jmcleish
Level 13

Moving assigned encrypted users to a different OU in same AD - can they still logon?


Currently running McAfee Drive Encryption 7.1.1 and ePO v5.3.1 (and also an older version, 4.6.9, which we still have some encrypted users on that I’ve not had a chance to migrate off yet).

I need to confirm that if we move our encrypted users in AD, they will still be able to logon to their encrypted machines. (I have already raised a call, and the support guys said something different from my reseller support and my (limited) testing.)

We have users, admins (ePO admins) and support staff:

machines are moved into a specific group in ePO.

We manually assign users to each individual machine. (Encryption Users, select PC, add users, add Drive Encryption Users - Users)

The admins are assigned individually at the group level (Encryption Users, select group in system tree, select group users, add users)

The support staff are added via a group at the encryption users Group Users level (Encryption users, select group in system tree, select group users, add users, from the groups).

I also have one machine (pool) that has users assigned via a group (Encryption Users, select PC, add users, add Drive Encryption Users, from the groups).

When you assign a user it shows the distinguished name in the encrypted users section. LDAP attributes used are samaccountname for both User Name and Display Name.

Now we are going to move all our user accounts (not groups), which are scattered in various different OUs in our AD structure, to under one OU (this is going to happen, so I have no option but to find out the impact this will have on encrypted user assignment).

Can someone please confirm definitively if, after all users are moved from their current OU in Active Directory, will

1. individually assigned users still be able to logon

2. group assigned users still be able to logon

3. Users in a group, will still be able to logon

(Also, I know 4.6.9 is no longer supported, but if there's any info related to this version I would appreciate it, so I know I have to move them first.)

What (if any) impact does the timing of the LDAP sync task have?

I was told by McAfee support that moving the users to a different OU would change the user hashID and they wouldn't be able to logon. My reseller said manually assigned users would be able to logon, but not ones assigned in groups. My limited testing shows that manually assigned users could logon well; the last phone call from support was a "we think" that they won't be able to logon!! So not entirely convincing! Not had a chance to test the other scenarios yet.

Previously I remember using either EE 6.1.2 or 6.2.1 and ePO v4.6 (or 4.5), and when the account was moved in AD, the user was unable to logon to their encrypted machine and they had to be re-added as an encrypted user (with their new distinguished name path to the new OU). Not sure if this was a definite issue with either ePO or EE v6.

So if anyone has any information from previous experiences or can give me a definitive answer that would be much appreciated.

Many thanks

Jane

8 Replies
SafeBoot
Level 21

Re: Moving assigned encrypted users to a different OU in same AD - can they still logon?


I am almost 100% sure your existing users will be able to login while the existing Domain/Group structure remains valid - If nothing changes for them, then nothing will change.

However, if they get removed from the current domain (or removed from groups etc in the current domain) when they are transferred, then they won't be able to login to their PCs any more as EPO will remove them (as they don't exist any more)

Remember, when you transfer them between domains, you're not teaching EPO about the move - it happens without EPO being aware.

This KC article touches on the topic, but basically says "start fresh".

https://kc.mcafee.com/corporate/index?page=content&id=KB83802

What you basically need is a way to edit the DNs for the users within EPO - I couldn't find an API command to do that in v7 unfortunately though. Something to ask your Platinum support person perhaps? 

jmcleish
Level 13

Re: Moving assigned encrypted users to a different OU in same AD - can they still logon?


Thanks Simon,

That at least gives me some hope (and takes some pressure off me!) while I get around to testing! Luckily we are not changing domains!

Cheers

Jane

SafeBoot
Level 21

Re: Moving assigned encrypted users to a different OU in same AD - can they still logon?


I think your problem will come from group assignments - that's most likely to cause users to be removed from PCs. Individually assigned users <should> be fine since they will be assigned by virtue of their DN, which shouldn't change due to group assignment.

A simple test would be to make sure that's true: check a user's DN doesn't include anything which changes as you move them around in the domain.

jmcleish
Level 13

Re: Moving assigned encrypted users to a different OU in same AD - can they still logon?


Hmmm... but the DN will change when you change OU: CN=TestEEuser1,OU=Users,OU=NCHH,DC=fully,DC=qualified,DC=domain,DC=name, even on individually assigned users, though my testing showed the new DN once I moved an individually assigned user who could still logon.

So I'm confused...

McAfee Employee

Re: Moving assigned encrypted users to a different OU in same AD - can they still logon?


The user is tracked on the client system using the AD GUID for the user. Because these GUIDs are different depending upon the domain there is not a method to update the existing user for Domain 1 with the attributes for the user from Domain 2. This means the users from Domain 1 must be removed and new users from Domain 2 added.

jmcleish
Level 13

Re: Moving assigned encrypted users to a different OU in same AD - can they still logon?


Thanks, but we are not moving domains. The users are just moving organisational units within the same domain.

So if the users are tracked by the AD GUID, then there should be no issue with moving them to a different OU?

Is the linkage between the user and the AD GUID within the DB then? What table is this in? In the MfeEpe log, what GUID is used for the user? Is this specific to ePO, because it's not the AD GUID?

Thanks

Jane

McAfee Employee

Re: Moving assigned encrypted users to a different OU in same AD - can they still logon?


Sorry, I guess I should have read the thread a bit closer. This shouldn't be an issue at all and I have tested this many times. The user will remain assigned and the token will not be reset by moving the object to a different OU in the domain.

The GUID as seen in the MfeEpe.log is the hex version of the user's AD GUID.

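The accepted answer above says the client tracks a user by the AD GUID (shown in hex in MfeEpe.log) rather than by DN, so an OU move inside the same domain leaves the assignment intact. The following Python is an added example, not code from this thread or from McAfee: it shows how the raw 16-byte objectGUID from AD maps to the GUID string and to a hex form, builds the LDAP filter an admin would use to look a user up by that GUID, and simulates an OU move that changes the DN but not the GUID. The sample GUID bytes and the target OU are constructed; the thread does not state which byte order the log's hex uses, so both renderings are shown.

```python
import uuid

# Constructed sample: 16 raw bytes as LDAP returns the objectGUID attribute.
SAMPLE_OBJECTGUID_BYTES = bytes.fromhex("0123456789abcdef0123456789abcdef")

# DN taken from the thread; the target OU below is a constructed placeholder.
ORIGINAL_DN = "CN=TestEEuser1,OU=Users,OU=NCHH,DC=fully,DC=qualified,DC=domain,DC=name"
NEW_OU_DN = "OU=AllUsers,DC=fully,DC=qualified,DC=domain,DC=name"


def objectguid_to_string(raw: bytes) -> str:
    """Render the raw objectGUID bytes as the canonical GUID string.

    AD stores the first three GUID fields little-endian, so the string is not
    a plain hex dump of the bytes; uuid.UUID(bytes_le=...) does the swap.
    """
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def objectguid_to_raw_hex(raw: bytes) -> str:
    """Hex of the bytes in storage order (one plausible form of the log's 'hex GUID')."""
    return raw.hex()


def objectguid_ldap_filter(raw: bytes) -> str:
    """LDAP search filter for this objectGUID; binary values are escaped as \\XX."""
    return "(objectGUID=" + "".join(f"\\{b:02x}" for b in raw) + ")"


def move_user_ou(user: dict, new_ou_dn: str) -> dict:
    """Simulate an OU move: the RDN is re-parented, the objectGUID is untouched."""
    rdn = user["dn"].split(",", 1)[0]
    return {"dn": f"{rdn},{new_ou_dn}", "objectGUID": user["objectGUID"]}


def still_assigned(assigned_guid: bytes, user: dict) -> bool:
    """Assignment check keyed on the GUID, as the accepted answer describes."""
    return assigned_guid == user["objectGUID"]


if __name__ == "__main__":
    user = {"dn": ORIGINAL_DN, "objectGUID": SAMPLE_OBJECTGUID_BYTES}
    moved = move_user_ou(user, NEW_OU_DN)
    print("GUID string :", objectguid_to_string(SAMPLE_OBJECTGUID_BYTES))
    print("raw hex     :", objectguid_to_raw_hex(SAMPLE_OBJECTGUID_BYTES))
    print("LDAP filter :", objectguid_ldap_filter(SAMPLE_OBJECTGUID_BYTES))
    print("DN changed  :", user["dn"] != moved["dn"])
    print("still bound :", still_assigned(SAMPLE_OBJECTGUID_BYTES, moved))
```

Before a bulk move, compare the GUID string of a few users against what ePO recorded for them rather than comparing DNs, since the DN is exactly the attribute the move rewrites.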
jmcleish
Level 13

Re: Moving assigned encrypted users to a different OU in same AD - can they still logon?


Fantastic!

Thanks for this information.
