deployed to 100 users (approx 10-15 affected)
hope to get some input on this .... Has anyone any experience of users laptops 'fogetting' their password? - i've had approx 10 occurences of this now, with one user being affected 4 times.
The laptop seems to just loose the password token for the user and stops them logging in, the same password would work fine just days before (the guy's whos been affected 4 times now - uses his laptop everyday and for long periods so there is plently of time + opportunity to sync with the ePO server). Also i'm added as group admin to all encrypted laptops and i can always login, its the 'normal' users that loose the passwords - i'm unaffected.
It seems linked to windows updates and machines running Win XP - from questioning the users it seems it could be related to windows updates and is only affecting windows XP users (our win7 users seem fine), do particular windows updates overwrite/change the area of the HDD where the password tokens are stored? - it seems strange that it doesn't affect all users though!?
I'm testing on a XP VM and Win7 VM to see if updates cause loss of passwords at the moment (when i have time) - just wanted to know if there was any other ideas, experience someone has had can help me?
remember that all your machines talk to each other re passwords - so if the user changes his password on one machine, eventually it will send that to all the others - This is usually the cause of "mysterious" changes - users changed them on one machine which did not at that time get around to syncing the change with EPO - after a while, the machine did have a good connection and sent the password change to all the other machines, by which time the user had "forgotten" they had changed thier password.
I'm beginning to think its user error too!
I've done some testing with end user laptops while I had the chance and installed multiple rounds of windows updates that have required restarts (2 different laptops, different models) and neither have 'forgotten' the password...
The only one it doesn't really add up with is the fella who's suffered 4 times as he comes into the office and puts the lappy on a wired connection so its a reliable connection...
Do you have any tips to make the laptops sync faster? Currently I have the policy enforcment set to 5mins and the ASCI to 25mins, completing 2 sets an hour I thought was adequate
just trying to bump this on again.
I could do with a simple(ish) break down of what the computer does to check the users password at PBA through to windows where the events start tot sync with the server.
is it something like this:
1. laptop is powered on, PBA kicks in and user is shown login box
2. user enters correct PBA credentials and proceeds to windows
3. (with SSO enabled) user auto logs into windows to desktop
4. normal startup apps/services are run - inc mcafee agent
5. agent to server comms start
in a senario where a user had changed their windows domain logon password on another domain computer (a desktop - and left the laptop turned off during this time) and with sync windows password enabled in the policy - at what point is the laptop made aware in the above sequence?
is it only after the laptop gets back to the desktop to sync the password change made on another PC to the laptop?
what i'm getting to (eventually!) is that we're experiencing loss of passwords on laptops when the laptop wouldn't have been attached to the network to be updated of the change by the ePO server, there is no network connections - so the laptop should assume nothing has changed, yet the password is 'forgotten' - the new and old passwords both don't work..
if you change your pre-boot password, (or windows password and have the SSO enabled), it will upload that to EPO at the next ASIC (or round about that time when a policy enforement occurs). Other machines will download it during their equivalent events.
I'm not sure I have ever seen a disconnected machine "forgetting" the password - it's usually a K-C interface error, or the wrong keyboard mapping is selected, or something as simple as caps/numlock.
thanks again Safeboot.
i'll try and paint a better picture - we have a number of users at the company (around 200) who use both a laptop and desktop - only the laptops are encrypted. The users will move between offices/sites and each use their laptops a different amount - some everyday, some once every 3 months.
If one of the users changed their windows domain logon password on the desktop (forced by policy every 42 days) and doesn't use the laptop for another week or so (and the laptop remains switched off) - the automated activities on the ePO sync the AD account to the user account assigned to the laptop on ePO (as i understood it - this includes the password details) but never updates the laptop of the password change because it's off - yet it seems to 'forget' the old password and doesn't allow the new password to work either.
good shout on the CAPS/Num lock - will check for that next time.
shouldn't be keyboard mapping - as laptops are built from images but again worth a check.
what is a K-C Interface Error?
thanks alot again.
If the user changes their password on a non-EEPC machine, it won't affect the EEPC environment at all. What will happen, is that (eventually, depending on when Windows chooses to update their token) SSO will fail on the users EEPC laptop, and they will be forced to enter their correct windows password.
At that point, the EEPC password should get changed to match, as long as it conforms to the rules you've set. If not, it will it remain as their old EEPC password, and the two will differ.