9 Replies Latest reply on Feb 26, 2013 10:37 AM by SafeBoot

    EEPC Self-recovery?

    sokam

      How to resolve the following scenario in EEPC v6.2.1:

       

      SSO is enabled

       

      1.  User forgets her password and uses self-recovery to reset to a new password

      2.  User locks system to step away from system

      3.  User returns and tries to unlock system using the new password

      4.  System does not recognise the new password

       

      My questions are:

      a).  At what point will this new password in EEPC sync with windows or AD?

       

      b).  How do I resolve this issue?

       

      c). How do other forum users overcome this situation?

       

      Message was edited by: sokam on 04/02/13 06:41:08 CST
        • 1. Re: EEPC Self-recovery?

          Did they reset their eepc password with self recovery, or their windows password? The eepc password will be set to the windows password only during a windows change password event.

          • 2. Re: EEPC Self-recovery?
            sokam

            She reset her password via the PBA screen using the Self-Recovery option.

            So how does she get the password she reset via eepc set to the windows password - in other words when does the "windows change password event" occur?

             

            The user is now stuck at the moment because Windows does not recognise her new password.

            • 3. Re: EEPC Self-recovery?

              Changing the EEPC password does not affect the Windows password - The problem is, your user does not know her Windows password. There's never been any feature in EEPC to touch or modify the windows passwords, only the reverse - the Windows password is replicated to the EEPC password when the user does a password change (of the windows password) within Windows itself.

               

              This is not something EEPC can solve, you need to use some other technology to allow remote change of a user's Windows password.

               

              If you didn't have EEPC installed, and the user forgot their Windows password, how would you resolve that? It's the same process now.

              • 4. Re: EEPC Self-recovery?
                sokam

                Thanks for the prompt and clear response.

                 

                Just to clarify the following:

                 

                1.  So what is the use case for the Self-Recovery option in EEPC e.g. for a user such as mine who is connected to AD (in the office LAN)?

                What is the implication of not allowing users to perform self recovery?

                 

                2.  If I change the user's password in AD will this new password be replicated to EEPC?

                • 5. Re: EEPC Self-recovery?

                  1. To get the user to the windows login prompt, then you can use any one of a number of windows password reset tools, or if they are on the LAN, you can just reset it in AD.

                   

                  Eepc is not an "offline windows password reset" solution - there are a number of companies who specialize in that.

                   

                  2. No, the change has to happen on a machine running eepc, otherwise eepc can't see it happen.

                  • 6. Re: EEPC Self-recovery?
                    sokam

                    Thanks for the helpful responses,

                    What are the advantages and disadvantages of having the self recovery feature enabled?

                     

                    Message was edited by: sokam on 04/02/13 16:34:33 CST
                    • 7. Re: EEPC Self-recovery?

                      The advantage is they can reset their preboot password without your help.

                      • 8. Re: EEPC Self-recovery?
                        ascoyne

                        As SafeBoot states and from my experience and research EEPC never syncs with AD i.e. if a user changes their PBA password through self recovery the new password will not be "picked up" by Windows. The only way to get AD and PBA password to sync is for the user to do a Ctrl+Alt+Del in Windows and reset their password.  What should happen then is PBA password will then match the domain password.

                         

                        If you use self recovery this should be the process:

                         

                        User uses self recovery to change PBA password and get past PBA - at this point the PBA password is out of sync with AD.

                        User logs into Windows using their Windows password - If the user can't remember their Windows password it will have to be reset by AD so they can login. If they are off the network, they are out of luck, unless you have another method to reset domain password like SSRPM.

                        To bring PBA and Domain password back into sync user MUST do a C+A+D password reset

                         

                        Three things to appreciate are:

                         

                        1) EEPC can only "listen" for a password change on the local machine i.e. C+A+D event

                        2) Changing the password in AD will NEVER be picked up by EEPC - it's important that your Help desk understand this concept

                        3) Changing your PBA password with self recovery is NEVER picked up by Windows - it is used purely to get the user past the PBA screen

                        • 9. Re: EEPC Self-recovery?

                          +1 what ascoyne said.