I’ve had a look at archive posts and it seems some folks have tried changing the manager account password and it went wrong and they fixed and some comment and opinion but no “right” process offered up.
I want to change the manager account password as the default password which it has been for some time is really, really bugging me as we are tightening up password/access controls across the org. When our E10 was setup the admin console settings and task agents were configured to use manager and the default password.
Rather than cause a space time continuum disruption by just changing the password of the account that the admin console is using to manage E10 and causing it to be inaccessible/unrecoverable i thought I would ask if there an accepted progress for changing the manager account password and indeed is it standard practice to not use the manager account for things like the task agent and admin console.
Ultimately I am going to test this on a sandbox server anyway but just looking for heads up to save wasting time disappearing down known rabbit holes.
If you have forgotten the “manager” password, there is this SQL Script which can be run to reset the password to be “manager”:
UPDATE Ice.SysUserFile
SET Password = ‘PdnCdntJTEbfFOoePs4QxV/nD4lndJGMFug64ojqiTYyVC75OYeQcA==’
WHERE UserID = ‘manager’;
UPDATE Erp.UserFile
SET PassWord = ‘PdnCdntJTEbfFOoePs4QxV/nD4lndJGMFug64ojqiTYyVC75OYeQcA==’
WHERE DcdUserID = ‘manager’;
UPDATE Ice.SysUserFile SET UserDisabled = 0 WHERE UserID = ‘manager’;
UPDATE Erp.UserFile SET UserDisabled = 0 WHERE DcdUserID = ‘manager’;
UPDATE Ice.SysUserFile SET PwdExpires = null WHERE UserID = ‘manager’;
UPDATE Erp.UserFile SET PwdExpires = null WHERE DcdUserID = ‘manager’;
I know the password and also how to reset. However the system as setup by Epicor is using the manager account to access things like the task agent and the admin console for any instance. From reading other folks posts where they have broken Epicor by just changing the password.
Being very specific should I change the task agent and admin console so that they do not use the manager account?
We have setup the print user like the guides suggest to run the task agent. We have changed the password from “manager” to something different during an upgrade process to increase security. Our latest installation/upgrade we have started using a specific domain account with a generated password to support the security enhancements for the primary application pool using windows binding. Our app pool for the task agent uses the print user that has been created. The connection for the client on the app pool configurations uses the manager account but with the changed password that is not “manager”.
James - I know this is a bit late, but I’ll add that we did exactly this for the task manager and any other app accessing epicor. We created an ‘epicorservice’ account in the AD and a ‘sysagent’ user inside E10 for the other apps and task agent, respectively.
We did change the manager password, but since the EAC is the only thing using it, we can change it at any time. And since the taskagent is tied to it’s own user, we can change it at any time as well.
Just like @MikeGross we create Service Accounts within Epicor, even for various External Utilities, Service Connect Workflows and more, while for the Task Agent we use print username.
When Service Connect creates records we can see in the CreatedBy which Workflow created it by seeing the Workflows “Service Account” Username.
Made the change at the weekend and no issues. Only further question is what Epicor options do these new users need to run without issue. I gave them the same as manager for ease but would rather give them less.
This is a long standing gripe with Epicor security (tedious and confusing to set up), and answer is different for every business which is probably why the process is so convoluted. Unfortunately, I don’t think that there is an easy answer.
In theory any issue with leaving this with the same options as the manager account. Particularly as I am the only person who knows the password without having to go into the LastPass vault to retrieve it.
Our Sysagent user (Task Agent login) is in the Admin group, with Security Manager, Session Impersonation(this one is mandatory to work right), and Multiple Sessions. We don’t do annotations, but that might be required. No other checkbox in the ‘Tools Options’ section is checked. And I put the password in the Address2 Field, and the phrase “DO NOT MODIFY” in the Address 1 field as a mental/visual cue to not mess it up.
The Epicorservice user I mentioned is purely a service account with no E10 user. It’s for SQL DB connections, AFR, EDA Synch, etc…
