Pawar,

Do you have any issues with adding groups to the Group Users for the container with your PCs in it?  More specifically, if you add a group with a few of your users assigned to a computer and then remove the users from the PC (because they are in the group), can you still sign in with the users you removed?

I can't and this is an issue for me and maybe others.  In my case, I had a regular user and an administrator added to a specific machine.  I then added my administrator group to the Group Users for the container and removed the administrator user from the specific computer since he should be allowed to sign in because of the group affiliation.

After doing this and waking up the agent, all of the users in the group can then sign in, except the user that I had removed from the computer.  If I apply him specifically to the PC again, he can sign back in, but when I remove him, he is toast.

I still can't assign multiple users or groups to a machine.  It does seem to recognize the username now after changing LDAP sync task to samaccountname but once I enter the username I get "Error EE0F0001 Token authentication parameters are incorrect"

I know this is not the case because I tried server users, adding the whole "User" OU to that device and it will only recognize the original account that I set it up with.  I've re-created the LDAP/AD Sync task and verified the connection works.  It obviously is half working because it recognizes the username portion....

I still can't assign multiple users or groups to a machine.  It does seem to recognize the username now after changing LDAP sync task to samaccountname but once I enter the username I get "Error EE0F0001 Token authentication parameters are incorrect"

Did you then try to use EE Options -> Recovery -> Administrator Recovery?

(with corresponding actions in ePO console, "Data Protection" -> "Encryption Recovery")

I'm sure you know this - but don't forget that the default password is always set to 12345 the first time for a user. After that, if you change it, it will pick up that password. Might be worth trying both.

The Ad-sync works much better now, but what is left over, are 2 locked out accounts in PreBootAuth. I cannot logon with my own account, and the other (renamed) user too. The users are recognized, but eighter with the default pw nor the real pw I simply get the error EE0F0001. Real pw cannot work as the users aren't logged on to the machine before and even if so, it should not work from my understanding. PreBootAuth gets the pw only from the dialog after logging on with the default pw.

Any ideas what to do/change for those 2 users in AD or in ePO, to get them back? Otherwise they accounts behave normally in the domain.

TIA

Thomas

Bypass pre-boot remove those users and add new ones.

Just to make it clear. I bypassed pre-boot, but where to remove those users? As they have no account on the machine, they aren't listed in "Encryption Users". I added the users via "From the groups:" All other members of this group can authenticate on the pre-boot, but those 2 not. I try it now with bypass, to logon with my user and then to remove it in Encryption Users, but I did this already earlier, when I encrypted with my user and so the user synced to encryption users too. No luck. Anyway I have a ticket open at McAfee.