How to resolve the following scenario in EEPC v6.2.1:
SSO is enabled
1. User forgets her password and uses self-recovery to reset to a new password
2. User locks system to step away from system
3. User returns and tries to unlock system using the new password
4. System does not recognise the new password
My questions are:
a). At what point will this new password in EEPC sync with windows or AD?
b). How do I resolve this issue
c). How do other forum users overcome this situation?
Message was edited by: sokam on 04/02/13 06:41:08 CST
Did they reset their EEPC password with self recovery, or their Windows password? The EEPC password will be set to the Windows password only during a Windows change password event.
She reset her password via the PBA screen using the Self-Recovery option.
So how does she get the password she reset via EEPC set to the Windows password - in other words, when does the "windows change password event" occur?
The user is now stuck at the moment because Windows does not recognise her new password.
Changing the EEPC password does not affect the Windows password - the problem is, your user does not know her Windows password. There's never been any feature in EEPC to touch or modify the Windows passwords, only the reverse - the Windows password is replicated to the EEPC password when the user does a password change (of the Windows password) within Windows itself.
This is not something EEPC can solve; you need to use some other technology to allow remote change of a user's Windows password.
If you didn't have EEPC installed, and the user forgot their Windows password, how would you resolve that? It's the same process now.
Thanks for the prompt and clear response.
Just to clarify the following:
1. So what is the use case for the Self-Recovery option in EEPC, e.g. for a user such as mine who is connected to AD (in the office LAN)?
What is the implication of not allowing users to perform self recovery?
2. If I change the user's password in AD will this new password be replicated to EEPC?
1. To get the user to the Windows login prompt, then you can use any one of a number of Windows password reset tools, or if they are on the LAN, you can just reset it in AD.
EEPC is not an "offline windows password reset" solution - there are a number of companies who specialize in that.
2. No, the change has to happen on a machine running EEPC, otherwise EEPC can't see it happen.
Thanks for the helpful responses,
What are the advantages and disadvantages of having the self recovery feature enabled?
Message was edited by: sokam on 04/02/13 16:34:33 CST
As SafeBoot states, and from my experience and research, EEPC never syncs with AD, i.e. if a user changes their PBA password through self recovery the new password will not be "picked up" by Windows. The only way to get the AD and PBA passwords to sync is for the user to do a Ctrl+Alt+Del in Windows and reset their password. What should happen then is that the PBA password will match the domain password.
If you use self recovery this should be the process:
User uses self recovery to change PBA password and get past PBA - at this point the PBA password is out of sync with AD.
User logs into Windows using their Windows password - If the user can't remember their Windows password it will have to be reset by AD so they can login. If they are off the network, they are out of luck, unless you have another method to reset domain password like SSRPM.
To bring the PBA and Domain passwords back into sync, the user MUST do a C+A+D password reset.
Three things to appreciate are:
1) EEPC can only "listen" for a password change on the local machine i.e. C+A+D event
2) Changing the password in AD will NEVER be picked up by EEPC - it's important that your Help desk understand this concept
3) Changing your PBA password with self recovery is NEVER picked up by Windows - it is used purely to get the user past the PBA screen