Mass change your SAP passwords

The short version: Here is a script to automate changing your SAP password across many systems. The long version follows…

One of the little annoyances I have to put up with as an SAP (yes, it’s “an”, because you’re supposed to say “ess-ay-pee.”) consultant, is when it becomes necessary to change passwords. That is because you need to be able to remember your passwords across all systems, which means it’s a good idea to use one password on all of them, meaning that when you change your password on one system, you change it everywhere. Some people devise strategies like combining the month with the system ID or something like that, which is just not very secure.

When I look at documentation on SAP’s websites, it seems perfectly possible to set up an SAP system for Windows Integrated (NTLM) authentication, so one may wonder why even put up with this schlepp. I imagine companies generally dislike that solution, because the extra layer of authentication is seen as a necessary security measure, while there are other factors, like people with several IDs, etc. Besides, end users may need to log on to at most 2 SAP systems in most cases, so it’s only really a problem for developers and configurers.

At the client where I am working now, I have been granted access to around 20 SAP clients across various systems. Now to update all of those every time I’m prompted to change my password on one system would become an incredibly tedious task. This has prompted me to write a vbs script to automate changing passwords across a whole number of systems. Building on something I found on the internet, I created a script that prompts you for your current password, and a new password, after which it will attempt to change your password on all given systems, provided you have sufficient RFC authorization on each.

The script calls function module SUSR_USER_CHANGE_PASSWORD_RFC, provided it exists on the system to change the password. The file produces an output file called passchangelog.txt in the directory (Windows: folder) where it is run giving a log of the actions taken. You could of course modify the script to give the output to standard out, but that would mean running it with cscript, and I think wscript is the default on a Windows installation.

To use the script, copy and paste it into a text file and rename it to something with a .vbs extension. You then modify the script where indicated, adding a line for each system for which you want your password to be changed. Make sure your password is the same on each system to begin with, so don’t inadvertently log yourself out of any of them!

I have also used a modified version of the script to just log on to each system to check whether I have an initial password there. You could probably even create a macro in Excel using it so that you read the system entries from a worksheet. I will leave that up to you.

Here is what it looks like:

Set ctlLogon = CreateObject("SAP.LogonControl.1")
Set funcControl = CreateObject("SAP.Functions")
Set objFileSystemObject = CreateObject("Scripting.FileSystemObject")

'''Obtain current and new password from user
currpass = InputBox("Enter current password")
newpass = InputBox("Enter new password")

''Initialize variables
Set outFile = objFileSystemObject.CreateTextFile("passchangelog.txt", True)

''' For each system, call subroutine to log on to system and change password
''' Parameters are: hostname, system id, system no., client, language, user
Logon "", "KK1", "00", "010", "EN", "MYUSER"
Logon "", "KK2", "00", "200", "EN", "MYUSER"
Logon "", "KK3", "00", "300", "EN", "MYUSER"

''' Cleanup
Set outFile = Nothing
Set ctlLogon = Nothing
Set funcControl = Nothing
Set objFileSystemObject = Nothing

'''***** Log on to system and change password *****
Sub ChangePass(appserver, sysid, sysno, client, lang, user)

''' Establish new connection
  Set objConnection = ctlLogon.NewConnection

''' Set logon details
  objConnection.ApplicationServer = appserver
  objConnection.System = sysid
  objConnection.SystemNumber = sysno
  objConnection.client = client
  objConnection.Language = lang
  objConnection.user = user
  objConnection.Password = currpass

''' Log on to system
  booReturn = objConnection.Logon(0, True)
  outFile.Write sysid & " " & client & ": "

''' Check if logon successful
  If booReturn <> True Then
    outFile.Write "Can't log on"
    Exit Sub
    outFile.Write "Login OK"
  End If

''' Prepare to call change password function
  funcControl.connection = objConnection
  Set expPassword = CHPASS_FN.Exports("PASSWORD")
  Set expNewPass = CHPASS_FN.Exports("NEW_PASSWORD")
  Set expFillRet = CHPASS_FN.Exports("USE_BAPI_RETURN")
  Set impReturn = CHPASS_FN.Imports("RETURN")
  expPassword.Value = currpass
  expNewPass.Value = newpass
  expFillRet.Value = "1"

''' Call change password function
  If CHPASS_FN.Call = True Then
    outFile.Write (", Called Function")
    Message = impReturn("MESSAGE")
    outFile.WriteLine " : " & Message
    outFile.Write (", Call to function failed")
  End If

  outFile.WriteLine vbNewLine
End Sub

Tags: , ,

  • Eric

    Hey have you ever used this SUSR_USER_CHANGE_PASSWORD_RFC with Java? I’m trying to use it in a java program (that I already call other BAPIs with) and it gives me some funky, non-descript error “INTERNAL_ERROR”.


  • admin

    The function raises the INTERNAL_ERROR exception when there is a problem with the call to the kernel function that it uses to perform the password change. (The text for the message accompanying the exception is “Program error. Please notify SAP”).

    It could be (just a guess) that your user does not have authorization to call this kernel function. To check whether it does, call function AUTHORITY_CHECK_C_FUNCTION (provided you have dialog access to the system). It seems the authorization object S_C_FUNCT determines this access, so check what is assigned to your user.

  • Eric

    Thanks for the tip! I’ll keep you posted with my results.

  • Eric

    Hey man, I got it working. Turns out when I ran the same Java code against ECC6 it works fine. The old development environment here is 4.7, but when I changed my connection it works fine.

    Thanks for your help!

  • admin

    Thanks for the feedback, Eric.

  • Swalt


    I tried to run your script but found it gave an error. I think the call to our function is named incorrectly. The lines that start with ‘Logon “host1…’ should read ‘ChangePass “host1…’.

    I changed the “Logon”s to “ChangePass” and it worked perfect.

    Thanks for the script though :)


  • admin

    Hey Swalt, thanks very much for pointing that out! That was a bit of an oversight on my part, as I combined two of my scripts when I posted this blog from home.

  • Danny


    I got the script working; reading the list of systems from an excel sheet and returning all results (successfull or not) into both a listbox and a logfile. After some testing I had some problems with older systems (3.x and 4.x systems).
    When I turn on LastError (to display the error) I get the message:

    “you are not authorized to logon the target system”.

    Any idea?


  • Danny


    The solution for my issue is described in Note 1023437 – ABAP syst: Downwardly incompatible passwords (since NW2004s). Apparently for the older systems the SAP Logon control converts the password to uppercase.

    best regards


  • admin

    Hi Danny, that’s interesting, thanks for reporting back. I know from 700 (or 710?) that passwords are case sensitive, but what you mention sounds strange; I thought case wouldn’t matter to older systems. Anyway, thanks for that.

  • Natalia

    I want to say many thanks for this script!
    Spasibo! :)

  • Hi,
    i know this is an old post but anyway: if you are interested in a working java program, with which you can mass change users (unlock, set initial password, set new password) justvtake a look at