Currently there is no functionality in the UI to reset a user's TOTP enrollment. If a user changes devices or uninstalls the TOTP application from their phone etc., Guacamole administrators have no UI for clearing the TOTP secret from the database so users can re-enroll. In a larger deployment this is of course a significant support scenario and a supportability concern as no UI for it exists.
Ideally the "edit user" page should contain a button such as "Reset TOTP" that would allow an administrator to clear the user's TOTP enrollment from the guacamole_user_attribute table.
My personal solution to this issue was a bash script that directly executes SQL against the Guacamole database (which obviously requires shell access to the database server) and a custom web server/-ice that provides a web interface to do the same with LDAP (AD) integrated login (as I can't write Java I couldn't implement this directly into Guacamole).