Sometimes the passwords do not synch between AD and SafeBoot. Here's the scenario:
1. User is working fine in SafeBoot.
2. User changes password on non-SafeBoot machine.
3. User logs onto SafeBoot using old password.
4. Windows blocks user, requesting password.
5. User enters new Windows password.
6. User forces synch with Safeboot Server.
7. User logs off laptop.
8. User Logs onto laptop and has to use OLD password.
9. Logon proceeds THROUGH the Windows logon and does not ask for new password!
10. User can log onto other SafeBoot laptops with OLD SafeBoot password and get through Windows logon WITHOUT being prompted for NEW password!
Somehow the NEW Windows password has been saved, but the SafeBoot password has not changed to match. The settings are correct to the best of my knowledge and password changes have worked correctly for this user in the past. Other users in the group have also successfully changed passwords.
Any ideas why? How can I get the passwords back in synch? Do I have to do a user recovery to get the passwords in synch? What if I have them manually set the SafeBoot password to match the AD password?
I'll certainly accept that Windows does odd things, but as long as the machine has a network connection to the domain I have never seen one accept an old password. There certainly are things going on under the covers that I don't know about that may make this fit some flowchart MS has created.
My real concern here is why can the user move around the domain with the old password? The client must have that new password somewhere, and it did prompt the user for the new password once, SafeBoot just didn't synch when it had the chance.
In the end my original question still stands. When this happens to a user, is there a way to FORCE the two passwords to synch back up? Our users move between desktops (not encrypted) and laptops (encrypted) regularly, so having two passwords for the network will not go over well.
If the SafeBoot password is "Old" and Windows password is "New", then as a quick workaround, just have the user set their SafeBoot password to match what Active Directory has. You can do this one of three ways:
At pre-boot by selecting "change password"
In Windows, Ctrl+Alt+Del, Change Password, select "SafeBoot Network Provider" (or whatever the exact text is)
Perform a user recovery for the affected account (or reset to default, force synch, and have them set it right).
As far as why it happened, have you read any of the other password synch docs here? Check SB password complexity settings or UPN issues with certain SB versions.
Thanks folks. The complexities are good. I've read many of the threads, but didn't see the same problem mentioned. Having to reset the password is a bit of a pain, but if that is what we have to do then I guess that is what we have to do.
JMB - I ran into the same thing where SafeBoot knew what the new password was but didn't keep them in synch. So I'd login to SafeBoot using my old password, but SafeBoot would pass the proper password into Windows. If I locked Windows or had to logout, I would unlock or login using the new password, but SB would only accept the old password.
If you paste what your settings are from the SafeBoot console for one of the machines you're having a problem with, I'm sure the rest of us would be happy to comment.
I have a user who changed their password while at home last night. Today after getting in to the office and forcing a change for the user to a new Safeboot and new Windows AD password, he still gets the error 0xe0050016 incorrect user logon. If the user reboots the machine, he gets the same error message.