5 Replies Latest reply on Jan 23, 2009 11:09 PM by mrgui

    AD and Password sync

      This may be a simple question but here goes anyway. If the object database uses the Active Directory connector, will the password sync as well? For example, when user A changes his Windows password on a desktop not using SafeBoot, then later logs into his laptop, will single sign-on work (assuming the laptop is in contact with the object database)?
        • 1. RE: AD and Password sync

          Hi LMS44 - welcome to the forums. The password will never synchronize between AD and SafeBoot. If configured to do so, the password will synch between the SafeBoot client and the SafeBoot database, however. The benefit of this is that if you encrypt another system for the same user, it'll bring down his "current" password and not reset it back to 12345 or your specific default on the new system. If the user has multiple encrypted systems, it will keep those in synch, so long as they're on the network to get the updates from the SafeBoot Database.

          The downfall is that if a user uses a system and then doesn't get back to it for 180 days or so, he may not remember his "old" password, and it won't be using the AD password either. It all depends on your environment.
          • 2. RE: AD and Password sync
            The AD connector can't sync the user's password; for a start, the AD doesn't know what it is (only a one-way hash, which is not accessible anyway).

            So no, if you change your password on a client without Endpoint Encryption for PC's on it, the system won't know about this change until SSO fails (with the wrong credentials). THEN we'll pick up the change.
            • 3. RE: AD and Password sync
              Thanks for the information. It is a problem with us as we have about 50 users that have laptops as well as desktops. The laptops only occasionally connect to the network, and since we are required to change passwords every 60 days, the passwords are always out of sync. We added local accounts on the laptops as a stopgap measure but obviously that is not very secure. Sounds like this would exacerbate our problem.
              • 4. RE: AD and Password sync
                It's a shame you don't use any third-party password sync tools - most of them have hooks that can be used to change the EEPC password as they go.
                • 5. RE: AD and Password sync
                  You could also upgrade to build 5500. It has an offline "self recovery" where they can answer their own questions (favorite food, high school, first dog's name, etc).