Did you assign any users to the laptop? The "Automatically add domain users" option is not going to work (there are no domain users on a non-domain laptop).
Then I suppose I should ask this:
Can you even add non-domain users through ePO?
Or should I just create a generic domain ID that has no rights to anything else for the purpose of these laptops?
No, EPO only supports domain users, so even though the machines are not part of the domain, the users must be, even if they only use their domain identity within EEPC - it's really only so there's some UI to manage them etc. EPO will get user management in EEPC 7.1 etc.
So, you need to add names for your users to your AD, then assign them to machines.
Don't create a generic shared ID - that defeats all the rules of auditability and accountability, plus everyone will end up using the same password (or changing each other's password). Each user must use a unique user ID.
Even though the laptops are for training, I'm surprised the users using them don't have domain user accounts?
Shared usernames and passwords are bad. You know it. I know it. I've told the department head this. I've told (through my boss) his boss this. I've been told to do things this way anyway.
The bottom line is I've been told to set up (against my recommendations) a single username whose password is the same as the username, and I need to/intend to do just that. I'm just trying to find the technical tools to do that.
You know that the first time someone changes "their" password on one training machine, it will replicate that out to all the other machines?
I'm quite aware. I've been told to set the passwords to never expire.
Heck, I'm thinking of just asking if I can set the "bypass preboot authentication" option and have it expire in 2097.
Why not just do that and add the admins then just as a recovery option? No need to add a sketchy audit-failure user to your domain if you're going to store the key on the hard disk anyway. Your company already gave up safe-harbor protection by not covering the "authentication" clause, so why make life harder than you need?
Yup, already typing up that e-mail as we speak, trying to outline the technical situation in as layman terms as possible.
Thanks for the info/ideas!
You are quite welcome. Good luck! Shame you're not on v7 - then you could look at the reactive-autoboot mode. That would stop people getting access outside your network anyway.