Could someone please expalin to me, ideally with some sort of flow diagram or in laymans terms how SafeBoot and Active Directory communicate passowrd changes, i.e. when someone changes their Windows password, how does this effect their SafeBoot password.
I was of the understanding that the user just had to do a synch and it updated their SafeBoot password, but now thinking about it more I don't think this is the case.
Our problem seems to be when users have to do their monthly Windows password change. If they change it on their own PC and synch, all seems OK. But if they change it on another PC or via the admin tool it causes problems when the month is up and they change their password. After a synch it still doesn't let them log in with their new password.
Can anyone explain how the process works to me please?
Basically Safeboot doesn't know what your password is unless you told it that.
When you're changing your password on a machine that has safeboot client installed, safeboot intercepts the change password request, it knows what is send to windows as new password, it is then possible to set the safeboot's password to be the same.
Once a user sets passwrd in AD (no mater how would they do that) it is not possible to recover the password. Let's say user is working from home on private laptop, they want to access corporate mail - they are able to because your company offers webmail solution to its employees. But the password is expired, so the user is asked to set new one.
The user's password in AD is then changed, next time they'd like to logon to windows they have to use new pass. Safeboot doesn't know that the password is changed, it cannot get that information from AD (basically nothing can, even being domain admin you are not able to recover passwords - in theory it is impossible). You have standard passwords mismatch then, to make the passwords the same again you have to change your safeboot password manually or, once logged to windows (passing through safeboot boot using old pass) change your windows (domain) password again.