Hi @Krzysztof, I would first suggest tracking users that have a secure token. You can do this with the extension attribute below. You need to verify if the IT account or the user account has the secure token. Your issue sounds more like a broken password hash issue. Resetting the pw with the FV2 key is the only way to fix this unfortunately.
If you are looking to start managing secure tokens, I would suggest uploading the bootstrap token to Jamf Pro after automate device enrollment.
#!/bin/sh
# Who_Has_SecureToken.sh
#
#
# Created by Benjamin Janowski on 5/16/18.
#
AllUsers=$(dscl . list /Users | grep -v _)
for EachUser in $AllUsers; do
TokenValue=$(sysadminctl -secureTokenStatus $EachUser 2>&1)
echo "Checking $EachUser"
if [[ $TokenValue = *"ENABLED"* ]]; then
SecureTokenUsers+=($EachUser)
fi
done
if [[ -z "${SecureTokenUsers[@]}" ]]; then
echo "<result>No Users</result>"
else
printf '%s,' '<result>'"${SecureTokenUsers[@]}"'</result>'
fi
exit
