zarberg
Level 10

Non-domain laptops not picking up local user accounts for PBA


A bit of background:

I work for a state that made an IT policy/law that says any agency mobile device must be encrypted. I have a department head who wants to set up laptops for training purposes only but doesn't want them on the domain (I don't make requests, I'm just forced to follow them). So I have a laptop in a workgroup that's joined to ePO and it doesn't seem to be picking up any of the local users for PBA. What could I be missing?

0 Kudos
11 Replies
SafeBoot
Level 21

Re: Non-domain laptops not picking up local user accounts for PBA


Did you assign any users to the laptop? The "Automatically add domain users" option is not going to work (there are no domain users on a non-domain laptop).

Message was edited by: SafeBoot on 4/10/13 3:22:26 PM EDT
0 Kudos
zarberg
Level 10

Re: Non-domain laptops not picking up local user accounts for PBA


Then I suppose I should ask this:

Can you even add non-domain users through ePO?

Or should I just create a generic domain ID that has no rights to anything else for the purpose of these laptops?

0 Kudos
SafeBoot
Level 21

Re: Non-domain laptops not picking up local user accounts for PBA


No, ePO only supports domain users, so even though the machines are not part of the domain, the users must be, even if they only use their domain identity within EEPC - it's really only so there's some UI to manage them etc. ePO will get user management in EEPC 7.1 etc.

So, you need to add names for your users to your AD, then assign them to machines.

Don't create a generic shared ID - that defeats all the rules of auditability and accountability, plus everyone will end up using the same password (or changing each other's password). Each user must use a unique user ID.

Even though the laptops are for training, I'm surprised the users using them don't have domain user accounts?

Message was edited by: SafeBoot on 4/10/13 3:30:07 PM EDT
0 Kudos
zarberg
Level 10

Re: Non-domain laptops not picking up local user accounts for PBA


Shared usernames and passwords are bad. You know it. I know it. I've told the department head this. I've told (through my boss) his boss this. I've been told to do things this way anyway.

The bottom line is I've been told to set up (against my recommendations) a single username whose password is the same as the username, and I need to/intend to do just that. I'm just trying to find the technical tools to do that.

0 Kudos
SafeBoot
Level 21

Re: Non-domain laptops not picking up local user accounts for PBA


You know that the first time someone changes "their" password on one training machine, it will replicate that out to all the other machines?

0 Kudos
zarberg
Level 10

Re: Non-domain laptops not picking up local user accounts for PBA


I'm quite aware. I've been told to set the passwords to never expire.

Heck, I'm thinking of just asking if I can set the "bypass preboot authentication" option and have it expire in 2097.

0 Kudos
SafeBoot
Level 21

Re: Non-domain laptops not picking up local user accounts for PBA


Why not just do that and add the admins then just as a recovery option? No need to add a sketchy audit-failure user to your domain if you're going to store the key on the hard disk anyway. Your company already gave up safe-harbor protection by not covering the "authentication" clause, so why make life harder than you need?

0 Kudos
zarberg
Level 10

Re: Non-domain laptops not picking up local user accounts for PBA


Yup, already typing up that e-mail as we speak, trying to outline the technical situation in as layman's terms as possible.

Thanks for the info/ideas!

0 Kudos
SafeBoot
Level 21

Re: Non-domain laptops not picking up local user accounts for PBA


You are quite welcome. Good luck! Shame you're not on v7 - then you could look at the reactive-autoboot mode. That would stop people getting access outside your network anyway.

0 Kudos