cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
marko125
Level 9
Report Inappropriate Content
Message 1 of 3
‎10-17-2019 01:53 PM

DE Active Directory sync and disabled users

Hello,

Can somebody describe DE AD sync in case of disabled AD user. DE 7.2.9 version

We have properly working laptop with PBE and SSO and are using AD auto provision option in DE.

1) User disabled in AD. (DE AD sync policy has disable option.)

2) change synchronizes to ePO and then to endpoint resulting DE user disabled.

3) User is enabled in AD and password is reset.

Question: Will this "user enabled" change replicate to ePO and to endpoint? Or is the only option using user Recovery / Unlock Disabled User. Or alternatively delete user and let auto provision assign new user? If there is only one user assigned to endpoint and if we delete that - isn't decryption starting automatically?

4) User Recovery / Unlock Disabled User - is used and user is able to log to windows. Now to get passwords in sync, Ctrl-Alt-Del -> Change password should be used.

Question: Will password sync work in case of User Recovery - by my understanding it should.

Thanks in advance,

 

Marko

Labels (1)
0 Kudos
Reply
2 Replies
sbalamur
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 3
‎10-17-2019 06:28 PM

Re: DE Active Directory sync and disabled users

@marko125 Thank you for choosing Support Community.

I would try to explain in the best way how i understand your issue please correct me if i am wrong..

1) User disabled in AD. (DE AD sync policy has disable option.) -Ok

2) Change synchronizes to ePO and then to endpoint resulting DE user disabled. - So From next login end user cannot login with AD account assigned to the machine.

3) Will this "user enabled" change replicate to ePO and to endpoint? : No because the LDAP sync is not happened & yes you may need to perform unlock disabled user from the recovery option at PBA.
If there is only one user assigned to endpoint and if we delete that - isn't decryption starting automatically? : No Decryption happens only by policy enforcement.

4) User Recovery alone may not update password sync as user recovery will ensure the user is just valid based on challenge code and to update new/changes password we need to either run LDAP Sync or at Ctrl-Alt-Del screen after login to windows

For more information Refer : How disabling/deleting a user in Active Directory affects the Drive Encryption user

De 7.2.X Product Guide (PD26653) Pg no : 93

I would request you to reply with more details if the issue is any different from my understanding. We would be more than happy to help..






Was my reply helpful?If you find this post useful, Please give it a Kudos!

Please don't forget to select "Accept as a solution" in my reply and together we can help other members?

Regards
Subramanian B
McAfee Employee
0 Kudos
Reply
marko125
Level 9
Report Inappropriate Content
Message 3 of 3
‎10-17-2019 11:17 PM

Re: DE Active Directory sync and disabled users

Thanks for quick answer!

In your answer point 3. I assumed, that "LdapSync: Sync across users from LDAP" happens in mean time and this will synconize user enabled event from AD to ePO. So question is that if user enabled account syncronizes to endpoint at all? Or if you say, that there is no sync - can you describe, why this sync is not happening.

I read pointed chapter from manual, but this is sort of confusing - it includes all 3 use-cases - ignore, delete or disable AD disabled account and I don't understand what happens exactly in case of disabled user.

From manual: "then initialize the same user name on the client with the default password.
This does not remove the user from the DE Users list in ePolicy Orchestrator, however, it removes the
users from the client system based on the option set in the Server Settings."

Does this mean, that if DE user is disabled, then to activate that user again, user initialization should be done - what are the options for that? User Recovery / Unlock Disabled User is one option? Are there any automatic option without support personnel interaction?

Will it work better, if we delete disabled AD users from DE - then as soon as user is enabled and able to log into windows properly, user will be added back to DE? Next time at PBE new user password is requested and and then user should use Ctrl-Alt-Del to get passwords syncronized.

Third option for AD sync is ignore and I think this is the less secure option as we ignore disabled users, then continues working - user is unable to log into windows, but can reach to Windows login prompt.

Thanks in advance,

Marko

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com for Enterprise

Legal   |   Privacy   |   Copyright © 2021 Musarubra US LLC