5 Replies Latest reply on Jan 28, 2009 12:00 PM by DLarson

    AD Password Expiration and Device Encryption


      I'm trying to understand a problem I have with passwords and SafeBoot on a straight XP/AD/Device Encryption system.

      At present:

      User has device encryption

      User gets message saying password is going to expire, user uses CTRL+ALT+DEL to change password, password syncs with Device Encryption on next reboot.

      User's password expires, user changes password, password does not sync on next reboot.

      Why not?

      Kind Regards

        • 1. RE: AD Password Expiration and Device Encryption
          Hi Elric,

          Can you let us know what build of SafeBoot/MEE you're running? Also, are you using the standard MSGINA? When the user's password expires, how are they notified and how are they changing their password? Is this all happening through the MSGINA on the device that's encrypted, or are there 3rd party tools involved in that part?

          Could you post a client log of when the password expires and the user changes it?

          • 2. Reply
            Hi Chris,

            Here's some of the info to be getting on with.

            SafeBoot Client (v5.1.5)
            Safeboot admin (v5.1.5.0)

            The MSGina is the standard Windows XP one; they are notified by the standard Windows password message "Your Password Has Expired and must be changed". User does the usual new password, confirm password.

            No other third-party tools are being used other than the SafeBoot Device Encryption.

            I'll post a log of an expired password when I get one (will be Monday now).

            Thanks for the prompt reply.

            Kind Regards

            • 3. RE: Reply
              Did you check the machine settings for synching passwords or usernames must match (whatever the correct verbiage is, at home now)?

              Also, does your SafeBoot username exactly match your Windows login? If using UPN, read the other articles on this forum.
              • 4. reply
                Yep, the username must match the Windows user name. This is done via the AD connector, so the user is permissioned to a specific usergroup within AD which ties in via a corresponding group in SafeBoot.
                • 5. RE: reply
                  We need to see the client log from a system when this happens. I want to see if the client log shows the "sending local token changes to database" and "sending local SSO changes to database". If both of these are present and the client *still* doesn't take the new password, then we have a real problem.

                  We also need to know exactly which Windows Logon options you have checked in the Machine properties. Finally, we need to know if this is a Vista or XP machine. If it is Vista, SSO will only work if you have ALL Windows Logon options checked.