I am hoping there is a way around this... I'm using EE 6.0.2 and if in AD I move an encrypted PC to another OU (user switches departments, etc.) and sync my AD, the next time pre-boot is presented on that PC, that user cannot log in. I get an unknown user message. If I check the PC in EPO, the encryption user list for the PC is blank.
I do not have the 'Add local domain users' option checked in the policies. Not sure if this is the solution or if there is another way to stop the users from being removed, in effect causing the user to have to re-enter their security questions, etc.
Message was edited by: Jack Siergiej on 12/3/10 2:27:33 PM CST
I've had a number of issues with machine accounts dropping users, with unfortunately little progress in resolving other than to not sync with AD. Selecting the option you mention should resolve the issue, but I recall that doing so and adding users manually causes issues as well. Unless McAfee has a solution, this is a significant issue with this product.
Unfortunately, selecting the "Add Local Domain Users" option does not resolve the issues. Yes, it puts the users back, but not after removing them following the AD sync. The fact that it's a "re-add" of the users causes them to have to put in the default password again and redo their security questions.
I will be calling in on this on Monday. This is just another one to add to the ever growing list.
Message was edited by: Jack Siergiej on 12/6/10 7:30:48 AM CST
Any updates Jack? Unfortunately I was never able to make any progress on this issue other than to stop syncing AD, which I don't plan to do forever but can't much help right now. If you're able to discover anything I'd be most interested to hear about it.
Going through McAfee support now. I actually have a Tier III rep assigned to me due to all the issues I have found with the software that have ended up going to Tier III. I just got off the phone with my account rep and this one is getting escalated as well.
I initially got a response from the Tier I tech stating that he discussed the matter with Tier II and they said it was "Normal" operation that after a machine is moved in AD, the sync deletes the machine from the old location and re-adds it to the new location in EPO. This, as you know, removes the encryption users and causes login issues. He said they were looking at changing it in EPO 4.6, but who knows when that will be released.
I told him that this behavior is not normal and should not be seen as such. It is a major issue that needs to be escalated to Tier III for a patch, since the AD sync is basically useless when combined with EEPC and can cause some real problems if a number of PCs are moved around. So we will see where this goes, because I do not plan on stopping the sync and manually creating machines in EPO and AD. That's just unacceptable.
Message was edited by: Jack Siergiej on 12/7/10 9:00:01 AM CST
Here is the rundown:
The initial problem of moving the computer in AD and not deleting the users was addressed and resolved (somewhat) in EPO 4.6. However, the issue was not completely fixed. If you move a computer "up" in the AD tree, nothing happens (which is great), but if you move the computer down in the tree, the computer is deleted / re-added and users are removed. So, machines moving from a lower point to a higher point are not affected, but vice versa the users are still deleted.
I got this response from McAfee just this past Monday (8/08/2011):
"Currently engineering is working on a fix for this issue. We are expecting a fix to make it into ePO 4.6 Patch 2. But if those timelines change we will let you know."
The suggested workaround is to change the setting "Delete the systems from the System Tree" to "Leave the systems in their current location in the System Tree". This will prevent the machine from being deleted and will move the system to its new location. Note: Systems that have been removed from AD will not be removed from the system tree unless a cleanup task is run.
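As an added example (not code from the thread, from McAfee, or from ePO itself), the following Python script models the behaviour reported above so an administrator can pre-screen a batch of AD computer moves before running the ePO AD sync: it parses each computer's old and new distinguished name, classifies the move as "up" (destination OU is an ancestor of the source OU), "down" (destination is beneath the source) or "lateral" (neither), and flags which systems would be deleted and re-added, losing their EEPC users, under the default "Delete the systems from the System Tree" setting. The interpretation of "up" and "down" as ancestor/descendant OU relationships, the conservative treatment of lateral moves as at-risk, the `sync_action` parameter names, and the sample DNs are all assumptions made for this example.

```python
"""Pre-screen AD computer moves for the ePO 4.6 AD-sync behaviour described in the thread.

Assumptions (not from the thread): "up" means the destination OU is an ancestor of the
source OU, "down" means the destination is beneath the source, and anything else is
"lateral". The thread only reports "up" as safe, so lateral moves are treated as at-risk.
"""


def dn_path(dn: str) -> list[str]:
    """Split a distinguished name into its RDNs, root first, lower-cased for comparison.

    Handles backslash-escaped commas (e.g. 'CN=Smith\\, John') but not every LDAP escape;
    that is enough for typical CN/OU/DC names.
    """
    parts, cur, escaped = [], "", False
    for ch in dn:
        if escaped:
            cur += ch
            escaped = False
        elif ch == "\\":
            cur += ch
            escaped = True
        elif ch == ",":
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    parts.append(cur.strip())
    return [p.lower() for p in reversed(parts) if p]


def container_path(dn: str) -> list[str]:
    """The OU/DC chain that contains the object, i.e. the DN without its leaf RDN."""
    return dn_path(dn)[:-1]


def move_direction(old_dn: str, new_dn: str) -> str:
    """Classify a move as 'none', 'up', 'down' or 'lateral' (see module docstring)."""
    old, new = container_path(old_dn), container_path(new_dn)
    if old == new:
        return "none"
    if len(new) < len(old) and old[: len(new)] == new:
        return "up"  # destination is an ancestor container of the source
    if len(new) > len(old) and new[: len(old)] == old:
        return "down"  # destination is nested beneath the source container
    return "lateral"


def will_drop_users(old_dn: str, new_dn: str, sync_action: str = "delete") -> bool:
    """True if, per the thread's report, the AD sync would delete and re-add the system.

    sync_action is a hypothetical name for the ePO AD-sync setting:
      'delete' = "Delete the systems from the System Tree" (the behaviour reported)
      'leave'  = "Leave the systems in their current location in the System Tree"
                 (the suggested workaround, which moves the system instead of deleting it)
    """
    if sync_action == "leave":
        return False
    return move_direction(old_dn, new_dn) in ("down", "lateral")


# Constructed sample input: (computer name, DN before the move, DN after the move).
SAMPLE_MOVES = [
    ("PC1", "CN=PC1,OU=Sales,OU=Workstations,DC=corp,DC=example",
            "CN=PC1,OU=Workstations,DC=corp,DC=example"),            # moved up
    ("PC2", "CN=PC2,OU=Workstations,DC=corp,DC=example",
            "CN=PC2,OU=Finance,OU=Workstations,DC=corp,DC=example"),  # moved down
    ("PC3", "CN=PC3,OU=Sales,OU=Workstations,DC=corp,DC=example",
            "CN=PC3,OU=Marketing,OU=Workstations,DC=corp,DC=example"),  # lateral
    ("PC4", "CN=PC4,OU=Sales,OU=Workstations,DC=corp,DC=example",
            "CN=PC4,OU=Sales,OU=Workstations,DC=corp,DC=example"),    # unchanged
]


def at_risk_systems(moves, sync_action: str = "delete") -> list[str]:
    """Names of systems whose EEPC users would be removed by the next AD sync."""
    return [name for name, old, new in moves if will_drop_users(old, new, sync_action)]


if __name__ == "__main__":
    for name, old, new in SAMPLE_MOVES:
        print(f"{name}: {move_direction(old, new):7s} at-risk={will_drop_users(old, new)}")
    print("At risk with default setting:", at_risk_systems(SAMPLE_MOVES))
    print("At risk with workaround:     ", at_risk_systems(SAMPLE_MOVES, "leave"))
```

Run it against a real list of pending moves (for example, DNs exported before and after an OU reorganisation) to decide whether to switch the sync setting or stage the moves before the next sync runs.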