6 Replies Latest reply on Aug 19, 2015 5:04 PM by zaphod

    How to change Windows credentials associated with a McAfee user account?

    zaphod

      We are upgrading a group of machines that still have the very old McAfee Encryption, I think version 5 (whatever the first version was with McAfee branding after they bought SafeBoot), to version 7.1.1.

       

      We were able to do this on the old version, no problem, but have yet to find a way to accomplish this on the new version.  It's a critical function we must have.

       

      So here's the basic scenario:

      • We have the single sign-on enabled, but have the "must match" policy disabled so the McAfee account does not have to match the Windows account login ID.
      • A new McAfee user account gets assigned to a specific PC.
      • On their first login, the user logs into their Windows account.  That Windows account is now of course associated with the specified Windows account and single sign-on works as intended.
      • BUT, now, sometime later, we have a need to change the Windows account being used to log into Windows on the computer, but want to keep the same McAfee account ID.  So we need to somehow tell McAfee to stop auto-logging in as the original Windows account, and to now use this other Windows account instead.

       

      Note, I'm not just changing the password on the Windows account, I need to also be able to change the associated Windows user ID.

       

      In the old version, we used that old command line SBADMCL.exe tool using the /setWindowsCredLocal command.  Worked like a charm.

       

      I can find no way to do this on this version 7.1.1.

       

      I definitely can find no direct way to do it like we could with the old version, to just directly change the Windows credentials.

       

      I also tried things like purposely locking out the old Windows account by too many incorrect passwords, or even totally disabling the old Windows account.  This forces McAfee Encryption to fail the auto-login and prompt for Windows credentials.  I thought maybe here by putting in the new credentials, it would replace the old credentials, but McAfee Encryption just still wants to always auto-login using the original/old Windows credentials.

       

      Thank you!

        • 1. Re: How to change Windows credentials associated with a McAfee user account?
          jhall2

          The option "Must Match Windows Username" on the Log On tab of the Product Settings policy.

           

          We do not recommend disabling this option but you will need to in order to perform the action that you describe. By disabling it, any password change that occurs on the system will be captured and the PBA users password and SSO info updated. This includes pushing a GPO update of a local system account. It is recommended that if you need two different accounts to be utilized at PBA and Windows, SSO be disabled.

          • 2. Re: How to change Windows credentials associated with a McAfee user account?
            zaphod

            Thanks for the response, but I think you slightly misunderstand what I'm trying to do.

             

            I don't want it to work with TWO Windows accounts simultaneously (this seems to be what you're describing by saying "if you need two different accounts to be utilized at PBA and Windows").

             

            I just need to be able to change the Windows account that the McAfee account auto-logs-in to Windows with, permanently.

             

            I.e., after the change, the OLD Windows account will no longer be used at all, and the new Windows account will be used permanently going forward.

             

            So it's not like we're switching back and forth between multiple Windows accounts on the same PC.  We just need to make a one-time change from one Windows account to another Windows account.

            • 3. Re: How to change Windows credentials associated with a McAfee user account?
              jhall2

              If the usernames of the PBA and Windows account do not match, you cannot utilize "Must Match Username". If you are using the same username and just need to refresh the SSO information, from the ePO server, go to the DE: Users query, select the user, click Actions | Drive Encryption | Clear SSO Details. The machine will need to perform an ASCI and the Policy Enforcement must complete on the MDE Status Monitor prior to rebooting. This generally takes about 20 minutes if you don't help it along by clicking send events.

               

              The issue I mentioned above is if the username of the PBA user does not match the username of the user in Windows you wish to SSO into, you cannot utilize the Must Match Username option. This option prevents capturing of any other Windows user account password changes if the username does not match that of the PBA user.

               

              If this option is not selected and SSO is enabled, any password change regardless of the user account will then be captured and update the PBA users password and SSO details. If you disable Must Match Username, if using PBA user apple and Windows user banana, if Windows User grape logs on to the system and changes their password, PBA user apple will capture the password change, update the PBA user password and update the SSO details to log into the grape user account.
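The capture rule in the reply above (any Windows password change updates the PBA user's password and SSO details when "Must Match Username" is off, only a same-named user's change when it is on) can be modelled as a small state machine. The following is an added illustration written for this thread, not McAfee's code and not the poster's; the PBA/Windows user names apple, banana and grape come from the reply, the passwords are constructed sample values, and the case-insensitive username comparison is an assumption. It shows the defensive point jhall2 is making: with the option disabled, a password change by an unrelated Windows user (grape) silently rewrites which account PBA user apple will SSO into.

```python
"""Model of the SSO-capture behaviour described in the thread (illustration only)."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class PbaUser:
    """A pre-boot (PBA) user with the SSO details stored for it."""
    name: str
    password: str
    sso_username: Optional[str] = None
    sso_password: Optional[str] = None


@dataclass
class Policy:
    """The two Log On settings discussed in the thread."""
    sso_enabled: bool = True
    must_match_username: bool = True


def capture_windows_password_change(pba: PbaUser, policy: Policy,
                                    windows_user: str, new_password: str) -> bool:
    """Apply the capture rule from the reply to one Windows password change.

    Returns True when the PBA user's password and SSO details were rewritten.
    """
    if not policy.sso_enabled:
        # SSO disabled: nothing is captured, PBA and Windows credentials stay independent.
        return False
    # Assumption: username matching is case-insensitive (Windows account names are).
    if policy.must_match_username and windows_user.lower() != pba.name.lower():
        # Must Match on: changes by any other Windows user are ignored.
        return False
    # Must Match off (or names match): the PBA password follows the Windows one and
    # the SSO target becomes whichever Windows user just changed their password.
    pba.password = new_password
    pba.sso_username = windows_user
    pba.sso_password = new_password
    return True


def run_scenario(must_match: bool) -> Tuple[bool, Optional[str], str]:
    """PBA user apple is linked to Windows user banana; Windows user grape changes password.

    Returns (was_updated, resulting SSO username, resulting PBA password).
    """
    policy = Policy(sso_enabled=True, must_match_username=must_match)
    apple = PbaUser(name="apple", password="apple-initial",          # constructed values
                    sso_username="banana", sso_password="banana-initial")
    updated = capture_windows_password_change(apple, policy, "grape", "grape-new")
    return updated, apple.sso_username, apple.password


if __name__ == "__main__":
    for setting in (True, False):
        updated, sso_user, pba_pw = run_scenario(must_match=setting)
        print(f"Must Match Username={setting}: updated={updated}, "
              f"apple now SSOs into {sso_user!r} with PBA password {pba_pw!r}")
```

Running it prints one line per setting: with the option on, apple keeps its banana link untouched; with it off, apple's PBA password becomes grape's new password and its SSO target becomes grape. That second outcome is exactly the one-time switch the original poster wants, and also the reason the reply recommends leaving the option enabled on machines shared by several Windows accounts.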

              • 4. Re: How to change Windows credentials associated with a McAfee user account?
                zaphod

                jhall2 wrote:

                 

                If the usernames of the PBA and Windows account do not match, you cannot utilize "Must Match Username". (snip...)

                 

                The issue I mentioned above is if the username of the PBA user does not match the username of the user in Windows you wish to SSO into, you cannot utilize the Must Match Username option. This option prevents capturing of any other Windows user account password changes if the username does not match that of the PBA user.

                Yep, we understand that.  We do have "Must Match Username" DISabled.  That is what we want (the Windows username might not match the PBA username).

                 

                jhall2 wrote:

                 

                If you are using the same username and just need to refresh the SSO information, from the ePO server, go to the DE: Users query, select the user, click Actions | Drive Encryption | Clear SSO Details. The machine will need to perform a ASCI and the Policy Enforcement must complete on the MDE Status Monitor prior to rebooting. This generally takes about 20 minutes if you don't help it along by clicking send events.

                Is this "Clear SSO Details" option available via the ePO console even if the PBA and Windows usernames do not match, with "Must Match Username" policy disabled?  Or is it only available if the usernames do match (i.e., if that policy is enabled)?  I don't see this "Clear SSO Details" option in my console.  However, I'm also not a full system admin in our ePO console, so it may be a permissions issue.  I will check with our actual systems admins and see if they can verify my permissions to see if I should be allowed to see the Clear SSO Details option.  I just want to verify that, assuming I get that option to show up for me, it will still work if the usernames don't match.

                 

                jhall2 wrote:

                 

                If this option is not selected and SSO is enabled, any password change regardless of the user account will then be captured and update the PBA users password and SSO details. If you disable Must Match Username, if using PBA user apple and Windows user banana, if Windows User grape logs on to the system and changes their password, PBA user apple will capture the password change, update the PBA user password and update the SSO details to log into the grape user account.

                It sounds like you're saying that the system SHOULD do exactly what I'm hoping it would do.  If that's correct, I guess what I'm saying is, it's not working for us.

                 

                So here is my specific test that I've done, using your example user names.  Tell me if this SHOULD work as I describe.

                 

                1. I initially set the PC up so I have PBA user apple set up with SSO info for Windows user banana.  This auto-login works just fine.
                2. I now need to change this PC, still using PBA user apple sign-on, to use Windows user grape.
                3. I purposely lock out the password for Windows user banana by locking the screen saver and typing the password in wrong until it locks out the account.
                4. I reboot the PC.
                5. I log into PBA as user apple.
                6. McAfee fails the Windows login of attempting to log on to Windows as Windows user banana because of the locked out password.
                7. I'm presented with the Windows login dialog.
                8. I log in as Windows user grape.
                9. Windows finishes booting up and successfully logging in to Windows as user grape.
                10. I reboot the PC again.
                11. I log in as PBA user apple.
                12. At this point, I expect McAfee Encryption to auto-login to Windows as Windows user grape.

                 

                Is that what SHOULD happen?

                 

                However, what I see in that very last step is that McAfee Encryption still tries to auto-login as the original Windows user banana, but of course still fails because of the locked out password.

                 

                I've also done the above test a slightly different way, in that instead of locking out the original banana windows account password in step 3, I totally disable the banana account by logging off Windows (not rebooting, just log out), logging in with another admin Windows account, then locking out the banana account.  Then the rest of the scenario is the same from step 4 on.  McAfee still tries to auto-login to Windows with the disabled banana account.

                 

                So if I interpret your previous reply correctly as meaning my test SHOULD work, then I guess something is wrong in our environment and it's not working.

                 

                Or did I misinterpret your previous reply?

                 

                Or am I missing something in my test scenario above?

                 

                Thank you again!

                • 5. Re: How to change Windows credentials associated with a McAfee user account?

                  I think I understand what you are asking.

                   

                  You start with Windows user Grape and EEPC user Grape linked together, then you want to link Windows user Grape to EEPC user Banana.

                   

                  You used to just use the API to make the switch.

                   

                  To be honest, I don't think it's possible to switch the linked user account in EEPC7 - yes, you can get EEPC to pick up a password from any login, but I don't believe there's an API, or even a GUI option, to manually set a user's SSO username.

                  • 6. Re: How to change Windows credentials associated with a McAfee user account?
                    zaphod

                    You've got it close, but kind of the other way around.

                     

                    Start with Windows user Grape linked with EEPC user Grape, but then I want to link Windows user Banana while keeping EEPC user Grape.  (I.e., we're changing the Windows user, not the EEPC user.)

                     

                    We don't really need a way to set the SSO user name through an API.  We just need a way for EEPC to prompt us for a new sign-in within Windows, and then associate that sign-in with the EEPC account.

                     

                    And actually, I figured it out.  My process described in my previous post actually DOES work.  I figured out that we had something unique in our image that was interfering with EEPC capturing the sign-on info.  Once I removed that from my test PC, EEPC worked as I expected as described in my previous post.

                     

                    So ultimately, it had nothing at all to do with McAfee Encryption itself.  It was an outside factor interfering with what EEPC was trying to do.

                     

                    However, what I could NOT get to work was the "Clear SSO Details" through the console.  I was able to get my main ePO system admin to give me access to that function in the console, and I was able to get there and go through the process.  But it never took effect on the client PC even after letting it sit and sync with the server for a full day, and several manual syncs using the buttons in the McAfee agent.  It'd be nice if this worked, but we figured out a way to make things work even without it.

                     

                    Thanks for both your help!