Comprehensive Guide to Resetting the Symantec Endpoint Protection Manager (SEPM) Admin Password
Losing access to your Symantec Endpoint Protection Manager (SEPM) console can halt critical security updates and leave your network vulnerable. Whether you’ve forgotten the administrator credentials or are dealing with a lockout, there are two primary methods to regain control: using the built-in password reset tool or the "Forgot Password" email feature. 1. The resetpass.bat Utility (Local Server Access)
If you have physical or remote desktop access to the Windows server running SEPM, the fastest way to recover is using the bundled resetpass.bat script. This utility resets the "admin" account password back to the factory default. Step 1: Log in to the management server computer.
Step 2: Open Windows Explorer and navigate to the SEPM installation directory. The default path is usually:C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools.
Step 3: Locate and double-click the file named resetpass.bat.
Step 4: A command prompt window will briefly appear, confirming that the password has been reset to admin.
Step 5: Launch the SEPM console and log in with the username admin and the password admin.
Critical Action: You must change the password immediately upon logging in to secure the console. 2. The "Forgot Password" Feature (Email Recovery)
If you cannot access the server directly but have configured an email server (SMTP) within SEPM, you can request a temporary password. Step 1: Open the SEPM Login console. Step 2: Click the Forgot your password? link.
Step 3: Enter your username and the email address associated with the account.
Step 4: Check your inbox for an email containing a Temporary Password.
Step 5: Log in using the temporary credentials and update your password immediately. 3. Troubleshooting Common Login Issues
If neither method works, consider these common pitfalls documented by Broadcom Tech Docs:
Account Lockout: SEPM may lock an account after multiple failed attempts. Wait for the lockout period to expire (usually 15-30 minutes) before trying again.
Database Connectivity: If the password reset tool fails, ensure the SEPM database service is running.
Permissions: Ensure you are running the resetpass.bat file with Administrator privileges on the server. Security Best Practices To avoid future lockouts, it is recommended to:
Configure SMTP: Always set up a mail server in SEPM so the "Forgot Password" feature is functional.
Multiple Admins: Create at least one secondary administrator account for emergency access.
Documentation: Securely store the SEPM "admin" credentials in a company-approved password manager.
For further technical support, you can visit the Broadcom Support Portal or the Symantec Enterprise Community.
Method 1: Reset Admin Password using the SEPM Console
https://<SEPM_SERVER>:<PORT>/sepm (replace <SEPM_SERVER> with the hostname or IP address of your SEPM server and <PORT> with the port number, default is 8443).Method 2: Reset Admin Password using SQL Database
If you are unable to access the SEPM console or if the above method does not work, you can reset the admin password by updating the SQL database directly.
For Microsoft SQL Server:
smdb) from the list of available databases.UPDATE tbl_SEP_Users SET pwd = 'new_password' WHERE uid = 'admin_username'
Replace new_password with the new password you want to set and admin_username with the admin username (default is admin).
For Oracle Database:
SMDB) from the list of available schemas.UPDATE sep_users SET pwd = 'new_password' WHERE uid = 'admin_username'
Replace new_password with the new password you want to set and admin_username with the admin username (default is admin). symantec endpoint protection manager reset admin password
Method 3: Reset Admin Password using Command Line
You can also reset the admin password using the command line.
For Windows:
C:\Program Files\Symantec\Endpoint Protection Manager).java -classpath ".;lib/*" com.symantec.sepm.adminui.AdminConsole -resetpwd -admin <admin_username> -pwd <new_password>
Replace <admin_username> with the admin username (default is admin) and <new_password> with the new password you want to set.
For Linux:
/opt/symantec/endpoint-protection-manager).java -classpath ".:lib/*" com.symantec.sepm.adminui.AdminConsole -resetpwd -admin <admin_username> -pwd <new_password>
Replace <admin_username> with the admin username (default is admin) and <new_password> with the new password you want to set.
Re-login to SEPM Console
After resetting the admin password, re-login to the SEPM console using the new password. Make sure to update any password records or authentication configurations to reflect the new password.
It was 2:00 AM, and the only thing louder than the hum of the server room was the sound of Mark’s own heartbeat.
Mark, the lead systems admin for a mid-sized firm, had just spent four hours trying to mitigate a lateral movement threat. He’d locked down the network, but when he went to log into the Symantec Endpoint Protection Manager (SEPM)
to push a global policy update, the unthinkable happened: "Invalid Username or Password."
He tried his "safe" password. He tried the legacy one. He even tried the one scribbled on a sticky note hidden under the server rack from three years ago. Nothing. The former admin hadn't just left the company; he’d left a digital fortress with the drawbridge pulled up.
Sweat beaded on Mark's forehead. Without SEPM access, the infected endpoints were essentially "dark."
He opened a terminal window on the management server. He knew the drill, but the pressure made his fingers feel like lead. He navigated deep into the directory:
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools\ There it was. The ResetPassword.bat
file. It felt like finding a skeleton key in a haunted house.
He double-clicked. A command prompt flickered to life, demanding a new identity for the 'admin' account. He typed a complex string—half frustration, half hope—and hit Enter. The cursor blinked, a silent judge of his fate. “Password changed successfully.”
Mark didn't cheer. He breathed. He navigated back to the console, entered the new credentials, and watched as the dashboard bloomed into green health status circles. The drawbridge was down. The network was his again. If you'd like to turn this story into a step-by-step guide , let me know: SEPM version (14.x is the most common) If you have access to the server's OS (Windows or Linux) I can give you the exact commands to get back in.
Resetting the Admin Password in Symantec Endpoint Protection Manager
Symantec Endpoint Protection Manager (SEPM) is a comprehensive security solution that provides protection against various types of threats to computers and networks. As with any management console, access to SEPM is controlled through user accounts, with the administrator account holding the highest level of privilege. However, there are instances where the admin password might be forgotten or compromised, necessitating a reset. This essay outlines the steps and considerations involved in resetting the admin password in Symantec Endpoint Protection Manager.
resetpass.bat / resetpass.sh Utilityresetpass.bat (Windows) or resetpass.sh (Linux) from the Tools folderadmin account passwordForgetting the admin password for Symantec Endpoint Protection Manager feels like a crisis, but as you have seen, it is a recoverable situation.
resetpass.bat) – it is fast, official, and effective for most users.Once you regain access, immediately create a secondary admin account and schedule automated configuration backups. Your future self (or your successor) will thank you.
Final Pro Tip: Print this guide (or save it as a PDF) and store it in an envelope inside your server room. When the network is down and the console is locked, you won't be searching Google for "Symantec endpoint protection manager reset admin password" – you will already have the answer in hand.
Disclaimer: The SQL hash provided in this article (symantec) is publicly documented by Broadcom for emergency recovery purposes. Always change this password immediately after recovery and audit your logs for unauthorized access during the recovery window.
Title: The 3:00 AM Cipher
Context: Marta was the sole security administrator for a mid-sized logistics firm. The SEPM console hadn’t been opened in six months because the environment was “set and forget.” That changed at 3:00 AM when a compliance audit alert fired, requiring immediate access to the policy logs. Marta typed in her credentials: Access Denied. She tried the fallback service account: Access Denied. Her heart rate spiked. The previous admin had left the company two years ago, and the password vault was last updated in 2018. Log in to the SEPM console : Open
The Procedure (The Story):
Marta knew there was no “Forgot Password?” link on the SEPM login page for a reason. Symantec designed the manager to treat a lost admin password as a potential security breach. She pulled up the archived documentation.
Step 1: The Server Room She walked to the isolated Windows Server 2019 machine hosting the SEPM. She logged into the operating system using local admin credentials—the one password she did have. She stopped the "Symantec Endpoint Protection Manager" service. The console went dark.
Step 2: The Embedded Database Gambit
Her firm used the embedded database (a stripped-down Sybase SQL Anywhere). Unlike an external SQL server, this required a different brute-force method. She navigated to the installation directory:
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\ASA\win32
She found the utility dbisql.com (Interactive SQL utility). She launched it and connected to the sem5 database using the embedded credentials she found in a long-forgotten .conf file: dba / sql.
Step 3: The Hash Heist Inside the database, she ran the dangerous query:
SELECT USER_NAME, PASSWORD FROM SEM_USER;
The output showed her username: admin. The password field wasn't plain text. It was a salted SHA-1 hash. She couldn't reverse it, but she didn't need to. She just needed to overwrite it.
Step 4: The Factory Reset She generated a hash for a known temporary password ("TempReset123!") using a Python script that mimicked Symantec’s exact salting method (salt + SHA1). She then ran the update command:
UPDATE SEM_USER SET PASSWORD = '[new_hash]' WHERE USER_NAME = 'admin';
COMMIT;
She closed dbisql, started the SEPM service, and held her breath.
The Aftermath
She opened the web console. admin / TempReset123!. Access Granted.
She immediately navigated to Admins > Reset Password and enforced a new complex password, storing it in the vault herself. She then checked the audit log. No other changes were made. The compliance alert was resolved by 3:47 AM.
The Lesson Marta learned:
If she had been using an external Microsoft SQL database, the process would have required opening SQL Server Management Studio and running an even more arcane stored procedure: exec dbo.sp_reset_admin_password 'admin', 'NewPlainTextPass123!'. But in the chaos of 3:00 AM, the embedded database’s raw SQL access had saved her job.
She made a mental note to configure the SMPT recovery email feature tomorrow. There is always a backdoor in enterprise software—it's just usually made of SQL and desperation.
Forgetting the administrator password for Symantec Endpoint Protection Manager (SEPM) can feel like being locked out of your own high-security vault. Fortunately, Symantec provides built-in "emergency keys" to regain entry. 1. The Standard "Forgot Your Password?" Link
If you have configured a working email server (SMTP) in your SEPM settings, this is your quickest route.
The Action: On the SEPM logon screen, click Forgot your password?.
The Result: Type your username and click Temporary Password. An email will be sent with a reset link.
Catch-22: This only works if your SMTP relay and recovery email were set up before you lost access. 2. The Power Move: resetpass.bat
In isolated environments or cases where email isn't configured, Symantec provides a specific batch script located directly on the management server.
Location: Navigate to C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools. The Execution: Open a Command Prompt as Administrator. Run resetpass.bat.
The Reset: This script forcefully reverts the admin account name and password to the default: admin / admin.
Pro Tip: You must change this default password immediately after logging back in for security compliance. 3. The "Deep Log" Extraction (Advanced)
If you’ve requested a reset email but it never arrives (common in restrictive networks), you can sometimes "catch" the link from the server's own logs.
The Trick: Increase the SEPM loglevel to FINEST in the conf.properties file and add scm.mail.troubleshoot=1.
The Find: After restarting the service and requesting the password again, search the stdout-0.log file for the phrase "PasswordServlet". The actual reset URL is often hidden right there in the text. 4. Important Constraints to Remember
If you need to reset the Symantec Endpoint Protection Manager (SEPM) Method 2: Reset Admin Password using SQL Database
admin password, the process is straightforward but requires access to the management server's file system. Password Reset Methods According to technical documentation from , there are two primary ways to handle this: resetpass.bat
: This is the most common "local" fix if you are locked out. Navigate to the folder in your SEPM installation directory (usually
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools resetpass.bat This resets the default account password to : Log in immediately and change this to a secure password. The "Forgot Password" Link
: If your SEPM is configured with an email server, you can use the link on the login console. Enter your username and click Forgot Password
A temporary password will be sent to the administrator's email address on file. Broadcom Community Common Troubleshooting Account Lockouts
: If the account is locked due to too many failed attempts, running resetpass.bat will also typically unlock it. Console Access
: You must perform the batch file reset directly on the computer running the SEPM software. Configuration Wizard : If the batch file fails, some users perform a Broadcom Knowledge Base
through the Control Panel to trigger the Management Server Configuration Wizard, which allows for re-configuring the admin credentials. Broadcom Community
If you're having trouble locating the installation directory or if the batch file isn't working,
would you like help troubleshooting your specific SEPM version or server setup? How can I unlock my admin user? | Endpoint Protection
To reset the Symantec Endpoint Protection Manager (SEPM) administrator password, you can use the built-in "Forgot your password?" link on the logon screen or the resetpass.bat tool located on the management server. Method 1: Console "Forgot your password?" Link
This is the standard recovery method if an email server is configured for your management console. Open the Symantec Endpoint Protection Manager logon screen. Click the Forgot your password? link. Enter the user name for the account you need to reset.
Click Temporary Password. A reset link will be sent to the administrator's registered email address.
Follow the link in the email to activate a temporary password and log in immediately to set a permanent one. Method 2: resetpass.bat Tool (Command Line)
If you cannot receive emails or are locked out entirely, you can manually reset the primary admin account using a batch script on the SEPM server. Default File Location:
64-bit systems: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools\
32-bit systems: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Tools\ Reset Procedure: Open a Command Prompt as an administrator. Navigate to the Tools folder using the cd command. Run the resetpass.bat file.
The administrator username and password will both be reset to admin.
Log in with these credentials and change the password immediately. Troubleshooting Locked Accounts
The feature you are asking about — resetting the admin password in Symantec Endpoint Protection Manager (SEPM) — is typically accomplished through a built-in password recovery mechanism or a manual database reset process, depending on your access level and setup.
Here are the two primary features available for resetting the SEPM admin password:
To avoid needing another Symantec Endpoint Protection Manager reset admin password in the future:
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\ASA\win32\
dbisql:
dbisql -c "UID=dba;PWD=sql;DBF=C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\db\sem5.db"
sql. If changed, you’ll need the correct one.)UPDATE SEM5.USER_LIST SET USER_PASSWORD = '5f4dcc3b5aa765d61d8327deb882cf99' WHERE USER_NAME = 'admin';
COMMIT;
5f4dcc3b5aa765d61d8327deb882cf99 is an MD5 hash of the word password. This sets the admin password to password (lowercase).admin / password. Change it immediately via the console.Always ensure you have a recent backup of your SEPM database before making significant changes. If you're uncomfortable performing these steps or if issues arise, consider contacting Symantec technical support for assistance.
By following these steps, you should be able to reset the admin password for your Symantec Endpoint Protection Manager.
If password recovery was enabled during installation or by a previous admin, the SEPM web console includes a self-service password reset feature.
<SEPM_Server>:8443/sepm).