np - you could probably hack this out of linkuser as well - start at the bottom of the script, the first 10,000 lines or so are just included classes.
I've run through the Endpoint Encryption Scripting Tool User Guide. In my test environment I've successfully run a script to change a bindingname etc. on a group of users, however what I actually want to achieve is to set a value of 0 on the existing SbAdCon0.changes binding.
The only commands I can find in the document are ChangeBindingName and AddBinding, however I can't find one to specify the Bind Value of an existing one. In one of your previous posts: https://community.mcafee.com/message/202925 you have stated "There are API commands to both delete the binding, and set its value". Can you point me in the direction of these commands, or do you know where I am going wrong?
If I remember correctly addbinding will change the value of an existing binding, if you use the same name?
I have this working for a single user using this command: sbadmcl -adminuser:admin -adminpwd:**** -command:addbinding -user:jbloggs -bindname:sbadcon0.changes -bindvalue:0
However, unlike the changebindingname command, the add binding doesn't have a group parameter? It certainly doesn't work, whereas the group parameter works perfectly on the changebindingname command. Any ideas?
get the user list from the group with dumpusersbygroup, then iterate through them changing the binding?
It will be slow as you will cause a login each time if you use a batch file (much faster in vbscript using a persistent connection like linkuser does)
the sbadmcl class in linkuser might have dumpusersbygroup exposed, returning an array or collection? I don't have the code to hand unfortunately.
Yes, that sounds like a good option, I'll look into the dumpusersbygroup command.
I don't have any experience of vbscripts though, so I'll probably have to stick to batch files.
In addition: https://community.mcafee.com/thread/38272. It appears that someone on the forum got round this by renaming the sbadcon0.changes to sbadcon9.changes, then ran the connector (to regenerate the sbadcon0.changes with a 0 value) and then deleted the sbadcon9.changes - all by using the ChangeBindingName command - that does allow group changes.
Can you see any issues with doing it this way?
no - seems perfectly logical to me - I can't see a down side, the connector should recreate the original binding.
probably worth testing on a single user first though of course.
Thanks, I'll go forward with that plan and test it, and I'll use your other suggestion as another option if it's not successful.
Thanks again as usual
I ran through this change on one user in the live environment. I manually edited their binding from sbadcon0.changes to sbadcon9.changes and then ran the connector whilst pointing to the NEW Domain Controller.
I was incorrectly expecting the sbadcon0.changes to have a change value of 0 - but now thinking about it logically, it will just pick up the change value of the Domain Controller (which incidentally was lower than the OLD Domain Controller - which is what is needed to fix the issue).
I'm assuming that this should be ok, despite documentation https://kc.mcafee.com/corporate/index?page=content&id=KB69760 stating it needs to be set to 0?