Thanks for your reply.
This is how we did the last time.
1) Prepare datacap admin user (dcadmin) and maintenance user (dcuser) on Windows Active Directory.
2) Install and configure Datacap 9.1.7 using dcadmin on a single Windows 2016 machine.
3) Open a command prompt and move to c:\Datacap\Taskmaster. Execute "dcskey -e".
4) Reboot PC.
5) Change password of dcuser. *Due to the client's policy, the password changes periodically.
6) Login to dcuser.
7) Open a command prompt and move to c:\Datacap\Taskmaster. Execute "dcskey -i".
8) An error is displayed: "Keys couldn't be imported. Key not valid for use in specified state."
9) I think we also did "dcskey -d" before trying import,
but saw an error "Keys couldn't be deleted. Key not valid for use in specified state."
I am guessing that "dcskey import" does not work once the other user executes "dcskey export"
and first entry is written into dc_KTF.xml file in C:\Datacap\Taskmaster.
This first entry can be shared among the users on the same machine,
but once a user (different from the installation user) changes password,
there is no way for dcskey command (either delete or import) to reflect this password change.
The following site had what seemed to be the solution.
https://www.ibm.com/support/pages/key-not-valid-use-specified-state-ibm-datacap-taskmaster-captureBut I could not do this.
I was not able to identify Taskmaster encryption keys because there were many of them.
May be password should not change once a key is made, but this almost always goes against the client's security policy.