This content has been marked as final. Show 16 replies
Are your users changing their passwords by doing a ctrl+alt+delete and then selecting change password?
Or are they actually logging into windows with the new password?
I think, someone correct me if i am wrong, that SafeBoot only recognizes the new password once windows has been authenticated with the new password.
So for instance. If you have a user setting at the windows login prompt and you change their AD password and then they login to windows with the new password SafeBoot should see that and make the appropriate changes.
If you are already in windows, and you change their password in AD or by the ctrl+alt+delete and then selecting change password method you will need to actually log out and then back in again with that new password before safeboot will see the change.
Again, its been a while since i have setup SSO so someone correct me if i am wrong.
We have similar symptoms even when a user changes password when prompted by AD password expiry. Despite subsequent reboots etc the previous Safeboot password remains "stuck".
We also have same issue occasionally when the AD password is changed on another non safeboot machine or outlook webmail. But sometimes this works ok.
The only workaround is to reset SSO within Safeboot or sometimes we have found that forcing an AD password reset again works.
We are running 5.1.2 build 5130 so I am hoping that this issue will be corrected when we upgrade.
OK so i have been doing some testing. This is what i have come up with.
Check: Set Endpoint Encryption Password To Windows Password
Check: Windows Username must match
** If you login to SafeBoot with password1 and then your windows account is flagged to change password on next login and you change your windows password to something different it should automatically change SafeBoot to the same thing instantly.
** If you use the ctrl+alt+del and then choose change password from within Windows the SafeBoot password will not be changed until the next time you reboot, login to SafeBoot with your old password, and then login to Windows with you new password. After this extra reboot step your passwords will match again.
** If you login to SafeBoot with Password1 and then you call your help desk to have your windows password changed to Password2 and then login to Windows with Password2 your SafeBoot will not match until you reboot again, login to SafeBoot with Password1 and then Windows with Password2. After that step, your passwords will match again.
** If you are all the way into Windows and you for some reason would like your password to be changed to something different and call the helpdesk to have this accomplished and they change your AD account, the same steps as the last two bullets apply. you still have to reboot, login to SB with old password, login to Windows with new PW and then at that point you should be matching again on your next reboot.
It appears that the only REAL way to make this efficient is if your account expires and windows forces you to change your PW, at that point it works automatically. Any other method of changing your windows password requires that you reboot, login to Sb with old PW and then into Windows with new PW before they will match. A simple logout of windows and back in does not do the trick.
on a side note, changing your Windows password via OWA or on another machine is not quite the same. The change still must be made on the computer you are working on with SafeBoot before any real changes are made for that particular computer.
mwilke, I agree with all that you say, this is the way it should work.
Our experience is that on random occasions with different users & differenet machines despite numerous reboots sometimes the safeboot password will not sync to the AD password.
User error... has to be. The software doesnt work one way half the time and another way the other half of the time.
Here is what to remember.
When your first boot your laptop, and you first get to your windows logon box, if you logon right there and right there only with a password different than what you just logged into safeboot with, the change happens instantly and automatically.
The ONLY place safeboot flags this change is on the original first boot windows logon box.
If you change your windows password anywhere else, it doesnt take effect until you reboot, and login to windows from the start with the new password.
If you are having issues with only a handful of people, then those people are probably doing something wrong.
it is a very specific thing and unfortunatley there are a zillion different ways to reset windows passwords. It would be nice if SafeBoot could be flagged anytime and anywhere the windows password was changed but to my knowledge there isnt such a thing.
What do you do if a password expires and SafeBoot won't allow the user to login to Windows (SSO is on) to change their passsword? The user has changed their password in AD and rebooted their machine but since he can't log in as himself within SafeBoot it's not updating. Never seen this behavior before. He's tried both he old password and the new password.
mwilke, well if its user error then I'm one of them as its happended to me & at least 2 of my colleagues in IT !
I am not sure what you mean by safeboot not allowing the user to login to Windows? Are you saying the SB password expired and the user cant get passed the SB login or they get through SB and Windows SSO is failing due to the passwords not matching?
Could it have anything to do with your user properties password template? Are you using windows content rules there or do you have something different than windows?