM. Broadcom TechDocs Launch SEPM : Open the management server logon screen. Request Reset : Click the Forgot your password? Enter Credentials
: Provide the user name and domain (leave blank if not using domains) for the account. Check Email Temporary Password to receive an activation link via email. Update Password
: Log in using the temporary credentials and change them immediately. Broadcom TechDocs Method 2: Using the resetpass.bat Tool
If email is not configured or the system is in an isolated environment, you can use a batch file to reset the password to the default "admin". Broadcom Community
To reset the administrator password for Symantec Endpoint Protection Manager (SEPM), you can use the built-in password reset tool or the command-line interface, depending on your version and access level. Reset via ResetPassword.bat (Recommended)
This is the standard method for most versions. It generates a temporary password that you must change upon login.
Navigate to the Tools folder: Open File Explorer on the SEPM server and go to:C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools Run the script: Double-click ResetPassword.bat.
Authentication: A command window will prompt for confirmation. Once completed, it will display a message stating the password has been reset to admin. Log in and Update: Open the SEPM console. Log in with username admin and password admin.
You will be prompted immediately to create a new, secure password. Reset via Command Line (Alternative)
If you prefer using the command line or the .bat file is missing, you can use the reset-password.exe utility.
Path: ..\Symantec Endpoint Protection Manager\bin\reset-password.exe
Command: Run the executable as an Administrator. This follows the same logic as the batch file, reverting the admin account to its default credentials. Troubleshooting and Limitations
Database Connectivity: The reset tool requires a connection to the SEPM database. If the database service is stopped, the reset will fail.
Account Locking: If the account is locked due to too many failed attempts, the reset script typically unlocks it while resetting the password.
FIPS Mode: If SEPM is running in FIPS-compliant mode, ensure you are using the specific tools provided in the FIPS subdirectories.
Comprehensive Guide to Resetting the Symantec Endpoint Protection Manager (SEPM) Admin Password
Losing access to your Symantec Endpoint Protection Manager (SEPM) console can halt critical security updates and leave your network vulnerable. Whether you’ve forgotten the administrator credentials or are dealing with a lockout, there are two primary methods to regain control: using the built-in password reset tool or the "Forgot Password" email feature. 1. The resetpass.bat Utility (Local Server Access)
If you have physical or remote desktop access to the Windows server running SEPM, the fastest way to recover is using the bundled resetpass.bat script. This utility resets the "admin" account password back to the factory default. Step 1: Log in to the management server computer.
Step 2: Open Windows Explorer and navigate to the SEPM installation directory. The default path is usually:C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools.
Step 3: Locate and double-click the file named resetpass.bat.
Step 4: A command prompt window will briefly appear, confirming that the password has been reset to admin.
Step 5: Launch the SEPM console and log in with the username admin and the password admin.
Critical Action: You must change the password immediately upon logging in to secure the console. 2. The "Forgot Password" Feature (Email Recovery)
If you cannot access the server directly but have configured an email server (SMTP) within SEPM, you can request a temporary password. Step 1: Open the SEPM Login console. Step 2: Click the Forgot your password? link.
Step 3: Enter your username and the email address associated with the account. Log in to the SEPM console : Open
Step 4: Check your inbox for an email containing a Temporary Password.
Step 5: Log in using the temporary credentials and update your password immediately. 3. Troubleshooting Common Login Issues
If neither method works, consider these common pitfalls documented by Broadcom Tech Docs:
Account Lockout: SEPM may lock an account after multiple failed attempts. Wait for the lockout period to expire (usually 15-30 minutes) before trying again.
Database Connectivity: If the password reset tool fails, ensure the SEPM database service is running.
Permissions: Ensure you are running the resetpass.bat file with Administrator privileges on the server. Security Best Practices To avoid future lockouts, it is recommended to:
Configure SMTP: Always set up a mail server in SEPM so the "Forgot Password" feature is functional.
Multiple Admins: Create at least one secondary administrator account for emergency access.
Documentation: Securely store the SEPM "admin" credentials in a company-approved password manager.
For further technical support, you can visit the Broadcom Support Portal or the Symantec Enterprise Community.
Before attempting to reset the admin password, it is crucial to ensure that you have the necessary permissions and access rights to perform the operation. Additionally, taking a backup of the SEPM database and configuration is highly recommended. This precautionary measure ensures that in case anything goes wrong during the password reset process, you can restore the system to its previous state without data loss.
Resetting the admin password in Symantec Endpoint Protection Manager can be achieved through the console, direct database modification, or command-line tools. The choice of method depends on the access level you have and the specific situation. Regardless of the method chosen, caution is advised to prevent loss of data or system instability. Regular backups and adherence to security best practices can mitigate the risks associated with password resets and maintain the integrity of your SEPM environment.
It was 2:00 AM, and the only thing louder than the hum of the server room was the sound of Mark’s own heartbeat.
Mark, the lead systems admin for a mid-sized firm, had just spent four hours trying to mitigate a lateral movement threat. He’d locked down the network, but when he went to log into the Symantec Endpoint Protection Manager (SEPM)
to push a global policy update, the unthinkable happened: "Invalid Username or Password."
He tried his "safe" password. He tried the legacy one. He even tried the one scribbled on a sticky note hidden under the server rack from three years ago. Nothing. The former admin hadn't just left the company; he’d left a digital fortress with the drawbridge pulled up.
Sweat beaded on Mark's forehead. Without SEPM access, the infected endpoints were essentially "dark."
He opened a terminal window on the management server. He knew the drill, but the pressure made his fingers feel like lead. He navigated deep into the directory:
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools\ There it was. The ResetPassword.bat
file. It felt like finding a skeleton key in a haunted house.
He double-clicked. A command prompt flickered to life, demanding a new identity for the 'admin' account. He typed a complex string—half frustration, half hope—and hit Enter. The cursor blinked, a silent judge of his fate. “Password changed successfully.”
Mark didn't cheer. He breathed. He navigated back to the console, entered the new credentials, and watched as the dashboard bloomed into green health status circles. The drawbridge was down. The network was his again. If you'd like to turn this story into a step-by-step guide , let me know: SEPM version (14.x is the most common) If you have access to the server's OS (Windows or Linux) I can give you the exact commands to get back in.
To reset your Symantec Endpoint Protection Manager (SEPM) admin password, you can use the built-in "Forgot your password?" feature or the resetpass.bat command-line tool. These methods ensure you can regain access to your management console even if you have lost your credentials or are locked out. Method 1: Using the "Forgot Your Password" Link
This is the standard recovery method if your SEPM environment is configured with an email server.
Launch the Console: Open the SEPM logon screen on your management server. Request Reset: Click the Forgot your password? link.
Enter Account Details: In the dialog box, type the user name for the account you need to reset. For domain administrators, include the domain name. For local accounts, leave the domain field blank.
Receive Email: Click Temporary Password. You will receive an email containing a link to activate a temporary password.
Update Password: Log in with the temporary password and change it immediately. Method 2: Using the resetpass.bat Tool
If you do not have an email server configured or are in an isolated environment, use the command-line utility located on the server.
Locate the Tool: Open Windows Explorer on the SEPM server and navigate to the Tools folder.
64-bit Systems: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools.
32-bit Systems: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Tools.
Run as Administrator: Right-click Command Prompt and select Run as administrator, then navigate to the directory above using the cd command. Execute Reset: Type resetpass.bat and press Enter.
Wait and Login: Wait approximately 10 minutes for the reset to take effect.
Default Credentials: Log in using the following default credentials: Username: admin Password: admin
Secure the Account: You will be prompted to change the password immediately upon logging in. Advanced Recovery: Troubleshooting the Reset Email
If the "Forgot your password?" link doesn't send an email, you can force the system to reveal the reset link in its internal logs.
Stop the SEPM Service: Use Services.msc to stop the Symantec Endpoint Protection Manager service.
Enable Debug Logging: Edit the conf.properties file (located in ...\Tomcat\etc) and set scm.log.loglevel=FINEST and append scm.mail.troubleshoot=1.
Restart and Capture: Start the service again and request the password reset. Method 2: Reset Admin Password using SQL Database
Find the Link: Open the stdout-0.log file in the ...\tomcat\logs\ folder and search for "PasswordServlet" to find the generated reset URL.
To reset the administrator password for Symantec Endpoint Protection Manager (SEPM), you can use the built-in "Forgot your password?" link or run a manual reset script on the management server Broadcom TechDocs Option 1: Using the "Forgot Password" Link
This is the standard method if you have configured an email server (SMTP) in SEPM. Broadcom Community Launch the Symantec Endpoint Protection Manager Forgot your password? link on the logon screen.
(and Domain Name, if applicable) for the account you need to reset. Temporary Password
Check the administrator's email for a link to activate the temporary password. If you aren't receiving the email, you can check the stdout-0.log
file on the SEPM server to find the password reset link manually. Broadcom TechDocs Option 2: Using the resetpass.bat
To reset the Symantec Endpoint Protection Manager (SEPM) administrator password, you can use the built-in "Forgot your password?" link on the logon screen or the resetpass.bat tool located on the management server. Method 1: Console "Forgot your password?" Link
This is the standard recovery method if an email server is configured for your management console. Open the Symantec Endpoint Protection Manager logon screen. Click the Forgot your password? link. Enter the user name for the account you need to reset.
Click Temporary Password. A reset link will be sent to the administrator's registered email address.
Follow the link in the email to activate a temporary password and log in immediately to set a permanent one. Method 2: resetpass.bat Tool (Command Line)
If you cannot receive emails or are locked out entirely, you can manually reset the primary admin account using a batch script on the SEPM server. Default File Location:
64-bit systems: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools\
32-bit systems: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Tools\ Reset Procedure: Open a Command Prompt as an administrator. Navigate to the Tools folder using the cd command. Run the resetpass.bat file.
The administrator username and password will both be reset to admin.
Log in with these credentials and change the password immediately. Troubleshooting Locked Accounts
To reset the admin password for Symantec Endpoint Protection Manager (SEPM)
, you can use the built-in self-service link or a command-line tool depending on your access and version. 1. "Forgot Your Password?" Link (Recommended)
If you have a configured mail server, this is the official way to regain access. Broadcom TechDocs Access the Link:
On the management server, open the SEPM logon screen and click Forgot your password? Submit Details:
Enter your username (and domain if applicable) in the dialog box and click Temporary Password Email Reset:
You will receive an email with a link to activate a temporary password, which must be changed immediately after logging in. Broadcom TechDocs resetpass.bat
If you cannot use the email method, you can use a local batch file on the management server to reset the account. Broadcom Community Navigate to the folder in the SEPM installation directory: 64-bit default:
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools 32-bit default:
C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Tools Execution:
Run a Command Prompt as administrator, navigate to this folder, and execute resetpass.bat Both the username and password will be reset to
This tool is natively present in older versions (like 12.1 and lower); for newer versions, you may need to obtain it from Symantec Technical Support or recreate it manually if you have the script contents. Broadcom Community 3. Log Retrieval (Isolated Environments)
If the server is in an isolated environment without email access, you can sometimes find the reset link in the server logs: Broadcom support portal Enable troubleshoot logging by editing conf.properties Tomcat\etc scm.mail.troubleshoot=1 to the file and restart the SEPM service. Request a password reset via the console, then check stdout-0.log tomcat\logs folder for the PasswordServlet entry containing the reset link. Broadcom support portal resetpass.bat file to try creating it manually on your server?
Title: The 3:00 AM Cipher
Context: Marta was the sole security administrator for a mid-sized logistics firm. The SEPM console hadn’t been opened in six months because the environment was “set and forget.” That changed at 3:00 AM when a compliance audit alert fired, requiring immediate access to the policy logs. Marta typed in her credentials: Access Denied. She tried the fallback service account: Access Denied. Her heart rate spiked. The previous admin had left the company two years ago, and the password vault was last updated in 2018.
The Procedure (The Story):
Marta knew there was no “Forgot Password?” link on the SEPM login page for a reason. Symantec designed the manager to treat a lost admin password as a potential security breach. She pulled up the archived documentation.
Step 1: The Server Room She walked to the isolated Windows Server 2019 machine hosting the SEPM. She logged into the operating system using local admin credentials—the one password she did have. She stopped the "Symantec Endpoint Protection Manager" service. The console went dark.
Step 2: The Embedded Database Gambit
Her firm used the embedded database (a stripped-down Sybase SQL Anywhere). Unlike an external SQL server, this required a different brute-force method. She navigated to the installation directory:
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\ASA\win32
She found the utility dbisql.com (Interactive SQL utility). She launched it and connected to the sem5 database using the embedded credentials she found in a long-forgotten .conf file: dba / sql.
Step 3: The Hash Heist Inside the database, she ran the dangerous query:
SELECT USER_NAME, PASSWORD FROM SEM_USER;
The output showed her username: admin. The password field wasn't plain text. It was a salted SHA-1 hash. She couldn't reverse it, but she didn't need to. She just needed to overwrite it.
Step 4: The Factory Reset She generated a hash for a known temporary password ("TempReset123!") using a Python script that mimicked Symantec’s exact salting method (salt + SHA1). She then ran the update command:
UPDATE SEM_USER SET PASSWORD = '[new_hash]' WHERE USER_NAME = 'admin';
COMMIT;
She closed dbisql, started the SEPM service, and held her breath.
The Aftermath
She opened the web console. admin / TempReset123!. Access Granted.
She immediately navigated to Admins > Reset Password and enforced a new complex password, storing it in the vault herself. She then checked the audit log. No other changes were made. The compliance alert was resolved by 3:47 AM.
The Lesson Marta learned:
If she had been using an external Microsoft SQL database, the process would have required opening SQL Server Management Studio and running an even more arcane stored procedure: exec dbo.sp_reset_admin_password 'admin', 'NewPlainTextPass123!'. But in the chaos of 3:00 AM, the embedded database’s raw SQL access had saved her job.
She made a mental note to configure the SMPT recovery email feature tomorrow. There is always a backdoor in enterprise software—it's just usually made of SQL and desperation.
sem5.db file but no knowledge of the old password.