The eeadmin.changeUserPassword command should reset the token if you do not specify the old password.
Drive Encryption 7.1 Scripting Guide (PD24869)
"If you don't specify the old password, users are reinitialized, leading to the loss of token, logon, Single-Sign-On (SSO), Self-Recovery, and password history data. This requires the users to reinitialize their data at next logon."
However, you can just reset the token for the entire lot via the DE: Users query. Although you cannot use the select all button, you can select the first entry, scroll to the last entry, press and hold Shift and select the last entry, then select Actions | Drive Encryption | Reset Token.
Hi there, thank you for your comments!
As I mentioned, I already tried to use the command eeadmin.changeUserPassword:
eeadmin.changeUserPassword userDn newPassword [oldPassword] - Drive Encryption change user's password
The old password is an optional parameter. The userDN (that's perfectly clear) and the NewPassword have to be specified. Without specifying the NewPassword, the web request ends with a failed state. So if I specify a password, let it be "12345" for example, the web request ends with a success state. Everything seems to be good, BUT: There is NO effect on the EE client system. In the log, I cannot recognize a change. It has no effect, exactly NO effect. If the client reboots, the user is NOT prompted to renew his credentials; furthermore, the user is not able to use the password "12345" specified by me. The user is able to use "his old password" (if it had existed, or rather what the user specified in the past). So on the whole the command "changeUserPassword" does not help us solve the problem.
I just tested and received a different behavior than you. I ran the following command from a browser and did not specify the old password:
I received this message:
After waiting about 5 minutes to allow the database to process the request, I performed a collect and send props on the client and waited for policy enforcement to complete. I then saw this in the MfeEpe.log:
2017-03-07 15:32:24,868 INFO EpoState == Start of policy enforcement ==
2017-03-07 15:32:25,165 INFO EpoPlugin userHandler: requesting updates for user A472B39FDF4F154AA299DA98F66ECCF7: token data, self recovery data, logon data, sso data
2017-03-07 15:32:51,666 INFO StatusService updating Drive Encryption users
2017-03-07 15:32:51,760 INFO UserLib userLib: user jhall2 (A472B39FDF4F154AA299DA98F66ECCF7) has had logon data updated
2017-03-07 15:32:51,822 INFO UserLib userLib: user jhall2 (A472B39FDF4F154AA299DA98F66ECCF7) has had token data updated
2017-03-07 15:32:51,885 INFO UserLib userLib: user jhall2 (A472B39FDF4F154AA299DA98F66ECCF7) has had SSO data updated
2017-03-07 15:32:51,947 INFO UserLib userLib: user jhall2 (A472B39FDF4F154AA299DA98F66ECCF7) has had UBP updated
2017-03-07 15:32:52,572 INFO EpoState == End of policy enforcement ==
Upon the reboot, the user's password was reset to the value entered into the command and not reset back to the default password.
This was tested with the MDE 184.108.40.2067 extensions. I am researching this behavior further.
Thank you for your help!
I tested nearly the same command as you wrote. I also received OK: Succeeded, and my MfeEpe.log has the following entries:
2017-03-08 08:02:29,978 INFO EpoPlugin userHandler: processing user updates/requests
2017-03-08 08:02:30,337 INFO EpoPlugin userHandler: requesting updates for user *ID*: token data, self recovery data, logon data, sso data
2017-03-08 08:02:30,337 INFO EpoPlugin Sending user updates for *USER* (*ID*) to ePO
2017-03-08 08:02:30,353 INFO EpoPlugin userHandler: dispatching ESUserList event to McAfee Agent
2017-03-08 08:02:30,353 INFO EpoPlugin userHandler: Note, press Send Events button in McAfee Agent to hasten delivery (see KB71865).
2017-03-08 08:02:30,681 INFO StatusService Ereignis zum Synchronisieren von aktualisierten Benutzerdaten wird erstellt.
2017-03-08 08:02:38,811 INFO DRIVER Session notification: EPEPC_DRIVER_SESSION_LOGON
2017-03-08 09:20:42,537 INFO EpoState == End of policy enforcement ==
The entries with "...has had ... updated" are missing in my logs.
I am using the same version number and extension as you.
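The comparison made by hand in the two log excerpts above can be scripted. This is an added example, not part of the thread and not McAfee code: it pairs each "requesting updates for user" line in MfeEpe.log with the matching "has had ... updated" lines and lists the users whose token update was requested but never confirmed. The function names and the second user's ID and name are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Line shapes taken from the two MfeEpe.log excerpts quoted in the thread.
REQUESTED = re.compile(r"requesting updates for user (?P<id>[0-9A-F]{32}): (?P<items>.+)$")
APPLIED = re.compile(r"user \S+ \((?P<id>[0-9A-F]{32})\) has had (?P<item>.+?) updated$")

def audit(lines):
    """Return {user_id: {"requested": set, "applied": set}}, item names lower-cased."""
    state = defaultdict(lambda: {"requested": set(), "applied": set()})
    for line in lines:
        line = line.strip()
        m = REQUESTED.search(line)
        if m:
            items = (i.strip().lower() for i in m["items"].split(","))
            state[m["id"]]["requested"].update(items)
            continue
        m = APPLIED.search(line)
        if m:
            state[m["id"]]["applied"].add(m["item"].lower())
    return dict(state)

def token_reset_not_applied(lines):
    """User IDs whose token data was requested but never reported as updated."""
    return sorted(
        uid for uid, s in audit(lines).items()
        if "token data" in s["requested"] and "token data" not in s["applied"]
    )

# Constructed sample modelled on the thread: the first user matches the working
# excerpt, the second (hypothetical ID and name) matches the failing one.
SAMPLE = """\
2017-03-07 15:32:25,165 INFO EpoPlugin userHandler: requesting updates for user A472B39FDF4F154AA299DA98F66ECCF7: token data, self recovery data, logon data, sso data
2017-03-07 15:32:51,760 INFO UserLib userLib: user jhall2 (A472B39FDF4F154AA299DA98F66ECCF7) has had logon data updated
2017-03-07 15:32:51,822 INFO UserLib userLib: user jhall2 (A472B39FDF4F154AA299DA98F66ECCF7) has had token data updated
2017-03-07 15:32:51,885 INFO UserLib userLib: user jhall2 (A472B39FDF4F154AA299DA98F66ECCF7) has had SSO data updated
2017-03-07 15:32:51,947 INFO UserLib userLib: user jhall2 (A472B39FDF4F154AA299DA98F66ECCF7) has had UBP updated
2017-03-08 08:02:30,337 INFO EpoPlugin userHandler: requesting updates for user 0123456789ABCDEF0123456789ABCDEF: token data, self recovery data, logon data, sso data
2017-03-08 08:02:30,337 INFO EpoPlugin Sending user updates for user2 (0123456789ABCDEF0123456789ABCDEF) to ePO
2017-03-08 09:20:42,537 INFO EpoState == End of policy enforcement ==
"""

if __name__ == "__main__":
    for uid in token_reset_not_applied(SAMPLE.splitlines()):
        print(f"{uid}: token update requested, no 'has had token data updated' entry")
```

To check a real client, pass the lines of its MfeEpe.log to `token_reset_not_applied` instead of `SAMPLE`.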