same as create token really, as it has to zero out the history etc (as we don't know what the existing password is, we can't preserve the token data, we have to recreate it). Changepassword (obviously) preserves all this.
No, if the token is invalidated you need to recreate it.Changepassword only works if you can still change the password.
Once you've locked an account out through too many attempts, it can't be used for anything until the token is recreated.
Sorry, I didn't mean changepassword, I meant to keep in line with the topic at hand, resetpassword call. You said it was like creating a new token, but I'm guessing it does everything but actually create the new token? With testing, that seems how it is working.
For what it is worth, I have tested this over the last three months. I have went from 5.1.7 to 5.2.3 and noticed some differences using the scripting tool - resetpassword call.
5.1.7 - Level 2 and 3 could use resetpassword call to reset password of a level 1 invalidated token. Level 3 could not use resetpassword call on a level 2 invalidated token.
5.2.3 - Resetpassword call does not work for invalidated tokens at all.
Sorry about that Peter, there is another thread with same title and Simon and I used the levels example there. Level 1 being user, level 2 admin, level 3 being safeboot admin.