How to Reset Passwords or Manage SEE Client Administrators and Deploying through the Native Policy/group Policy
Article ID: 154380

Updated On:

Products

Endpoint Encryption Desktop Email Encryption Drive Encryption Encryption Management Server File Share Encryption Gateway Email Encryption PGP Command Line PGP Key Management Server PGP Key Mgmt Client Access and CLI API PGP SDK

Issue/Introduction

Client administrators are accounts with privileges to log in to encrypted systems when the registered user is not able to log in.

When a SEE Client installer is created, a list of administrators is also specified. Until the client checks in with the SEE Management Server, the client administrators built into the installer are used locally (referred to as "Local Policy"). Once the SEE Client checks in with the SEE Management Server, the administrators defined in policy can be used.

Important Note: The first SEE Client Administrator you add is considered the "Default" Administrator and has full permissions. Provide access to this administrator only to those who absolutely must have it.

All other administrators should be granted permissions using the principle of least privilege. In other words, do not give a SEE Client Administrator the "Decrypt" permission on a machine if only "Unlock" is needed.

If you need to stop SEE Client Administrators from showing up on local machines, they can also be removed in policy.

This article will review these options with SEE Client Administrators with the following sections:

Section 1 of 3 - Changing Passwords or Managing SEE Client Administrators

Section 2 of 3 - Removing Administrators from SEE Client Administrators of local SEE Clients

Section 3 of 3 - Troubleshooting

 

Note: If you have installed a SEE Client to a machine, it will inherit the list of SEE Client administrators that are in-built to the client.  The only time this list will change is when the SEE Client checks in with the server and the client pulls down a new set of SEE Client Admins.  Installing over the top will not update the list.  The SEE Client must check in to the server for this to take place. 

Resolution

Section 1 of 3 - Changing Passwords or Managing SEE Client Administrators

Changing the Password for Environments using the Native policies:

  1. Open Symantec Endpoint Encryption Manager.
  2. Expand the hive named Symantec Endpoint Encryption Native Policy Manager.
  3. Select the appropriate group.
  4. Click Next through each policy until you reach the SEE Client Administrators list.
  5. Make the needed changes to the SEE Client Administrators, or add new SEE Client Administrator accounts with their associated roles.


On the Client Side:

  1. Update policy and restart the machine.
  2. Try to log in with the new SEE Client Administrator password.

Tip: You can also use the "list-user" option of the CLI to display the current administrator list. In the example command below, the name of the current SEE Client Administrator is "SEEClientAdmin":

C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption>eedAdminCli.exe --list-user --au SEEClientAdmin

This will prompt you for the current passphrase. Enter the passphrase and the list of administrators should appear.

Changing the Password for Environments Using the Group Policies:

In order to modify the SEE policies when using GPO policies, you'll need to locate the GPO itself.

______________________________________________________________________________________
Tip: If you're not sure whether you're using GPO or SEE Native Policy, open the SEEMS Configuration Manager.
Under the Active Directory page, if nothing is configured, SEE Native Policy is being used.

SEE Native Policy is recommended for ease of use and ease of policy management.
This is because with GPO policy, whoever makes changes to these policies in AD must have the Windows AD/GPO permissions to edit and update them, whereas SEE Native Policy only requires its own SEE Administrator to make the needed changes.

If you are using GPO and would like to simplify your management significantly, see the following article:

243136 - Migrating to Symantec Endpoint Encryption Policy Methodologies to SEE Native Policies (From Active Directory Policies)

If you're unsure what to do, feel free to reach out to Symantec Encryption Support for further guidance.
______________________________________________________________________________________

  1. Open Symantec Endpoint Encryption Manager as described above.
  2. Expand the hive for Group Policy Management.
  3. Go to the appropriate level at which to apply the policy.
  4. Right-click and select "Create a GPO in this domain, and Link it here".
  5. In the "New GPO" window that pops up, type a name in the "Name" field.
  6. Right-click the name given in step 5 and select "Edit".

You will then see the SEE policies that can be modified:

  1. In the Group Policy Management Editor, expand the Policies hive under Computer Configuration.
  2. Expand Software Settings and look for Symantec Endpoint Encryption.
  3. Under Symantec Endpoint Encryption, highlight Framework and select Client Administrators.
  4. Add administrators or make the required changes, then click Save.
  5. Return to Symantec Endpoint Encryption Manager, right-click the GPO name given in step 5 above under the Group Policy Management hive, and select Enforced.

On the Client Side:

  1. Type "gpupdate /force" at the Command Prompt to pull down the new policy applied on the server.
  2. Reboot the machine.
  3. Log in with the new SEE Client Administrator account or the changed account details.

Section 2 of 3 - Removing Administrators from SEE Client Administrators of local SEE Clients

If you ever need to remove SEE Client Administrators from policy on the SEE Management Server, this can also be done using the steps from Section 1 above.

The main thing to keep in mind is that when an administrator is added or removed in policy, the SEE Clients **must** check in with the SEE Management Server before the new administrators are added or the old administrators are removed from the local list.

Once you have removed the SEE Client Administrators from the list, have the SEE Client check in with the server, then run the "list-user" command to confirm that the administrator was removed.


Section 3 of 3 - Troubleshooting

Once the SEE Client Administrators have been applied to policy and a client checks in, these administrators are available for use on the local systems.
On the SEE Management Server, each machine has a SEE Client Administrator list that can be viewed to show the listed administrators.

There is currently a known issue where SEE Client Administrators are added or removed locally, but the list on the server is not properly updated. This is a reporting issue only: the local SEE Client Administrators are added or removed correctly and work as expected, but the server may not show the correct list.


In order to check which SEE Client Administrators are listed locally, run the following command (in the example below, the name of the client administrator is "SEEClientAdmin"):

C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption>eedAdminCli.exe --list-user --au SEEClientAdmin


This will prompt you for the current passphrase. Enter the passphrase and the list of administrators should appear.

Tip: If the list of administrators on the server differs from what the SEE Client reports, this is the reporting issue described above. It has been resolved and the fix is included in Symantec Endpoint Encryption 11.4.
Please refer back to this article, or contact Symantec Encryption Support for further guidance.

EPG-25416

One method to validate that the SEE Client Administrators are being updated is to know the name of the SEE Client Administrator you added or removed. When you run the --list-user command, it shows all the administrators; check whether that SEE Client Administrator is listed or not.
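The check above (and the "list-user" tip in Section 1) can be scripted so the result is a clear present/absent answer rather than something read off the console. The following PowerShell function is an added example, not part of this article or of the Symantec product; it assumes the default install path shown in the article, that eedAdminCli.exe prints administrator names as plain text on standard output, and that the passphrase is still typed at the CLI's own prompt. The administrator names "SEEClientAdmin" and "HelpdeskUnlock" in the usage comment are constructed.

```powershell
# Added example (not from the Symantec article): run the --list-user check and
# report whether an expected SEE Client Administrator name is present locally.
# Assumptions not stated in the article: default install path below, plain-text
# output containing administrator names, passphrase entered at the CLI prompt.

function Test-SeeClientAdminPresent {
    param(
        # Existing administrator used to authenticate (the --au value from the article).
        [Parameter(Mandatory)] [string] $CurrentAdmin,
        # Administrator you added to or removed from policy and want to confirm.
        [Parameter(Mandatory)] [string] $ExpectedAdmin,
        [string] $CliPath = 'C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption\eedAdminCli.exe'
    )

    if (-not (Test-Path -LiteralPath $CliPath)) {
        throw "eedAdminCli.exe not found at '$CliPath'"
    }

    # The CLI prompts for the current admin passphrase on the console; type it there.
    # stderr is merged into the captured output so any CLI error is visible.
    $output = & $CliPath --list-user --au $CurrentAdmin 2>&1 | ForEach-Object { "$_" }
    $exitCode = $LASTEXITCODE

    if ($exitCode -ne 0) {
        Write-Warning "eedAdminCli exited with code $exitCode; check the passphrase and that the client has checked in with the server."
    }

    # Whole-word, case-insensitive match so "Admin" does not match "SEEClientAdmin".
    $pattern = '\b' + [regex]::Escape($ExpectedAdmin) + '\b'
    $found = [bool]($output | Where-Object { $_ -match $pattern })

    [pscustomobject]@{
        ExpectedAdmin = $ExpectedAdmin
        Present       = $found
        ExitCode      = $exitCode
        RawOutput     = $output
    }
}

# Usage (constructed names):
#   After adding "HelpdeskUnlock" in policy and letting the client check in,
#   Present should be $true:
#     Test-SeeClientAdminPresent -CurrentAdmin 'SEEClientAdmin' -ExpectedAdmin 'HelpdeskUnlock'
#   After removing it in policy and another check-in, Present should be $false.
```

Run it once before the policy change and once after the client has checked in; if Present does not change, the client has not yet pulled the new administrator list, which is the check-in requirement the Note at the top of this article describes.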


Applies To

Applicable to all environments using the Symantec Endpoint Encryption and GuardianEdge software.

Additional Information

259042 - How to Reset the Symantec Endpoint Encryption Management Server Password