Looking for 'reasonable' (usable!;-) device settings for using 5.3 Endpoint Device Encryption in a primarily Novell environment. We also have an Active Directory, which is sync'd from eDir, however our primary login is using the Novell client and we need/use contextless login as well as location profiles (for laptop users), so SSO (replacing the gina) will not work (without using aliases and other fudges - and that path has been dismissed already!!)
I think the best we can aim for is a safeboot boot login, that boots the machine and then presents the user with their 'standard' Novell gina, which will give them their location profile choice and then cxless login. Ideally we'd like to use the same usernames for safeboot as per edir/AD - we can sync these using LDAP all OK. The issue appears to be managing the passwords... It appears that the 'Set Safeboot Password to Windows password' (i.e. sync between the two) is only 'active' if you are using the safeboot gina.... Is this correct? It would be nice if we could just leave the 'Windows login' (Novell Gina) process in place, but have the 'safeboot logon component active' to capture and sync the password changes that are made during a session - Is this possible?
I hope this makes sense and that someone has already invented this wheel...!!
So... setting the 'Safeboot client component always active' and 'Set Safeboot password to Windows password' seems to work.... Some of the time....! Well, it works fine from CTRL+ALT+DEL Change Password, provided you follow all the password restrictions. Unfortunately it doesn't work from the Novell client 'password expired' change dialog.... It comes up with "The Windows Password Entered is Invalid", even though it isn't (I can set the exact same format of password using CAD Change...
Therefore it looks like it could be the way that Safeboot password sync is returning to Windows, which is being synced from the Novell client (function/setting of Novell Client, which works just fine without Safeboot client...)
It seems that the password restrictions (via user template settings) are messing things up for me, though I have reset them to their most basic (3<40, 0/not set on all other options)... However, I don't think these are actually being adhered to... If I just try and change a password in safeboot it doesn't allow me a basic 3 char alpha password - it wants a more complex password with mixed case and numbers, even though I have specifically NOT set these requirements.... Can anyone clarify/help me with the requirements? Basically I am happyto let the Novell NMAS Policies handle the complex requirements and want to leave Windows and Safeboot in their most basic settings so that that they will take what is handed down to them from the Novell Client
I stand corrected... Ignore this - it's nothing to do with Safeboot!! I went and re-preformed my checks and it appears to be an issues with WinXP SP3 and Novell Client 4.91SP4, etc. Password changes are OK through CAD, but not the Novell login expiration handler....
Sorry to post incorrectly - off to the Novell forums!! wink
What we did was use a file imported into safeboot that changes the gina to MSgina, and novell then remianed a background logon. The reason for this was that the safeboot gina replaced the novell gina, but then references it to pass the logon too. so what happens when you remove the novell client for troublshooting, etc. Safeboot tries to pass the logon to a gina that does nto exist and you have problems. If the Msgina is in there you can't really go wrong. with Safeboot 4.2 this was a killer cause safemode was prevented which kept you from repairing the GINA