
Mass change your SAP passwords

The short version: Here is a script to automate changing your SAP password across many systems. The long version follows…

One of the little annoyances I have to put up with as an SAP (yes, it’s “an”, because you’re supposed to say “ess-ay-pee”) consultant is when it becomes necessary to change passwords. That is because you need to be able to remember your passwords across all systems, which means it’s a good idea to use one password on all of them, meaning that when you change your password on one system, you change it everywhere. Some people devise strategies like combining the month with the system ID or something like that, which is just not very secure.

When I look at documentation on SAP’s websites, it seems perfectly possible to set up an SAP system for Windows Integrated (NTLM) authentication, so one may wonder why even put up with this schlepp. I imagine companies generally dislike that solution, because the extra layer of authentication is seen as a necessary security measure, while there are other factors, like people with several IDs, etc. Besides, end users may need to log on to at most 2 SAP systems in most cases, so it’s only really a problem for developers and configurers.

At the client where I am working now, I have been granted access to around 20 SAP clients across various systems. Now to update all of those every time I’m prompted to change my password on one system would become an incredibly tedious task. This has prompted me to write a vbs script to automate changing passwords across a whole number of systems. Building on something I found on the internet, I created a script that prompts you for your current password, and a new password, after which it will attempt to change your password on all given systems, provided you have sufficient RFC authorization on each.

The script calls function module SUSR_USER_CHANGE_PASSWORD_RFC to change the password, provided it exists on the system. The script produces an output file called passchangelog.txt in the directory (Windows: folder) where it is run, giving a log of the actions taken. You could of course modify the script to write the output to standard out, but that would mean running it with cscript, and I think wscript is the default on a Windows installation.

To use the script, copy and paste it into a text file and rename it to something with a .vbs extension. You then modify the script where indicated, adding a line for each system for which you want your password to be changed. Make sure your password is the same on each system to begin with, so that you don’t inadvertently lock yourself out of any of them!

I have also used a modified version of the script to just log on to each system to check whether I have an initial password there. You could probably even create a macro in Excel using it so that you read the system entries from a worksheet. I will leave that up to you.

Here is what it looks like:

Set ctlLogon = CreateObject("SAP.LogonControl.1")
Set funcControl = CreateObject("SAP.Functions")
Set objFileSystemObject = CreateObject("Scripting.FileSystemObject")

''' Obtain current and new password from user
''' (InputBox does not mask what is typed and returns "" on Cancel)
currpass = InputBox("Enter current password")
newpass = InputBox("Enter new password")

''Initialize variables
Set outFile = objFileSystemObject.CreateTextFile("passchangelog.txt", True)

''' For each system, call subroutine to log on to system and change password
''' Parameters are: hostname, system id, system no., client, language, user
''' ADD A LINE PER SYSTEM FOR WHICH YOU WANT TO CHANGE YOUR PASSWORD
''' (the subroutine defined below is named ChangePass)
ChangePass "host1.company.com", "KK1", "00", "010", "EN", "MYUSER"
ChangePass "host2.company.com", "KK2", "00", "200", "EN", "MYUSER"
ChangePass "host3.company.com", "KK3", "00", "300", "EN", "MYUSER"

''' Cleanup
outFile.Close
Set outFile = Nothing
Set ctlLogon = Nothing
Set funcControl = Nothing
Set objFileSystemObject = Nothing

'''***** Log on to system and change password *****
Sub ChangePass(appserver, sysid, sysno, client, lang, user)

''' Establish new connection
  Set objConnection = ctlLogon.NewConnection

''' Set logon details
  objConnection.ApplicationServer = appserver
  objConnection.System = sysid
  objConnection.SystemNumber = sysno
  objConnection.client = client
  objConnection.Language = lang
  objConnection.user = user
  objConnection.Password = currpass

''' Log on to system
  booReturn = objConnection.Logon(0, True)
  outFile.Write sysid & " " & client & ": "

''' Check if logon successful
  If booReturn <> True Then
    objConnection.LastError
    ''' End the log line so the next system starts on a new line
    outFile.WriteLine "Can't log on"
    Exit Sub
  Else
    outFile.Write "Login OK"
  End If

''' Prepare to call change password function
  funcControl.connection = objConnection
  Set CHPASS_FN = funcControl.Add("SUSR_USER_CHANGE_PASSWORD_RFC")
  Set expPassword = CHPASS_FN.Exports("PASSWORD")
  Set expNewPass = CHPASS_FN.Exports("NEW_PASSWORD")
  Set expFillRet = CHPASS_FN.Exports("USE_BAPI_RETURN")
  Set impReturn = CHPASS_FN.Imports("RETURN")
  expPassword.Value = currpass
  expNewPass.Value = newpass
  expFillRet.Value = "1"

''' Call change password function
  If CHPASS_FN.Call = True Then
    outFile.Write (", Called Function")
    Message = impReturn("MESSAGE")
    outFile.WriteLine " : " & Message
  Else
    outFile.Write (", Call to function failed")
  End If

  outFile.WriteLine vbNewLine

''' Close the RFC connection before moving on to the next system
  objConnection.Logoff
End Sub
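
An added example (not part of the original script): pre-flight checks to run before the first ChangePass call, so that a cancelled InputBox, a mistyped new password or a malformed system entry stops the run instead of causing failed logon attempts on every system in the list. The function names, the comma-separated line format and the sample values are assumptions of this example.

```vbscript
Option Explicit

' True only when the passwords are safe to send to every system in the list.
Function PasswordsUsable(currpass, newpass, confirmpass, ByRef reason)
  PasswordsUsable = False
  If Len(currpass) = 0 Or Len(newpass) = 0 Then
    reason = "empty input (InputBox returns an empty string on Cancel)"
  ElseIf newpass <> confirmpass Then
    reason = "new password and its confirmation differ"
  ElseIf newpass = currpass Then
    reason = "new password is the same as the current one"
  Else
    reason = ""
    PasswordsUsable = True
  End If
End Function

' Splits "host,sysid,sysno,client,lang,user" (assumed format) and checks its shape.
' Returns the six trimmed fields as an array, or Empty with a reason.
Function ParseSystemLine(line, ByRef reason)
  Dim fields, i, re
  ParseSystemLine = Empty
  reason = "expected 6 comma-separated fields"
  fields = Split(line, ",")
  If UBound(fields) <> 5 Then Exit Function
  For i = 0 To 5
    fields(i) = Trim(fields(i))
  Next
  Set re = New RegExp
  re.Pattern = "^[^,]+,[A-Za-z0-9]{3},\d{2},\d{3},[A-Za-z]{2},[^,]+$"
  reason = "bad system id, system number, client or language"
  If Not re.Test(Join(fields, ",")) Then Exit Function
  reason = ""
  ParseSystemLine = fields
End Function

' Constructed sample input: an empty new password and a two-digit client.
Dim sample, entry, why
If Not PasswordsUsable("old-secret", "", "", why) Then WScript.Echo "ABORT: " & why
For Each sample In Array("host1.company.com,KK1,00,010,EN,MYUSER", _
                         "host2.company.com,KK2,00,20,EN,MYUSER")
  entry = ParseSystemLine(sample, why)
  If IsArray(entry) Then
    WScript.Echo "OK   " & entry(1) & " " & entry(3)
  Else
    WScript.Echo "SKIP " & sample & " (" & why & ")"
  End If
Next
```

Run it with cscript to get the results on the console; in the real script, the six fields of each accepted entry would be passed to ChangePass only after PasswordsUsable has returned True.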
