We have a website for users to do a self-service password-reset of their AD accounts. Whenever this is done, I would like to synch this new password with the user's (local) SafeBoot password. I can use the "ResetPassword" API (initiated from our website) to set the password on the SafeBoot server itself, but how do I get this changed password (immediately) to the client? Yes, I know that I could wait for the client to synch (eventually), but this will cause problems if the user logs off before this synch takes place.
It looks like the only script option for this type of synchronization is initiated from the client (using ForceSynch). Is it possible to do this through the server itself?
So basically, I am looking for the same functionality that I get by right clicking on the machine in Encryption Manager and selecting "Force sync" (that is, initiating the synch from the SB server vs. from the client).
Hmm, haven't looked into it (no SB/EE environment at home), but if you can dump the list of machines the users are assigned to, you could script (Altiris, SMS, PSExec, etc) a solution where you'd force the computer to run ForceSync?
I'll play tomorrow to see if there might be a better idea.
Sorry, I don't see anything else in the docs that might help force the sync down from server side. I think you're looking at a client side ForceSync to accomplish this - you've just got to engineer the solution that triggers it.
There is not currently a product feature for this. The only way you could do it would be to somehow detect the change on the client (perhaps a bit gets flipped in the registry) and check for that change in a programmatic way (maybe a logoff script). The script would have to call our ForceSynch command, as you rightly suggest.
I have had some customers implement a logoff script that does a ForceSynch on shutdown. This adds more value than just catching password changes; it makes for more accurate reports and ensures policy changes are actually enforced.
I suppose you could reduce the risk by simply modifying your sync interval. How many clients do you have?
Actually, I am thinking that adding it to the logoff script might just do the trick. Not ideal, but workable. But I am wondering if the "Friday Syndrome" might overtax the server (that is, everyone leaving at the same time at 5:00 and trying to synch at logoff). Much the same way that the synch is delayed in the morning to avoid such a scenario.