11 Replies Latest reply on Feb 11, 2010 9:17 AM by hasi99

    Force Synching Password

      We have a website for users to do a self-service password-reset of their AD accounts. Whenever this is done, I would like to synch this new password with the user's (local) SafeBoot password. I can use the "ResetPassword" API (initiated from our website) to set the password on the SafeBoot server itself, but how do I get this changed password (immediately) to the client? Yes, I know that I could wait for the client to synch (eventually), but this will cause problems if the user logs off before this synch takes place.

      It looks like the only script option for this type of synchronization is initiated from the client (using ForceSynch). Is it possible to do this through the server itself?

      So basically, I am looking for the same functionality that I get by right clicking on the machine in Encryption Manager and selecting "Force sync" (that is, initiating the synch from the SB server vs. from the client).

      Ideas?
        • 1. RE: Force Synching Password
          Hmm, haven't looked into it (no SB/EE environment at home), but if you can dump the list of machines the users are assigned to, you could script (Altiris, SMS, PSExec, etc) a solution where you'd force the computer to run ForceSync?

          I'll play tomorrow to see if there might be a better idea :)
          • 2. RE: Force Synching Password
            Sorry, I don't see anything else in the docs that might help force the sync down from server side. I think you're looking at a client side ForceSync to accomplish this - you've just got to engineer the solution that triggers it.
            • 3. RE: Force Synching Password
              There is not currently a product feature for this. The only way you could do it would be to somehow detect the change on the client (perhaps a bit gets flipped in the registry) and check for that change in a programmatic way (maybe a logoff script). The script would have to call our ForceSynch command, as you rightly suggest.

              I have had some customers implement a logoff script that does a ForceSynch on shutdown. This adds more value than just catching password changes; it makes for more accurate reports and ensures policy changes are actually enforced.

              I suppose you could reduce the risk by simply modifying your sync interval. How many clients do you have?
              • 4. RE: Force Synching Password
                5000+.

                Actually, I am thinking that adding it to the logoff script might just do the trick. Not ideal, but workable. But I am wondering if the "Friday Syndrome" might overtax the server (that is, everyone leaving at the same time at 5:00 and trying to synch at logoff). Much the same way that the synch is delayed in the morning to avoid such a scenario.
                • 5. RE: Force Synching Password
                  from your website, how will you know what client to sync the new password to?

                  from the IP address of the connection?

                  if you do know the machine name, use something like sysinternals psexec to simply run a force sync on that box?
                  • 6. RE: Force Synching Password
                    Spolok, what is your sync interval set to? Also, how many users are assigned to each machine?
                    • 7. RE: Force Synching Password
                      Hmmm, hadn't really thought of how we would get machine name. Could we perhaps dump the user audit and see which machine was last logged into successfully?

                      Synch interval is 120 minutes. Most of our machines will be 1 user per machine (at least for the sake of this discussion...) ;)
                      • 8. RE: Force Synching Password
                        if the machine didn't sync yet, then you won't be able to tell from the user audit which machine they are working from. Not with any certainty anyway.

                        Best to look up their IP address from the connection I think. psexec should be able to handle \\ip notation?

                        of course you could always use client side scripting - you might need to sign it etc to get the client browser to accept it but that might be even easier?
                        • 9. Re: RE: Force Synching Password

                          Hi,

                          Newbie here. You mention in this thread that you have customers who have a logoff script to do a ForceSynch on shutdown. Can you give me any guidance as to how I might achieve that, please?

                          We are currently running 5.1.8 EEPC.

                          Many thanks.
