Our security dept sees this scenario as a possible issue.
Our Encryption policy is set to enable SSO, Must Match User name, and Synchronize EEPC password with Windows.
We currently don't set password rules, because the intent is to use the AD domain password which already has restrictions.
So the user boots up to the PBE, and decides to change his/her password to something other than their current domain password. They use this new password, and, I would expect, since it is now different from their domain password, that SSO would fail. It does not: the user goes right into the desktop with access to all AD resources without ever having to enter their domain password!
I think you can see why this might be cause for concern. To make matters worse, this "new" non-AD password the user has created gets stored in EPO, and is now available at ANY encrypted PC the user is authorized at.
Is there a way to defeat this? Apparently, if you change your password in Windows, it synchronizes with EPO but not the other way around. If only there were an option to remove the Change Password option at the PBE (except for the recovery process, of course).
What is the solution to this dilemma?
You can disable password change in the PBA - that's one of the standard policy options (prevent change).
The problem you are seeing is because EEPC keeps the Windows creds and EEPC creds separate - they can quite happily be different, and many customers rely on that.
EEPC only ever syncs Windows password changes to EEPC, never the other way around.