erniev74
Level 7

Password Change after a Support Call

Hi Everyone!

I have a question I haven't been able to find anywhere in McAfee Endpoint Encryption Documentation. Maybe you can guide me on the right document or a simple explanation would suffice.

When a user calls the helpdesk because he forgot his password, the helpdesk goes to Active Directory and resets this password. After this happens, if the user restarts the machine, EEPC will request the old password. But after a while the password gets synchronized. What is the trigger that makes the password sync? Is it something server side or client side?

The second question would be, what is the right process for an admin to change a user's password?

Thanks in advance for your responses!

0 Kudos
16 Replies
erniev74
Level 7

Re: Password Change after a Support Call

This is EEPC 6.2

0 Kudos
mat.kordell
Level 12

Re: Password Change after a Support Call

1) Passwords sync via McAfee Agent communication (ASCI).  If the user is stuck at pre-boot authentication it will never sync.  This will change in version 7 on systems with specific Intel CPUs through the use of McAfee Deep Command.

2) Follow the recovery procedures appropriate for your setup in section 8 of the product guide: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23743/en_US/...

0 Kudos
erniev74
Level 7

Re: Password Change after a Support Call

Hi, thanks for your answer to the first question.

About the second question, the question goes more into how I change the Windows password as a domain admin and make sure it syncs to the EEPC. Because the behavior we are seeing after a password change in the domain is erratic. It does not sync immediately; I have to reboot twice for the EEPC to sync the Windows password again. Is there a right procedure to ensure the sync happens?

0 Kudos
mat.kordell
Level 12

Re: Password Change after a Support Call

It should sync with EEPC upon login then be written to the PBFS (pre boot file system) after the first ASCI, which I believe is 5 min by default.  To make things happen immediately I open the agent monitor and run the top four buttons, send events, collect all props etc.  I'm sure you don't have to press all four but doing so actually makes some things happen twice in case something required sending an event on one ASCI and receiving a task on the second or whatever.  Anyway, it gets the job done.  If doing it remotely, run agent wake up with force send all props.

Be sure to open the encryption monitor so you can see when it has finished updating PBFS, it will say "enforcing policies" when it's done.  Or wait at least 1-2 minutes after the ASCI/wakeup to reboot.

0 Kudos
Timmah
Level 11

Re: Password Change after a Support Call

Hi there!

AD passwords and EEPC passwords are disjoint. The only time they might get synchronized is if you use SSO. Are you using SSO?

Cheers,

Tim

0 Kudos
erniev74
Level 7

Re: Password Change after a Support Call

Yes I am using SSO!

I am going to try to click the four buttons to see if it works, though I believe I have tried this before.

0 Kudos
dwebb
Level 12

Re: Password Change after a Support Call

The key thing to understand here is that Windows will *not* inform EEPC about any password changes made at the AD server, and thus we cannot sync Windows user passwords to EEPC passwords when the password change is made at the server.  This is for security - I am sure that you would not wish AD to broadcast your new password to anyone that asked for it :-)

In contrast, when the Windows password is changed at the client (perhaps through Ctrl-Alt-Delete, for example), the Windows client does notify us of the new password and we can then synchronise this password across into the EEPC password for the user.  Since EEPC runs in the system context on the client, Windows will allow this to happen.

Thus:

Password change at AD:          Sync from Windows user->EEPC user is not supported

Password change at client:       Sync from Windows user->EEPC user is supported

I hope this clarifies things for you.

0 Kudos
mat.kordell
Level 12

Re: Password Change after a Support Call

Um... That's not true...  It syncs all the users/groups that you specify in ePO...

0 Kudos
dwebb
Level 12

Re: Password Change after a Support Call

Hi Mat, we don't sync passwords from AD since there is no way to do so.

0 Kudos