Running Windows 7 Pro, AD 2008, EEPC 5.2.8. Just getting started with EEPC and doing some testing. First, I had problems getting SSO to work. I think I figured this part out, but now I'm testing password changes. When I change my test user's domain password, EEPC is not picking this up. The POA screen always wants the old Windows password. This whole Windows 7 SSO and password setup could really use clarification. Is there a document out there that specifies best practices or at least defines how the Windows logon settings specifically affect the user/admin experience?
I'm running Windows 7 Enterprise with EEPC v5.2.5 installed. My machine's General Options are:
Require logon to Endpoint Encryption - checked
Attempt automatic windows logon - checked
Require re-logon to Endpoint Encryption - NOT checked
all other settings in the Windows Logon section are checked
My SSO works great. Hope this helps.
Yeah. Those are the same settings I have. It's picking up my user's Windows credentials initially and seems to pick up password changes when the user initiates the change, but when I change the password through AD and then try to log in with the new password, EEPC will not take the new password or the old password. I'm not sure which password it wants, but none (old, new, system initial) of them work. It's really strange and obviously a major support nightmare if I can't get it solved. Any other thoughts?
Can you explain exactly how you are "changing the password through AD"?
One of the standard gotchas is changing the password in Windows (on an EEPC protected client using the "ctrl-alt-del" change password screen), and setting it to a password which is unacceptable to EEPC (via history or password content rules). In that case the password can get set to 12345.
The solution of course is to make sure to make the EEPC password rules as lenient as possible, if you are relying on the Windows password change rules to set the password.
I log on to my domain controller and right click the user and set a new password. I then have the user lock their screen and then have them log in to their PC with the new AD credentials, hoping EEPC will pick up the new password and so the credentials are cached locally by Windows. I have all of the EEPC password rules turned off or super lenient because I want to manage the rules through AD.
OK, another point then is that you are changing the password outside the EEPC environment, so it does not see it happen.
EEPC will only do an SSO cred update on two events - failed SSO, and detected local password change.
Since neither of these events is occurring, EEPC does not know anything about the password change unfortunately.
Finally, changing the password on the domain controller outside the EEPC environment won't change the user's EEPC password - something else is happening to make the current password invalid here.
OK. That sort of makes sense, but I'm wondering how admins manage Windows password resets? Often, users forget their Windows password or allow them to expire. How does the admin reset the password for them without breaking SSO? I can see the user having to use the old password to get through PBA and then EEPC picks up the new password when they log in with the new Windows password, but I'm stumped as to why the old EEPC password is not working.
Me neither - check the client log to see when it got changed perhaps? Maybe another machine synced and reflected a new password down?
If you do a c/r reset on the EEPC5 password, it will SSO into Windows happily still as EEPC knows what your Windows password is. If you reset both, then if Windows is willing, it will make the user change their Windows password, in which case the EEPC5 password will get changed at the same time.
The odd thing you are doing is actually changing the password in the domain - most domain admins would change the password to something temporary and set a forced change so the user gets to pick a new one straight away - this initiates the SSO back into EEPC on the user's machine straight away.
Ok. I started from scratch and manually created EEPC user accounts because I thought all of this might have something to do with how I synced the user accounts from AD. So, I have a manually created user account with a manually created computer account.
Here are my steps:
I'm not sure what changing the AD password has to do with changing the EEPC user password, but somehow EEPC is losing all knowledge of the EEPC user account password.
I'm lost here folks.