I'm starting a rollout of EEPC 6.1.3 and am getting a bit confused concerning Users and Group Users. Here is the scenario:
Our ePO directory is set up by our organization's departments. (For instance, all machines in Accounting are in a group called ACCT.)
Rollout will involve 50 laptops. 40 of these are in one department which will have multiple users logging into each. Some users will be attempting to log in while not on the network. The remaining 10 will be on laptops in various departments and should only have one user logging into each. The rollout will be a very "hands on" event, with our Desktop Support staff assisting with each laptop.
I've checked the EE components into ePO, registered my AD domain controllers in ePO, created a daily sync task, and set up the Product Settings Policy and the User Based Policy as per the Best Practices guide. I've also created two "deploy" tasks: one to install the Agent and the other to install the software. I've created a Tag (EEPC Deploy) which I will manually assign to each of the 50 laptops. This same Tag I'm using in the two Deploy tasks to ensure that EEPC will only be installed on the proper systems.
I've created a new AD group (EEPC) with the thought of putting all end users of these 50 machines in it and then assigning this group to the root of my ePO tree which will propagate down through the rest of the tree. My reasoning is that the end users should then be "users" of their laptop regardless of where the laptop is in the ePO tree. (I've tested this on one laptop with my own and a colleague's domain account and it seems to work fine.)
I thought I was doing pretty well with this scheme until I read the following in the Best Practices guide (also repeated in the Unofficial Quickstart Guide):
Group Users are EEPC user accounts that will be provisioned to every encrypted machine. These are meant as admin accounts that can be used for troubleshooting or support. In this example, they are essentially back door accounts that can log in to any system that you encrypt. For production, we would not recommend having back door accounts but it tends to make things easier during an evaluation or proof of concept.
Further research seems to indicate that most people add Users right at the machine level. This seems like a lot of work. What am I not understanding? How can I make this rollout better, or more efficient?
Thanks in advance!