EPO-Janni
Level 9

How to deny access for explicit Windows user with local stored Windows profile

Hi,

I have the following problem with EEPC 7.0.1 used with EPO 4.6.5. After deploying EEPC on a Windows machine, all users with locally stored Windows profiles can log on using EEPC pre-boot authentication. That is what we configured. For instance, user Anton has a locally stored Windows user profile and no explicit EEPC access right configured in EPO. Anton can log on using EEPC pre-boot authentication. That’s OK in that case.

But now I’m trying to deny access for Anton. I removed his locally stored Windows profile on that PC. And I also removed his entry in EPO in “Encryption Users” – “View Users” with the appropriate machine selected.

But this user entry of Anton appears again after some hours in EPO “Encrypted Users” on that machine! I removed these two entries (Windows profile and “Encrypted User” entry) again and also restarted the PC again. But after some hours Anton appears again in EPO “Encrypted Users” on that machine and he can log on! Why? How can I remove Anton to deny access on that EEPC machine?

Best regards,

Janni

0 Kudos
6 Replies
SafeBoot
Level 21

Re: How to deny access for explicit Windows user with local stored Windows profile

If you are using automatic add domain users, and Anton has a profile, he will get added to the machine.

You need to remove the profile of course - if Windows is adding it back after you delete it, you need to work out how that is occurring.

Cached network profile maybe?

0 Kudos
EPO-Janni
Level 9

Re: How to deny access for explicit Windows user with local stored Windows profile

Hi,

Thanks for the feedback. We don't use server- or network-stored Windows profiles. So the Windows profile is stored on the local HDD. And there I deleted the profile of Anton. In EPO I only configured two AD groups in "Encryption Users" - "Group Users". And these two groups contain 12 AD user accounts, not including Anton. So I don't understand why the Anton account is restored after removing his local Windows profile and his "Encryption Users" entry!

Regards Janni

0 Kudos
SafeBoot
Level 21

Re: How to deny access for explicit Windows user with local stored Windows profile

You said his Windows profile reappeared -

"I removed these two entries (Windows profile and "Encrypted User" entry) again"

This is a function of Windows. EEPC does not create local user profiles. I suspect the simplest answer is someone logged in as Anton on the machine.

Maybe you don't have "must match user name" ticked in the SSO policy, and one of the EEPC accounts is linked to Anton's Windows details?

0 Kudos
EPO-Janni
Level 9

Re: How to deny access for explicit Windows user with local stored Windows profile

Hi,

No, sorry, it is not the Windows profile that appeared again. Only the "Encryption user" in EPO appeared again and again some time after deleting it. And I don't know why. The Windows profile doesn't appear again after deleting.

Best regards

Janni

0 Kudos
EPO-Janni
Level 9

Re: How to deny access for explicit Windows user with local stored Windows profile

Additional: The user doesn’t appear in “Encrypted Users” in EPO again if the corresponding EEPC-encrypted PC is offline. But if the PC is online for a while, the deleted user appears again in “Encrypted Users” on the EPO server. But the corresponding Windows profile isn’t on the machine because I deleted it some days before. So it seems that this problem is initiated by the corresponding EEPC PC. Where is the point to check or remove this property to disable this “automatic EEPC user restore mechanism”?

Best regards Janni

0 Kudos
EPO-Janni
Level 9

Re: How to deny access for explicit Windows user with local stored Windows profile

Hi,

It seems that I found out the reason for that problem. It’s not enough to delete the XP user profile to prevent the EEPC user from appearing again and again in EPO “Encrypted Users”. The registry sub-key in \HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\ that contains the corresponding user content also has to be deleted. After doing that, the user entry doesn’t appear again in “Encrypted Users” on EPO.

Best regards

Janni

0 Kudos
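An added example, not part of the original thread and not McAfee code: a PowerShell script that audits the `ProfileList` key named in the last post for sub-keys whose profile folder no longer exists on disk, which is the leftover state described there. The `-RemoveOrphans` switch name and the restriction to `S-1-5-21-` SIDs are assumptions of this example; run it elevated, and with `-WhatIf` first to preview any deletion.

```powershell
# Added example: find ProfileList sub-keys left behind after a profile folder was deleted.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$RemoveOrphans   # hypothetical switch for this example; off = report only
)

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

$entries = foreach ($key in Get-ChildItem -Path $profileList) {
    $sid = $key.PSChildName
    # Assumption: only domain/local user SIDs matter; skip SYSTEM, LocalService, etc.
    if ($sid -notmatch '^S-1-5-21-') { continue }

    # ProfileImagePath may contain %SystemDrive% style variables; expand them.
    $rawPath = (Get-ItemProperty -Path $key.PSPath).ProfileImagePath
    $path = if ($rawPath) { [Environment]::ExpandEnvironmentVariables($rawPath) } else { $null }

    # Resolve the SID to DOMAIN\user; deleted accounts and ".bak" keys will not resolve.
    try {
        $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        $account = '<unresolved>'
    }

    New-Object PSObject -Property @{
        Account      = $account
        Sid          = $sid
        ProfilePath  = $path
        FolderExists = [bool]($path -and (Test-Path -LiteralPath $path))
        KeyPath      = $key.PSPath
    }
}

# Orphan = registry entry still present, profile folder gone.
$orphans = @($entries | Where-Object { -not $_.FolderExists })
$orphans | Format-Table Account, Sid, ProfilePath -AutoSize

if ($RemoveOrphans) {
    foreach ($o in $orphans) {
        if ($PSCmdlet.ShouldProcess($o.KeyPath, 'Remove orphaned ProfileList key')) {
            Remove-Item -LiteralPath $o.KeyPath -Recurse
        }
    }
}
```

After removing a stale key, the user's entry under "Encryption Users" in EPO still has to be deleted once more, as in the thread.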