We are researching password management software that would enable our end-user to reset their AD, Mainframe and AS/400 passwords. The problem is what do you do when the users is at the Pre-OS screen and doesn't know their password. We have version 5.1.7 which allows self-service Endpoint password resets but this only takes care of Endpoint, not AD, Mainframe...etc. Most of the solutions we've looked at use a web-interface off the GINA. Has anyone been able to pass information to or from the Pre-OS screen? Any suggestions would be most helpful.
you can't pass it in and out of the preboot as there's no network at that stage.
If you're wanting to automate the password reset, there's a bunch of simple API commands you can use with other password management software to change, recover, manage the endpoint encryption passwords. Your unified password management provider should be able to take them and add support for the encryption passwords into their solution.
You can reset the password locally, boot the machine to pick up a new password (if it can get online), and set passwords for endpoint encryption all through the API. You can even do a local password change if you first recover the machine.
1. User has forgotten their AD password which is "dog1" and they are at the Pre-OS screen. 2. At the Endpoint Pre-OS screen they change their Endpoint password to "12345." 3. At this time their AD password is still "dog1" but they would still log into windows because Endpoint still has the correct password on the local database? 4. The user would reset their AD, Mainframe or AS/400 password to "cat1." 5. Using API connections their Endpoint password would be reset to "cat1" also?
Please pay special attention to step number 3. I tested the self-service password reset and it seemed that Endpoint still had my old AD password. At the GINA Endpoint must have passed my AD password and let me right into the OS. Is there a way to change the behavior to stop at the GINA if a Endpoint password reset has taken place at the Pre-OS screen? I would not want a user to believe that all/any of their other passwords have been changed since they were logged into the OS with their old/forgotten password.
I guess the ultimate goal is to reduce the number of steps a users has to take. If they have to call the help desk to reset their Endpoint and AD it defeats the purpose of self-service resets. From what I can find most of the calls do not involve Endpoint, rather they are already at the Windows screen.
One last question. When I used the self-service reset on Endpoint why did it allow me to pass into Windows and not fail at the login? Is it because my AD password had not change, only my Endpoint?