Severe problem: admin account lost

former_member38077 (Participant)

Hi all,

I am supporting a system (SAP BW 3.5) for which I am the last one still doing any development. Now I have a problem: I locked my account on the development box, but there isn't anybody who is able to unlock it.

I have already tried the standard accounts like SAP* and DDIC, but in vain.

Does anybody have an idea what I can do?

Thanks, Thomas

Edited by: Thomas Rohmann on Oct 26, 2010 4:18 PM


sdipanjan (Active Contributor)

Hi,

The ID can only be unlocked by accessing it with another dialog/service user ID in the same system. Another option would be to do a remote login with RFC from another system and then unlock your ID. But for that the CPIC / RICEF / ALEREMOTE ID should have security admin access in this system.

Please try asking one of your admin colleagues who may have the password of SAP*, DDIC or a similar superuser ID to unlock it, if they don't have the access in their own ID.

Regards,

Dipanjan

Former Member

Hi,

If you were not successful logging in through a super ID such as SAP*/DDIC, an alternative is to get the password reset at the database level. Below is the SQL statement:

Delete from usr02 where bname = 'SAP*' and mandt = '<client #>';

Replace client # with the actual client number in which you wish to delete the SAP* ID. The SAP* ID is available in the SAP Code and when it is deleted from the USR02 table, the ID which is in the code with the default password will be active, which allows you to login and unlock your ID.

However, ensure that you change the password for SAP* immediately.

If you remember the password for your user ID, you can get it unlocked with the below statement:

update sap<SID>.usr02 set uflag=0 where bname='userid' and mandt='<clientno>';

Rgds,

Raghu

> Hi,
>
> If you were not successful logging in through a super ID such as SAP*/DDIC, an alternative is to get the password reset at the database level. Below is the SQL statement:
>
> Delete from usr02 where bname = 'SAP*' and mandt = '<client #>';
>
> [...]
>
> Rgds,
> Raghu

Is this really a good suggestion for a non-admin user? If anyone who forgets his password is going to follow this route, then what kind of security and control are we consulting on?

Regards,

Dipanjan

It might actually be a really, really good idea!

We can email the instructions to all our users in case they forget their password or lock themselves out - it'll save us hours of password reset/unlock admin!!!!

Now for an MM tcode to delete all material masters - sure, we don't need all those in PROD.

Cheers

David

P.S. ...only kidding but very clever answer

martin_voros (Active Contributor)

Hi,

Do you have access to any account which can change values in the debugger? If yes, then you should be able to unlock your user with this account by overcoming the authorization checks in the debugger. Otherwise direct access to the DB or recovering SAP* sounds like the only way for you. After you are successful you should create an emergency user with the password stored in a safe for this type of situation.

Cheers


Hi

I don't agree with creating a backup user with a stored password.

The SAP* recovery is the correct one, as shown to me by somebody I would trust explicitly in Security (hi JC); it's just a question of whether this level of knowledge should go out to such a wide community.

I have to admit to not knowing how to use this pixie dust stuff and will avoid it unless pushed into a really bad place.

JC wrote: if parameter login/no_automatic_user_sapstar has been set to a value greater than 0, it will prevent the automatic regeneration of the user.

The rest is too techie.

This all goes over my head

Cheers David

Is this thread risky to any business?

Edited by: David Berry on Oct 26, 2010 8:52 PM


Hi,

I agree with the recommendation that you should never use the SAP* account. Instead you should create another account with SAP_ALL and use this account only in emergencies, together with the administrators. I understand why SAP implemented SAP* recovery. The problem is that you need to restart your servers to modify the profile parameter, and smart users will notice. With a backup account you just need to speak with the guy who is responsible for it and get it from him.

This knowledge is already out there. Just search and you will get many results for "SAP* forgotten password". If anybody has direct access to the DB then you can throw away all your authorizations. That user is god and can do whatever she wants.

Cheers
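The DB-level recovery that Raghu posted and the login/no_automatic_user_sapstar caveat that David relays from JC belong together, so here they are as one worked sequence. This is an added example, not code from the thread or from SAP; it assumes an ABAP schema named sapr3 (as on many BW 3.5 systems), client 100 and a locked user called THOMAS, all of which you must replace with your own values. It is meant to be run by the database owner from the DB console, and it puts the non-destructive unlock before the SAP* deletion, because the UPDATE is enough whenever the user still knows his password.

```sql
-- Added example (not from the thread). Assumed values: schema sapr3,
-- client 100, locked user THOMAS. Run as the DB owner, not from ABAP.

-- 1. Look before you touch: which users are locked, and why?
--    USR02-UFLAG is a bit mask: 0 = unlocked, 32 = locked globally by
--    an administrator, 64 = locked locally by an administrator,
--    128 = locked after too many failed logons (LOCNT is the counter).
SELECT mandt, bname, uflag, locnt, trdat
  FROM sapr3.usr02
 WHERE mandt = '100'
   AND bname IN ('THOMAS', 'SAP*', 'DDIC');

-- 2. Preferred fix: clear the lock on the existing user and keep its
--    password hash. This is Raghu's second statement, with the failed
--    logon counter reset as well. Only useful if the password is known.
UPDATE sapr3.usr02
   SET uflag = 0,
       locnt = 0
 WHERE mandt = '100'
   AND bname = 'THOMAS';
COMMIT;

-- 3. Last resort: re-enable the kernel's built-in SAP* (Raghu's first
--    statement). Deleting the row only helps when the profile parameter
--    login/no_automatic_user_sapstar is 0; with the secure value 1 the
--    kernel refuses the built-in user, and changing the parameter needs
--    an instance restart, which is visible and must be logged as an
--    emergency change. The built-in SAP* logs on with the documented
--    default password PASS and has unrestricted authorizations.
DELETE FROM sapr3.usr02
 WHERE mandt = '100'
   AND bname = 'SAP*';
COMMIT;
-- Afterwards: log on as SAP*, unlock THOMAS in SU01, re-create SAP* in
-- SU01 with a new strong password and lock it, set
-- login/no_automatic_user_sapstar = 1 again, restart, and review the
-- security audit log (SM20) for the interval.

-- 4. Verify that no client is left with a missing, i.e. auto-enabled,
--    SAP* row once the emergency is over.
SELECT c.mandt
  FROM sapr3.t000 c
  LEFT JOIN sapr3.usr02 u
         ON u.mandt = c.mandt
        AND u.bname = 'SAP*'
 WHERE u.bname IS NULL;
```

Step 4 is the check a reviewer will ask for later: a client whose SAP* row is absent while login/no_automatic_user_sapstar is 0 is a standing backdoor with a well-known password, so the query should return no rows on a system that is back in normal operation.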

> Cheers David
> Is this thread risky to any business?

Nah, this stuff has been abused & then shared by SAP bods the world over.....

If a company lets "normal" users anywhere near being able to delete lines at DB level then they deserve whatever they get.


Thanks Alex

Good to know.

Cheers

David


Hi

My 'gut feeling' is still to say no to a backup user with a password known by somebody. Sorry, but it's like creating a FF ID and keeping the password just in case.

I'm probably way off base, but I just don't like a user (whoever it may be) having such access, and access that could be abused.

Cheers

David

My tuppence worth

Former Member

Duplicate posting to multiple forums looking for hacks and not even following up on your posts is not acceptable forum netiquette....

Now you are locked out of here as well. Next time your user ID will be deleted and you are not SAP* ...

Thread locked.