14 Replies. Latest reply on Sep 13, 2011 2:58 PM by victoria77

    Provisioning Users to Machines in EEPC 6.1

      I am having some difficulty provisioning users to machines in EEPC 6.1.  Most of the machines I am setting up are loner laptops.  These machines require access for:

      1) the user

      2) administrators

      3) IT Security (will use admin recovery for this)

       

      I have set up EEPC according to the instructions in the unofficial quickstart guide and have also read DLarson's "How to Provision Users to Machines in EEPC v6".  In that blog it states that loner laptops will require a different provisioning strategy than is recommended in the blog, but does not suggest what that strategy should be. 

       

      There are 3 ways to provision a user to a system:

       

      1) Individual assignment via the Encryption Users screen in ePO - using the password in the User Based Policy

       

      2) Group Users assignment via the Encryption Users screen in ePO - using the password in the User Based Policy

       

      3) Automatically add users found on the endpoint via the Add Local Domain Users policy option in the product settings policy - this seems to only work for users that are currently logged in or have been logged in and does not appear to work if you add a group of users.  If I add a user account to the admin group on the laptop and do not log in with it before encrypting, I am unable to log into the system with this account after the system is encrypted.  Is that how it is supposed to work?

       

      My problem is this -- if I use option #1 and #2 for the users and admin, they have the same password.  It is a problem to have 20 administrators with the same password and unlikely to be able to get them all to log in to change it for every system.  Option #3 will not work for groups of users and I would have to get the user to log into the laptop before encrypting in order to have their account added.

       

      How is everyone else provisioning user accounts in EEPC?  Am I missing something?  Any help would be GREATLY appreciated.

       

      Thanks!

        • 1. Re: Provisioning Users to Machines in EEPC 6.1

          you are missing something

           

          all your machines are going to talk to each other and exchange password change information - so once someone changes their pwd on one machine, it will tell all the others about the change.

          • 2. Re: Provisioning Users to Machines in EEPC 6.1

            Thanks for your quick reply.  I feel like I am missing a lot.

             

            But in order for what you said to work, everyone in the group users and individual users will have to change their password on at least one machine before their password is no longer the one in the user based policy?  I don't want anyone to be able to log in as someone else because they know what the default password is.

             

            Could you confirm (or deny) that what I have found about the add Local Domain Users  is true (or false)  - if you add an account to a system before encrypting, but do not log in, then encrypt, you will not be able to log in with this account?  I am wondering if this is the design or if there is something wrong with my set up.

             

            Thanks!

            • 3. Re: Provisioning Users to Machines in EEPC 6.1

              yes, you have to change your password before it's not the default - that's what happens in any password based system?

               

              no, what you've found should not be true - what error message did you get?

               

              I think it would be best if you got your professional services team back in to help you set things up properly - it would seem like they left without really handing over all the knowledge you need?

              • 4. Re: Provisioning Users to Machines in EEPC 6.1

                I have changed the password so it is not the default, but everyone added using group users and individual users via the Encryption Users screen in ePO will still have the password that is set in the user based policy, correct?

                 

                The error message is Error EE050002 Unknown User.

                 

                We have not been using a professional services team.  Maybe we should.

                • 5. Re: Provisioning Users to Machines in EEPC 6.1

                  the error simply means you're typing a user name not recognized by the system, so either it's not an assigned user, or you set up your AD interface to import the user using some other format of their name like lastname, firstname etc.

                  • 6. Re: Provisioning Users to Machines in EEPC 6.1

                    The user names are in the administrators group on the system and are valid accounts in AD.

                     

                    If I assign a user using group users and individual users via the Encryption Users screen in ePO I am able to log in, but the accounts I added to the system before encryption (the Add Local Domain Users option is selected) give me the Unknown User Error.  The account I was using to install the encryption software works fine though.  When I registered the AD server and tested the connection it was successful.

                     

                    AD is using samaccountname for the username and display name.

                    • 7. Re: Provisioning Users to Machines in EEPC 6.1

                      I'm not sure how you added accounts to a system prior to installing it? Usually you'd add accounts at a higher level - like an OU level for example and use the policy relationships?

                       

                      the add local domain users (ie, users from the domain who have local cached profiles, NOT Local users) can only be applied after activation, because before then, how would it know who they are?

                      • 8. Re: Provisioning Users to Machines in EEPC 6.1

                        Once again, thanks for your reply.

                         

                        I was referring to adding the local domain accounts to the system before installing EEPC (using My Computer / Manage on the system).  After I added the local domain accounts to the system, I ran the task to install the EEPC agent and then the software.  Once the hard drive was fully encrypted, I rebooted and tried to log in as one of the local domain users.  I got the unknown user error.  I then logged in as myself and verified the local domain users were present on the computer, forced an update on the system from both the system and the ePO console and rebooted again.  I am still unable to log in using a local domain account.

                         

                        The EEAgent does not seem to be collecting the currently/previously logged in domain users information and sending it to the ePO server.


                        • 9. Re: Provisioning Users to Machines in EEPC 6.1
                          whgibbo

                          Hi,

                          You can check to see if the local domain users have been assigned to the machine.  Login to ePO

                          1. Click Menu
                          2. Click Data Protection
                          3. Click Encryption Users
                          4. Navigate the system tree to the required machine.
                          5. Tick the machine, then click actions and view users.

                           

                          If it was added then it will appear in it.