I think that the issue you will need to overcome is the partition size to host that number of users.
Secondly, the logon times will be measured in days.
We have some devices with 300-500 users total on them. They take minutes to get to the Windows logon screen, and we are using 6.1; with 6.0 it was still longer.
Are you using the newest processors? If so, they may help; some of the marketecture shows faster performance with logins.
And don't forget that you will need to sync those people's credentials at 100/cycle, so that's 25 cycles. How often are passwords, resets, users, and how often are you syncing?
Support blanched when we would say we had 300 on a machine.
We're trying to get over 1000 for loaner laptops and conference room laptops. No dice. Support said no, yet I've read where others do it even with the 20MB PBFS. I increased to 100MB and let the PC stay on over a 4 day weekend. Even did several manual collect and send props. Different results on two different, identical laptops. I'm just giving up and we're going with desktop in those areas - not sure what we're going to do with loaner laptops since policy requires PBA. Also, support starts to squawk when we get over 300 or so users, why do they put the option to add users by OU? Not "too many" OUs in an enterprise environment with < 300 users, maybe some. I at least feel that there should be a MAX user limit in some type of text on the Add Users page. They shouldn't have to wait for an Enhancement Request for this.
I would recommend that if you are not using smartcards, remove the certificate sync from the LDAP sync task (set the field to empty). You may have certs in AD which are being pulled across and are stored in the Preboot filesystem yet add no value (certs are only required for smartcard authentication). This should mean that you can squeeze a lot more users into a 20MB PBFS.
I would also be interested in more details on the time-to-windows-logon with a large number of users... is the bulk of this time getting through the preboot process, or is the bulk of the time after Windows has started up but before the login prompt is displayed?
Also removing unwanted self recovery questions from the User Based Policy will also increase the number of users that can be stored in the PBA.
I feel your pain on the loaner PCs and classroom PCs. They are classic problems for full disk encryption + pre-boot authentication technology. I would recommend instituting a process for the loaner laptops whereby the systems have pre-boot auth enabled but have to call the helpdesk to get provisioned to the system.
The process would go like this:
- User boots loaner laptop
- User is stuck at pre-boot screen, but the logon message tells them to call the helpdesk to get provisioned
- Helpdesk then does a boot once recovery to get them into Windows
- Helpdesk uses ePO to provision the new user, then wakes up the agent to push the new user down
- End user views the EEPC status screen to validate the sync completes
- User is now provisioned
There are some cool things we could do to solve this with our forthcoming Intel integration. Since that will give us a network stack in the pre-boot environment, we could push the user down without having to first do a challenge response to get into the OS. Or at the very least, we could eliminate the challenge response from the process and instead do an immediate boot once, like in this demo http://www.youtube.com/watch?v=vwvvXslyZ2A. In fact, you could automate the whole thing if you used the ePO 4.6 web API to pre-provision user accounts in ePO. Then when the system got to pre-boot it could query ePO (using the new network stack from Intel) to see if any new users were assigned. Oh that would be cool! Of course, this Intel stuff is not out yet and this is in no way a commitment to deliver that - I just want to show what would be possible.