You can't pass it in and out of the preboot as there's no network at that stage.
If you're wanting to automate the password reset, there's a bunch of simple API commands you can use with other password management software to change, recover, manage the endpoint encryption passwords. Your unified password management provider should be able to take them and add support for the encryption passwords into their solution.
You can reset the password locally, boot the machine to pick up a new password (if it can get online), and set passwords for endpoint encryption all through the API. You can even do a local password change if you first recover the machine.
So the flow would look something like this -
1. User has forgotten their AD password which is "dog1" and they are at the Pre-OS screen.
2. At the Endpoint Pre-OS screen they change their Endpoint password to "12345."
3. At this time their AD password is still "dog1" but they would still log into Windows because Endpoint still has the correct password in the local database?
4. The user would reset their AD, Mainframe or AS/400 password to "cat1."
5. Using API connections their Endpoint password would be reset to "cat1" also?
Please pay special attention to step number 3. I tested the self-service password reset and it seemed that Endpoint still had my old AD password. At the GINA, Endpoint must have passed my AD password and let me right into the OS. Is there a way to change the behavior to stop at the GINA if an Endpoint password reset has taken place at the Pre-OS screen? I would not want a user to believe that all/any of their other passwords have been changed since they were logged into the OS with their old/forgotten password.
No, there's no way to do what you suggest with the current product. We assume that the helpdesk will reset the user's AD password if needed at the same time.
Remember, not everyone uses the Windows login options, so we need to keep the two very separate.
I guess the ultimate goal is to reduce the number of steps a user has to take. If they have to call the help desk to reset their Endpoint and AD passwords, it defeats the purpose of self-service resets. From what I can find, most of the calls do not involve Endpoint; rather, they are already at the Windows screen.
One last question. When I used the self-service reset on Endpoint, why did it allow me to pass into Windows and not fail at the login? Is it because my AD password had not changed, only my Endpoint one?
Exactly - EEPC still knew what your (correct) AD password was.
Ok, that makes sense now. Thanks for all your help and keep up the good work!