I am about to embark on rolling out EEPC 6.1 via ePO.
We have currently over 700 laptop users, but wish to allow everyone who is in our domain to login to an EEPC laptop (so an extra 1600 users). This figure will probably increase as time goes on.
I have read KB68517, which suggests for best practice the total users should be as near as possible to 500 users.
Has anyone had a rollout to users around the 23/2500 users? What problems did you come across? Are there any lessons learned that you could share with me?
Many Thanks for your help/suggestions
I think that the issue you will need to overcome is the partition size to host that number of users.
Secondly, the logon times will be measured in days.
We have some devices with 300-500 users total on them. They take minutes to get to the Windows logon screen, and we are using 6.1; with 6.0 it was still longer.
Are you using the newest processors? If so they may help; some of the marketecture shows faster performance with logins.
And don't forget that you will need to sync those people's credentials at 100/cycle, so that's 25 cycles. How often are passwords, resets, users and how often are you syncing?
Support blanched when we would say we had 300 on a machine.
We're trying to get over 1000 for loaner laptops and conference room laptops. No dice. Support said no, yet I've read where others do it even with the 20MB PBFS. I increased to 100MB and let the PC stay on over a 4 day weekend. Even did several manual collect and send props. Different results on two different, identical laptops. I'm just giving up and we're going with desktop in those areas - not sure what we're going to do with loaner laptops since policy requires PBA. Also, we support starts to squawk when we get over 300 or so users, why do they put the option to add users by OU? Not "too many" OUs in an enterprise environment with < 300 users, maybe some. I at least feel that there should be a MAX user limit in some type of text on the Add Users page. They shouldn't have to wait for an Enhancement Request for this.
I feel your pain on the loaner PCs and classroom PCs. They are classic problems for full disk encryption + pre-boot authentication technology. I would recommend instituting a process for the loaner laptops whereby the systems have pre-boot auth enabled but have to call the helpdesk to get provisioned to the system.
The process would go like this
There are some cool things we could do to solve this with our forthcoming Intel integration. Since that will give us a network stack in the pre-boot environment, we could push the user down without having to first do a challenge response to get into the OS. Or at the very least, we could eliminate the challenge response from the process and instead do an immediate boot once, like in this demo http://www.youtube.com/watch?v=vwvvXslyZ2A. In fact, you could automate the whole thing if you used the ePO 4.6 web API to pre-provision user accounts in ePO. Then when the system got to pre-boot it could query ePO (using the new network stack from Intel) to see if any new users were assigned. Oh that would be cool! Of course, this Intel stuff is not out yet and this is in no way a commitment to deliver that - I just want to show what would be possible.
I would recommend that if you are not using smartcards, remove the certificate sync from the LDAP sync task (set the field to empty). You may have certs in AD which are being pulled across and are stored in the Preboot filesystem yet add no value (certs are only required for smartcard authentication). This should mean that you can squeeze a lot more users into a 20MB PBFS.
I would also be interested in more details on the time-to-windows-logon with a large number of users.....is the bulk of this time getting through the preboot process, or is the bulk of the time after Windows has started up but before the login prompt is displayed?