Section 1 of 3 - Changing Passwords or Managing SEE Client Administrators

Changing the Password for Environments using the Native policies:

1. Open Symantec Endpoint Encryption Manager.
2. Expand the Hive named Symantec Endpoint Native Policy Manager.
3. Select the appropriate group.
4. Click Next to each policy until you reach the SEE Client Administrators list.
5. Make the needed changes to the SEE Client Administrators, or even add new SEE Client Administrator accounts with associated roles.

On the Client Side:

1. Update policy and restart the machine
2. Try to log in with the New Client admin password

Tip: You can also do a "list-user" option via the CLI to display the current administrator's list.  In the example command below, the name of the current SEE Client Admin is "SEEClientAdmin":

C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption>eedAdminCli.exe --list-user --au SEEClientAdmin

This will prompt you for the current passphrase.  Enter the passphrase and the list of administrators should appear.

Changing the Password for Environments Using the Group Policies:

In order to modify the SEE Policies when using "GPO" policies, you'll need to locate the GPO itself.

______________________________________________________________________________________
Tip: If you're not sure if you're using GPO VS SEE Native Policy, open the SEEMS Configuration Manager.
Under the Active Directory page, if nothing is configured, SEE Native Policy is being used.

SEE Native Policy is recommended for ease of use and ease of policy management.
This is because when using GPO policy, whoever is making changes to these policies in AD, must have the Windows AD/GPO permissions to edit and update, whereas SEE Native Policy requires its own SEE Administrator to make the needed changes.

If you are you using GPO and would like to simplify your management significantly, see the following article:

243136 - Migrating to Symantec Endpoint Encryption Policy Methodologies to SEE Native Policies (From Active Directory Policies)

If you're unsure what to do, feel free to reach out to Symantec Encryption Support for further guidance. 
______________________________________________________________________________________

1. Open Symantec Endpoint Encryption Manager as seen above.
2. Expand the Hive for the Group Policy management.
3. Go to the Appropriate level to apply the Policy.
4. Right click and select "create a GPO in this domain, and link it here "
5. In the "New GPO" window that pops us type the name in the field marked as "Name"
6. Right click on the Name that is given in Step 5 and select "edit"
    

You will then see the SEE Policies that can be modified: 

1. In the Group Policy management Editor expand the hive for Policies under the Computer configuration.
2. Further expand software settings look for Symantec Endpoint Encryption.
3. Under Symantec Endpoint encryption highlight framework and select Client administrator.
4. Either Add or Make the changes as required and click on save
5. Return to the Symantec endpoint manager and right click the name as given in step 5 under the hive " Group policy management and hit on Enforced.
   
    

On the Client Side:

1. Type  "gpupdate /force " in the Command prompt to pull down the new policy applied to the server.
2. Reboot the Machine
3. Log in with the New Client admin account/changed account details
    

Section 2 of 3 - Removing Administrators from SEE Client Administrators of local SEE Clients

If you ever need to change the administrators of SEE Management Server for the SEE Client Administrators, this can also be done using the steps from the first section above.

The main thing to keep in mind is when an administrator is either added or removed, in order for these new admins to be added, or old admins to be removed, the SEE Clients **must** check in with the SEE Management Server to update the list. 

Once you have removed the SEE Client Admins from the list, check-in with the SEE Client itself and then run the "list-user" command to see that it was removed.    

Tip: You can also do a "list-user" option via the CLI to display the current administrator's list.  In the example command below, the name of the current SEE Client Admin is "SEEClientAdmin":

C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption>eedAdminCli.exe --list-user --au SEEClientAdmin

This will prompt you for the current passphrase.  Enter the passphrase and the list of administrators should appear.

Section 3 of 3 - Troubleshooting

Once the SEE Client Administrators have been applied to policy, and a client checks in, these administrators are available for use on the local systems.
If you check on the SEE Management Server for these machines, there is a SEE Client Admin list that can be viewed to show the listed administrators.

There is currently a known issue where SEE Client Administrators are being added/removed locally, but does not properly update the list on the server.  This is a reporting issue only and does not affect the functionality of adding/removing administrators for actual use of the SEE Client Administrators. 

As this issue is only shown to be a reporting issue because the SEE Client Administrators are getting added or removed properly, the issue is that the reporting is not properly reflected on the server.  The local SEE Client Administrators will be added or removed, but the server may not show the proper list.

In order to check if the SEE Client Administrators are listed, run the following command (In the example below, the name of the client admin is "SEEClientAdmin":

C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption>eedAdminCli.exe --list-user --au SEEClientAdmin

This will prompt you for the current passphrase.  Enter the passphrase and the list of administrators should appear.

Tip: If the list of Administrators is different on the server than what is reflected on the SEE Client, this has been resolved and is included in Symantec Endpoint Encryption 11.4. 
Please refer back to this article, or contact Symantec Encryption Support for further guidance. 

EPG-25416

One method to validate the SEE Client Admins are getting updated is to know the name of the SEE Client Admin you wish to add/remove.  When you run the --list-user command, this will show you all the users.  Check to see if the existing SEE Client Admin is listed or not.  

Applies To

Applicable to All environments using the Symantec Endpoint Encryption and Guardian Edge Software