Some of our users have laptops with full disk encryption and only use these laptops once every few months when they have a need to work remotely. They use their desktops when in the office. Even though they are not frequently used, they need to have these laptops available to them at home for unplanned after hours use.
The PBA is currently set to sync with their AD account password. We have ongoing problems with users turning on their laptops while out of the office after a non-use period of many weeks. Since the laptop has been powered off for weeks or months, the PBA password is still synced with an AD password that may have been used two or three password changes ago and they cannot remember what that old password was and therefore cannot get past PBA to log into Windows and connect to VPN so that the PBA password can sync with their current AD password.
They can try self recovery or calling in to the help desk to get a remote password reset, but this is a big hassle. We are considering changing the PBA password policy to something that will work better for these types of users. Instead of syncing with the Windows password, we are considering changing the policy to be a static password that can be easier for the users to remember (such as a short numeric code), but with only a few tries allowed before it locks out.
As long as the users are not allowed to use easily guessable numbers such as 1234, 4321 or 0000, I assume there should be no way for even a simple 4 digit code password (such as 7493 or 2876) to be cracked by brute forcing if the account is locked after only a few tries and therefore, there is no real need for the PBA password to be very complex. Correct?
The laptops do not have fingerprint readers. They have built-in smartcard readers, but we don't have any plans to implement smart cards because it is very likely some of the users would either carelessly leave the cards in the laptops or store them in the bag with the laptop, which would defeat the purpose of having smart cards if the laptops are lost or stolen.
Any suggestions for these types of users?
on 1/26/14 4:00:40 PM CST
on 1/26/14 4:02:11 PM CST
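The trade-off in the question can be put in numbers. This is an added example, not part of the original post: it rejects the pattern classes the post names (all-same digits, ascending and descending runs) and computes the chance that a guess succeeds before lockout. The function names are hypothetical, the limit of 3 tries is a constructed value (the post only says "a few"), and the result assumes users pick uniformly among the allowed codes and that the lockout counter cannot be reset or bypassed.

```python
from fractions import Fraction
from itertools import product

DIGITS = "0123456789"


def is_weak(pin: str) -> bool:
    """True for the pattern classes named in the post: 0000, 1234, 4321."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    # A single shared step of 0 (all digits equal), +1 (ascending run)
    # or -1 (descending run) marks the code as easily guessable.
    return len(steps) == 1 and steps <= {0, 1, -1}


def allowed_pins(length: int = 4) -> list[str]:
    """Every numeric code of the given length that the policy accepts."""
    codes = ("".join(t) for t in product(DIGITS, repeat=length))
    return [c for c in codes if not is_weak(c)]


def guess_probability(tries: int, length: int = 4) -> Fraction:
    """Chance of hitting the code within `tries` distinct guesses.

    Assumes a uniformly chosen code and a lockout that cannot be reset.
    """
    keyspace = len(allowed_pins(length))
    return Fraction(min(tries, keyspace), keyspace)


if __name__ == "__main__":
    TRIES = 3  # constructed value; the post only says "a few tries"
    for length in (4, 6):
        p = guess_probability(TRIES, length)
        print(f"{length} digits: {len(allowed_pins(length))} allowed codes, "
              f"P(guessed before lockout) = {p} ~ {float(p):.6f}")
```

The figure is per lockout cycle, so it holds only if the failed-attempt counter persists across reboots and is not reset automatically after a delay.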