We are experiencing a major issue with MEE PC that just started yesterday morning (5/15/13). As far as I can tell, MEE seems to be resetting a large amount of accounts to an unknown password. I started recieving calls about not being able to login, which is fairly normal with the amount of users that seem to forget their passwords. I was able to reset the tokens successfully and the users were able to change their password and login. But as soon as the user sync'd with the server and restarted, the new password would not work. This is happening to WAY too many users, including the IT staff, to be the typical "forgotten password". Especially when I set the password myself. This has happened to at least 30 of our users over the last 24-hours and the only solution I have found is to do a recovery to boot the system once, and then instruct the user to not shut-down...which is really no solution at all.
I do have a ticket in with McAfee support, but I am hoping someone on here has experienced something similar.
Our PC details:
All Windows 7 x64
Users are assigned to specific machines, with a small group of IT staff added to all machines
MEE version 5.2.12 with a few still on 5.2.5. Most of the issues affected users are using 5.2.12
Steps already taken:
MEE server restarted
Delete User accounts and re-create and re-add to systems
Recovery to boot machine once
recovery to reset user passwords
none of which has made any difference.
Any help would be GREATLY appreciated.
Completely forgot to ask about what I was most curious about.
If I view the Audit information of the effected users, I see an entry for "Recovery Started" right before they are unable to login, and then every time they sync I see it again. I feel like this has to be what is causing our problem, but I can't find any information on the event ID or why it would be trying to recover without any input from IT staff.
can you grab a client log? The only reason I can think of is someone has been tinkering with your back end db - maybe they restored an old version of the top of it. The client log may give us some hints.
Recovery started I think is logged if the user hits the recover button.
Changes you make not sticking are usually because an admin has connected with the wrong time/zone on their pc - setting a timestamp far in the future. You need to recreate the token to solve this - just resetting it won't change the timestamps, so do a create token on the problem user.
Maybe someone bought an old machine online, and tried guessing the passwords for the users - that would flag them system wide and would cause token updates (if they were eventually able to login on that old machine anyway).
Thanks for the reply. A different group houses the actual server/DB so it is possible someone messed with something without our knowledge, but it happens every time the user sync's again, so a 1 time DB restore to an older version doesn't seem a likely cause.
The timestamp thing looked like a promising cause, I saw a few other threads about that. But that is also not our issue.
Our IT staff is too small to have someone randomly bring a system back online and not say anything after issues started. And our users only have access to one system each. All of our systems are tracked pretty well, there are no "rogue" systems out there with MEE installed.
After looking around here, i saw alot of threads about problems occuring with SSO and with the option to set the MEE PW to the current windows PW automatically. We dont use SSO, but we do use the "password sync" option. I decided to just turn that off and voila. So far it has fixed the issue on 8-9 computers.
Any idea why an option which has been set for years would all of the sudden cause a widespread problem like this? It seemed to take effect right after the most recent windows update...is it possible that Microsoft closed the "hole" that allows MEE to grab the password and is corrupting the MEE password?
I don't see anyone else reporting a problem, if it was the Microsoft update, you'd have thought it would have affected everyone.
Did you have the "must match username" ticked in the Window Login policy of the machine? If you view the SSO creds of a broken user - does the user name for Windows match the pre-boot user name?
Did you get a client log - I don't see one attached.