hausi

eeadmin.administratorRecovery - Syntax of userDN


Hi all

We use MDE (7.1.3.547) and I've planned to get a solution for our ServiceDesk.

I don't want to give them access to the ePO (5.3.1), because we have our own ServiceDesk application with several plugins. So they can e.g. change a user's password without elevated privileges...

Since we plan the rollout for MDE with SSO on our notebooks, I have to solve two scenarios for our ServiceDesk:

1. A user is not known in the PBA -> Therefore "https://<ePO>:8443/remote/eeadmin.administratorRecovery?challengeCode=<Code>&recoveryType=1" works fine.

2. A user forgot his password -> So the ServiceDesk has to reset the PBA password and the Windows password as well. (Or is there an easier way? Afaik recoveryType=1 will not work, because the usernames don't match and the password will not sync.)

For the 2nd scenario I have trouble getting the correct syntax. I've tried https://<ePO>:8443/remote/eeadmin.administratorRecovery?challengeCode=<Code>&recoveryType=2&userDN=?????????

Even the Scripting Guide / McAfee Drive Encryption 7.1 doesn't really help me:

Table 2-6 resetUserToken recovery type

Command: eeadmin.administratorRecovery

Syntax:

     eeadmin.administratorRecovery challengeCode=<> recoveryType=<> userDn=<>

Description: Specify recoveryType='2' and pass the Distinguished Name (DN) of the user, to perform the Reset User Token Recovery.

I've tried almost all possible names for userDn (user principal name (which is our username for PBA and Windows logon), pre-Win2000 username with/without domain, canonical name, distinguished name, DN with quotes and even with URL-encoded characters for " " %20, "@" %40, etc.) ... and I always get:

Error 0 :

Error setting parameters for command: eeadmin.administratorRecovery


What is the correct syntax for userDn?

And is recoveryType=2 the right way for the scenario "user forgot his password"?

Is it possible to get the computer name (after sending the challengeCode) and a list of the defined usernames on this computer with ePO.API.Explorer?


Thanks in advance


Hausi


Re: eeadmin.administratorRecovery - Syntax of userDN


The way to enter the DN is this:

https://<ePO>:8443/remote/eeadmin.administratorRecovery?challengeCode=<Code>&recoveryType=2&userDn=<Distinguished name>

for example:

https://ePOserver.eu.company.com:8443/remote/eeadmin.administratorRecovery?challengeCode=AAAABBBBCCC...\, FirstName,OU=euro,DC=company,DC=com

Let me know if this works out for you.

Not sure about your last question (about getting the computer name and assigned users), will let you know.

Shahar.

hausi

Re: eeadmin.administratorRecovery - Syntax of userDN


Hi Shahar

Thanks for your prompt answer.

If I look in "Encryption Users", my DN looks like:

     CN=<LastName> <FirstName> (<Visum>),OU=<Department>,OU=<Platform>,OU=Users,OU=<Company> Production,DC=<Domain>,DC=<DomainCountry>

If I replace all the " " with "\" like this:

     https://<ePO>.<Domain>.<DomainCountry>:8443/remote/eeadmin.administratorRecovery?challengeCode=<Code>&recoveryType=2&userDN=CN=<LastName>\<FirstName>\(<Visum>),OU=<Department>,OU=<Platform>,OU=Users,OU=<Company>\Production,DC=<Domain>,DC=<DomainCountry>

I still get:

     Error 0 :

     Error setting parameters for command: eeadmin.administratorRecovery

If I try RecoveryType=1 without userDN, like this:

     https://<ePO>.<Domain>.<DomainCountry>:8443/remote/eeadmin.administratorRecovery?challengeCode=<Code>&recoveryType=1

I get:

     Succeeded:<Response>

So, I guess, the challenge is correct and recognized by ePO -> I also guess, the problem is the "userDN"...

Hausi

Re: eeadmin.administratorRecovery - Syntax of userDN


Not sure if that is the reason but there are some typing mistakes in what you pasted above:

  • There is a space in "challengeCode"
  • userDn needs to be typed with a lowercase "n"

What I suggest is that you simply copy paste the distinguished name, there is no need to add any other signs or to escape characters.
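The two mistakes named above (whitespace in the parameter name and "userDN" instead of "userDn") are easy to make in a ServiceDesk script, so here is an added example, written for this thread and not part of McAfee's tooling, that builds the resetUserToken URL with the DN passed verbatim and lints a URL for exactly those mistakes before it is sent. The hostname, challenge code and DN below are constructed placeholders; the assumption that the ePO remote command interface takes HTTP Basic authentication is mine, not something this thread states.

```python
# Added example (not from the thread or from McAfee): build and sanity-check
# eeadmin.administratorRecovery URLs for the resetUserToken case (recoveryType=2).
import base64
import urllib.request
from urllib.parse import urlencode, quote, urlsplit, parse_qs

COMMAND_PATH = "/remote/eeadmin.administratorRecovery"


def build_recovery_url(epo_host, challenge_code, recovery_type, user_dn=None, port=8443):
    """Return the remote-command URL with parameter names spelled as ePO expects.

    The parameter names are case-sensitive: it must be "userDn" (lowercase n)
    and "challengeCode" must contain no whitespace.
    """
    params = {"challengeCode": challenge_code, "recoveryType": str(recovery_type)}
    if int(recovery_type) == 2:
        if not user_dn:
            raise ValueError("recoveryType=2 (reset user token) needs the user's DN")
        # The DN is passed exactly as shown under Encryption Users. The
        # percent-encoding of spaces, commas and parentheses done by urlencode()
        # is plain transport encoding, the same thing a browser does on its own.
        params["userDn"] = user_dn
    query = urlencode(params, quote_via=quote)
    return f"https://{epo_host}:{port}{COMMAND_PATH}?{query}"


def lint_recovery_url(url):
    """Flag the mistakes the thread ran into, plus a missing userDn."""
    problems = []
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name in query:
        if any(ch.isspace() for ch in name):
            problems.append(f"parameter name {name!r} contains whitespace")
        if name.lower() == "userdn" and name != "userDn":
            problems.append(f"parameter name {name!r} must be spelled 'userDn' (lowercase n)")
    if query.get("recoveryType") == ["2"] and "userDn" not in query:
        problems.append("recoveryType=2 requires a userDn parameter")
    return problems


def parse_recovery_response(text):
    """Split the ePO text response into (succeeded, payload).

    Success looks like "Succeeded:<Response>" (queries answer with "OK:");
    failure looks like "Error 0 :" followed by an explanation.
    """
    body = text.strip()
    for prefix in ("Succeeded:", "OK:"):
        if body.startswith(prefix):
            return True, body[len(prefix):].strip()
    return False, body


def call_epo(url, username, password, timeout=30):
    """Send the command with HTTP Basic auth (assumed) and parse the reply."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_recovery_response(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Constructed values; a real DN is copied from the Encryption Users view.
    dn = "CN=Doe John (XYZ),OU=Sales,DC=example,DC=com"
    url = build_recovery_url("epo.example.com", "AAAABBBBCCCC", 2, dn)
    print(url)
    print("problems:", lint_recovery_url(url))
    print(parse_recovery_response("Error 0 :\nError setting parameters for command: eeadmin.administratorRecovery"))
```

The linter runs on the final URL string, so it also catches a stray space that a copy/paste from a forum post or a wiki page has smuggled into the parameter name.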

hausi

Re: eeadmin.administratorRecovery - Syntax of userDN


Hi Shahar

You are great!

You are right: I didn't see the lowercase "n", Thanks! (I've spent hours...)

(The blank " ", was copy/paste from your 1st post).

I've passed the DN as it is written in "encryption users" with all the spaces and other characters...

The Output is now:

     Succeeded:<Response>


Looks a little better ;-)


The mistake was the lowercase "n" - And because of the failed result, I've tried to play around with the DN...


btw.

- Is there a best practice for "user forgot password"? -> recoveryType=2 and reset the Windows password (because with SSO he forgot both)? Or is there an easier way?

- Is there a way to display the system name from the challengeCode and the list of assigned encryption users on this system? I've found nothing about this.

Re: eeadmin.administratorRecovery - Syntax of userDN


Happy to see this worked out.

- We don't use SSO, so I can't really help you with this. But I guess that there is no way around it. Maybe do a machine recovery, change the user's Windows password from Windows and then sync the new password to MDE.

- I haven't been able to do that. I guess you are limited to what the APIs give you. You could try and submit that as a PER.

hausi

Re: eeadmin.administratorRecovery - Syntax of userDN


With "machine recovery" the Windows and PBA user will not match and will not sync the password...

I'll try to play with "core.executeQuery" - perhaps there is a possibility...

OR perhaps another member of the community has an idea?

hausi

Re: eeadmin.administratorRecovery - Syntax of userDN


I'm trying to get the PBA users of a specific PC. What I did so far:

https://<ePO>:8443/remote/core.executeQuery?target=EPOCounterMeasures_View&select=(select EPOCounterMeasures_View.LeafNodeID)&where=(where(eq EPOCounterMeasures_View.ComputerName "<ComputerName>"))

-> This returns:

    OK:

    ComputerID: 28150

I also was able to get a list of usernames with EPOLeafNodeID...

https://<ePO>:8443/remote/core.executeQuery?target=EPESystemUsers&select=(select EPESystemUsers.UserID EPESystemUsers.DisplayName EPESystemUsers.EPOLeafNodeID)

-> This returns:

    OK:

    EPEADMIN.squid.epeSystemUsers.da.userID: 1

    User Name (DE): <first>.<last>@<MailDomain>

    EPEADMIN.squid.epeSystemUsers.da.EPOLeafNodeID: 27996

    EPEADMIN.squid.epeSystemUsers.da.userID: 1

    User Name (DE): <first>.<last>@<MailDomain>

    EPEADMIN.squid.epeSystemUsers.da.EPOLeafNodeID: 28150

    EPEADMIN.squid.epeSystemUsers.da.userID: 1

    User Name (DE): <first>.<last>@<MailDomain>

    EPEADMIN.squid.epeSystemUsers.da.EPOLeafNodeID: 33331

Now, I'm trying to show only the user names for a specific EPOLeafNodeID, which I got with the 1st command - but this doesn't really work yet...

...perhaps someone has already solved this challenge?
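Until the where clause is sorted out on the server side, the flat "OK:" output of core.executeQuery above can be grouped client-side. The following is an added example, not code from the thread or from McAfee: it parses the key/value lines ePO returns (a new record starts whenever a key repeats), groups the display names by EPOLeafNodeID and returns the users of one node. The sample output is constructed in the shape of the listing above; the user names and node IDs in it are placeholders.

```python
# Added example (not from the thread or from McAfee): parse the flat text
# output of core.executeQuery and select the encryption users of one node.
from collections import defaultdict

NODE_KEY = "EPEADMIN.squid.epeSystemUsers.da.EPOLeafNodeID"
NAME_KEY = "User Name (DE)"

# Constructed sample in the shape of the EPESystemUsers query output above.
SAMPLE_OUTPUT = """OK:
EPEADMIN.squid.epeSystemUsers.da.userID: 1
User Name (DE): anna.example@corp.example
EPEADMIN.squid.epeSystemUsers.da.EPOLeafNodeID: 27996
EPEADMIN.squid.epeSystemUsers.da.userID: 1
User Name (DE): anna.example@corp.example
EPEADMIN.squid.epeSystemUsers.da.EPOLeafNodeID: 28150
EPEADMIN.squid.epeSystemUsers.da.userID: 2
User Name (DE): ben.example@corp.example
EPEADMIN.squid.epeSystemUsers.da.EPOLeafNodeID: 28150
"""


def parse_flat_output(text):
    """Turn the 'OK:' key/value listing into a list of dict records.

    ePO prints one 'key: value' line per column and repeats the column set
    per row, so a key seen twice in a row marks the start of the next record.
    Raises ValueError on an 'Error ...' response instead of returning junk.
    """
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("OK:"):
        raise ValueError("not a successful core.executeQuery response: " + (lines[0] if lines else ""))
    records, current = [], {}
    for line in lines[1:]:
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in current:
            records.append(current)
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return records


def users_by_node(text):
    """Map EPOLeafNodeID (as int) to the display names assigned to it."""
    grouped = defaultdict(list)
    for rec in parse_flat_output(text):
        if NODE_KEY in rec and NAME_KEY in rec:
            grouped[int(rec[NODE_KEY])].append(rec[NAME_KEY])
    return dict(grouped)


def users_for_node(text, node_id):
    """Display names for one node, e.g. the LeafNodeID from the first query."""
    return users_by_node(text).get(int(node_id), [])


if __name__ == "__main__":
    for node, names in sorted(users_by_node(SAMPLE_OUTPUT).items()):
        print(node, names)
    print(users_for_node(SAMPLE_OUTPUT, 28150))
```

Feeding the real output of the second query into users_for_node with the LeafNodeID from the first query gives the per-computer user list without a server-side join.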

hausi

Re: eeadmin.administratorRecovery - Syntax of userDN


I've got the list of SystemUsers per Computer:

https://[ePO]:8443/remote/core.executeQuery?target=EPESystemUsers&select=(select EPESystemUsers.DisplayName)&where=(where(eq EPOLeafNode.NodeName "[ComputerName]"))