We have a couple groups in the global groups ou that we sync with the AD import tool.
We put users in the groups as they are assigned laptops.
For disabled users, when the AD account is disabled, safeboot picks that up the next time it syncs.
I thought this was supposed to be the case, but this doesn't happen for me. I'll have to check out why.
Sorry, this does happen for me - I'm not sure what made me think it wasn't happy
We had recently done a migration / import of an AD domain for a plant in Mexico. Everything went fairly well.
A few weeks later, all the safeboot users from that plant were calling in saying that they could not log in. It took us a few hours to track down that the admin in the old domain would expire accounts every 60 days, and every 45ish days would just move the expire date out another 60 for employees that were still employed. It was his 'auto disable' routine.
That's when we figured out that safeboot pulled in the 'disabled' status from AD.
Best practice (for speed anyways) is, from what I've been told, to sync against groups and not OUs. Just importing users that actually need encryption saves licenses as all accounts (both computer and user accounts) take up a license whether in use or not.
On which builds are the disabled users not being treated as disabled by Endpoint Encryption?
Turift - it is happening for me. I went to check and didn't read the property correctly. Active Directory has "This account is disabled" which is checked, and then looked in M.E.E. and didn't see the check, but the phrase is opposite (you check to Enable, not to disable), so I was just temporarily confused :)
But disabled accounts obviously take up a license, too. I'll probably come up with some process where we audit accounts and if they've been disabled longer than some period of time we'll remove them from the OU or Group for Endpoint Encryption in AD and delete the object in the console.
If you can't find a good OU or Group to find your valid encryption users, you could look for a way to exclude people that would never use one. Something like (|(EmpStatus=Contractor)(AccountStatus=Retiree)). You may have to make adjustments for AD, as we use a generic LDAP connector.
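As an added illustration, and not code from anyone in this thread or from the Endpoint Encryption product itself, the Python below does two things the thread talks about: it builds the "group members minus people who never need encryption" LDAP filter suggested in the last post (wrapping the poster's `(|(EmpStatus=Contractor)(AccountStatus=Retiree))` in a `!` so it excludes rather than selects them), and it runs the audit described a few posts up, flagging accounts that have been disabled for longer than a chosen number of days so they can be removed from the sync group and deleted from the console. The group DN, the handful of directory entries, the `EmpStatus`/`AccountStatus` attribute names (taken from the post; they are not standard AD attributes) and the use of `whenChanged` as a proxy for "when was this account disabled" are all assumptions for the example. Values placed into the filter are escaped per RFC 4515 so a group name containing `(`, `)`, `*` or `\` cannot change the meaning of the query.

```python
from datetime import datetime, timedelta, timezone

# Documented AD userAccountControl bit: "This account is disabled".
ACCOUNTDISABLE = 0x0002

# Assumed group DN for the example; adjust to your own OU/group layout.
GROUP_DN = "CN=SafeBoot-Laptops,OU=Global Groups,DC=example,DC=com"

# Constructed sample entries (not real accounts). EmpStatus/AccountStatus are the
# custom attributes from the post; userAccountControl and whenChanged are AD-style.
USERS = [
    {"sAMAccountName": "alice", "userAccountControl": 512, "EmpStatus": "Employee",
     "whenChanged": "20240110000000.0Z", "memberOf": [GROUP_DN]},
    {"sAMAccountName": "bob", "userAccountControl": 512, "EmpStatus": "Contractor",
     "whenChanged": "20240115000000.0Z", "memberOf": [GROUP_DN]},
    {"sAMAccountName": "carol", "userAccountControl": 514, "EmpStatus": "Employee",
     "whenChanged": "20231001000000.0Z", "memberOf": [GROUP_DN]},
    {"sAMAccountName": "dave", "userAccountControl": 514, "EmpStatus": "Employee",
     "whenChanged": "20240220000000.0Z", "memberOf": [GROUP_DN]},
    {"sAMAccountName": "erin", "userAccountControl": 512, "AccountStatus": "Retiree",
     "whenChanged": "20240201000000.0Z", "memberOf": []},
]


def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_sync_filter(group_dn):
    """Filter: user objects in the sync group, minus people who never need encryption."""
    return (
        "(&(objectCategory=person)(objectClass=user)"
        "(memberOf=%s)"
        "(!(|(EmpStatus=Contractor)(AccountStatus=Retiree))))"
    ) % ldap_filter_escape(group_dn)


def parse_generalized_time(value):
    """Parse the AD GeneralizedTime form 'YYYYMMDDHHMMSS.0Z' into an aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.0Z").replace(tzinfo=timezone.utc)


def is_disabled(entry):
    return bool(entry["userAccountControl"] & ACCOUNTDISABLE)


def never_needs_encryption(entry):
    """Python equivalent of (|(EmpStatus=Contractor)(AccountStatus=Retiree))."""
    return entry.get("EmpStatus") == "Contractor" or entry.get("AccountStatus") == "Retiree"


def sync_candidates(entries, group_dn):
    """Names the sync tool would import: group members not matched by the exclusion."""
    return sorted(
        e["sAMAccountName"] for e in entries
        if group_dn in e.get("memberOf", []) and not never_needs_encryption(e)
    )


def stale_disabled(entries, now, max_days=90):
    """Disabled accounts whose last change is older than max_days: candidates for
    removal from the sync group and deletion from the console (frees a license)."""
    cutoff = now - timedelta(days=max_days)
    return sorted(
        e["sAMAccountName"] for e in entries
        if is_disabled(e) and parse_generalized_time(e["whenChanged"]) < cutoff
    )


if __name__ == "__main__":
    now = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed "today" for the sample
    print(build_sync_filter(GROUP_DN))
    print("would sync:", sync_candidates(USERS, GROUP_DN))
    print("disabled > 90 days:", stale_disabled(USERS, now))
```

Note that `carol` and `dave` still appear in the sync list even though they are disabled: that matches what the thread observed, the import pulls the disabled flag through rather than dropping the user, which is exactly why a separate stale-account audit is needed to reclaim licenses.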