cancel
Showing results for 
Search instead for 
Did you mean: 

Reseting administrator, SIDadm & sap service user password

Former Member
0 Kudos

Hi all,

We need to reset the windows administrator password, <SID>adm password and service user password. I am searching for some SAP note showing the possibilities, conflicts and also any changes to be done after resetting the password. please help, also any suggestions about it ?

Regards,

Prakaash

Accepted Solutions (1)

Accepted Solutions (1)

former_member182034
Active Contributor
0 Kudos

hi Prakaash,

Please go through the following link. It might be helpful.

Changing Passwords of the SAP System Users

Regards,

Former Member
0 Kudos

Hi Abdul,

Thanks for your link. I find it very helpful.

Kindly suggest me , if I have to do any other post activities after changing the password, in addition to changing the password in sap service level.

Thanks and Regards,

Prakaash

former_member182034
Active Contributor
0 Kudos

hi Prakaash,

Please have a look at below link.

SAPService<SAPSID>

Regards,

Answers (3)

Answers (3)

Former Member
0 Kudos

Hi,

sometimes I am wondering that basic windows administrative tasks are not known to the people working every day with the operating system.

You have several possibilities to change the password of a user:

  1. logon as this user, press CTRL+ALT+DEL and choose Change Password (in newer Windows Releases Change a password - also of other users)
  2. the command line tool net user (for help just type net help user in a command box)
  3. control panel - user accounts (only local users)
  4. control panel - administrativ tools - computer management - Local Users and Groups
  5. control panel - administrativ tools - Active Directory Users and Computers - right click on the user (only domain accounts)
  6. in Windows 8 or Windows Server 2012 using the powershell cmdlet Set-AdAccountPassword (only Domain Users)

After you changed the password of a users you need to perform following additional actions:

  • Stop all processes and services which are currently using this account
  • update the new password information in all Windows Services which are started using this account.
    This can be done by
    • Control Panel - Services | right click on the Service (SAPPRD_00 for example) - Properties - Log on Tab
    • sc.exe config <ServiceName> -obj ...
    • WMI
  • change the password for all Scheduled Task Jobs started with this user
  • change the password in all persistent and non-persistent Network Authentifications which where created by any user (net use * /u:<the_user_which_password_has_changed> or the appropriate Map Network option in the Windows Explorer
  • update any stored information using the account of the changed user in Windows Password Vault

This Actions have to be performed on every computer (of the domain)

  • which runs a Service using the changed account (domain accounts only)
  • which runs a Scheduled Task using the changed account (domain accounts only)
  • where other users have stored the credentials of this account for persistent UNC access or in password vault

After changing a password in such a complex scenario (specially when running in a domain) you often have the problem that this changed account is locked. The root cause of the locking is that there are login attempts using the old credentials which all will last in logon failures. If the logon attempts during a certain time are higher than a allowed number defined in Domain Policy (may be the default is something like 6 failure attempts in 30 Minutes) the account will be locked by the operating system for a certain time (defineable in the Group Policies of the domain).

The source of the account locks is very hard to identify. It may be:

  • starting services using the old credentials
  • Mapped Network drives of any user using the old credentials of the changed account
  • Any information stored in a users password vault using the old credentials
  • Terminal Sessions using the old credentials.

As you can see, it is less critical to change the password of a user not used for running services or scheduled tasks and not used by other users for accessing UNC paths.

Regards

Peter

csaba_goetz
Contributor
0 Kudos

Hello Prakaash,

Use CTRL+ALT+DELETE to change the password of users. This way the password of service definition of SAP Start Service (SAP<SID>_<NR>) will be changed as well.

Best regards,

Adam

Former Member
0 Kudos

no, this will not work at all:

  1. Changing a password this way only works for interactive users, SAPService<SID> does not have the right to logon as interactive user
  2. I can not imagine that this will change also the passwords for services, scheduled jobs, network connections. This was not the case in the past and I can remember certain scenarios (for example changing the password of a domain user, or change the password for a non-administrative user, which also runs a service, the change of a password of a service requires administrative rights) where this can not work at all.

Peter

csaba_goetz
Contributor
0 Kudos

Hallo Peter,

In this case could you please help prakaash muthusamy how to change the passwords correctly? This information would be very useful for others as well.

LG, Csaba

Former Member
0 Kudos

Hi all ,

Thanks for all your replies.

Hello Peter,

It would be very helpful if you could explain how to change the passwords. I need to change all the three passwords - administrator user, <SID>adm & sap service<SID>.

Thanks all

Prakaash

Former Member
0 Kudos

Prakaash,

You can change the passwords, but also make sure to update the password for any services that are starting with the users. The SAP services are likely started with sapservice<sid>. There may be other services started with windows admin. Also, check any batch jobs that run where password is entered.

maybe an issue if you have TREX: Note 1036078 - TREX 7.0/7.1:<SAPSID>adm/SAPService<SAPSID> password change

Of course, test in sandbox first.

bxiv
Active Contributor
0 Kudos

I would review the Windows services to verify which account starts SAP (typically SAPService<SID>), I would also ensure that your SQL server has the new passwords.