We have been experiencing high volumes of user calls on the Monday after a patch weekend. The users are unable to log into their machines and the help desk has to do a user recovery over the phone to get them going again. I would estimate the call volume at 1-2% of the total encrypted user population (about 5600 systems). Is this normal? I initially thought it was users forgetting their passwords but we haven't had to reset their domain credentials only Safeboot. I admit a large percentage of this group only reboots their computers once a month (when forced by the patching process) but I don't think there should be so many issues. Any suggestions on where to look for issues? We are currently running server version 5.2.11 and have a mixture of client versions primarily 5.2.0, 5.2.5, and 5.2.10. Majority of the user systems are running Windows XP. Any advise is appreciated.
are the calls simply forgotten passwords? If so, I can't see how that can be attributed to any patching.
You do realize that even if you reset their pre-boot password, if you're using SSO, EEPC still knows the "correct" Windows password, so will keep relaying that until it expires?
I would grab a client log and see if there's anything reported.
Thanks for the response. Patching isn't the cause but it is the only time we 'force' users to reboot so our investigations have shown many of the users only end up rebooting at that time and hence run into the login prompt (and putting a high strain on the help desk the next morning).
I am aware the credentials are still cached since we are using SSO but the user still needs to know their password to access a number of other resources we have. I can put some more thought into how to verify the user has actually forgotten the password vs something going wrong with the system. I'd like the think it was just users forgetting theiir password but its hard to prove this one way or the other. I've pulled many client logs and have found a few issues but the majority are clean.
It would be helpful for us to hear if this is a common situation or if we have a technical issue that needs to be addressed. Since EEPC is so visible to the end user it gets blamed a lot.
take a look at the audit for one of the recovered users - look for change password events and logon events - if you see a bunch of incorrect password attempts, after a successful login attempt, with no change in the middle, you know it's a Keyboard-Chair interface issue.