8 Replies Latest reply on Sep 9, 2016 3:11 AM by jmcleish

    Moving assigned encrypted users to a different OU in same AD - can they still logon?


      Currently running McAfee Drive Encryption 7.1.1 and ePO v5.3.1 (and also an older version, 4.6.9, which we still have some encrypted users on that I've not had a chance to migrate off yet).


      I need to confirm that if we move our encrypted users in AD, they will still be able to log on to their encrypted machines. (I have already raised a call, and the support guys said something different from my reseller support and from my (limited) testing.)


      We have users, admins (ePO admins) and support staff:

      Machines are moved into a specific group in ePO.

      We manually assign users to each individual machine (Encryption Users, select PC, add users, add Drive Encryption Users - Users).

      The admins are assigned individually at the group level (Encryption Users, select group in system tree, select group users, add users).

      The support staff are added via a group at the encryption users Group Users level (Encryption Users, select group in system tree, select group users, add users, from the groups).

      I also have one machine (pool) that has users assigned via a group (Encryption Users, select PC, add users, add Drive Encryption Users, from the groups).



      When you assign a user, it shows the distinguished name in the encrypted users section. The LDAP attributes used are samaccountname for both User Name and Display Name.


      Now we are going to move all our user accounts (not groups), which are scattered in various different OUs in our AD structure, to under one OU. (This is going to happen, so I have no option but to find out the impact this will have on encrypted user assignment.)


      Can someone please confirm definitively whether, after all users are moved from their current OU in Active Directory:


      1. individually assigned users will still be able to log on

      2. group-assigned users will still be able to log on

      3. users in a group will still be able to log on


      (Also, I know 4.6.9 is no longer supported, but if there's any info related to this version it would be appreciated, so I know whether I have to move them first.)


      What (if any) impact does the timing of the LDAP sync task have?

      I was told by McAfee support that moving the users to a different OU would change the user hashID and they wouldn't be able to log on. My reseller said manually assigned users would be able to log on, but not ones assigned in groups. My limited testing shows that manually assigned users could log on fine. The last phone call from support was a "we think" that they won't be able to log on!! So not entirely convincing! I've not had a chance to test the other scenarios yet.


      Previously I remember using either EE 6.1.2 or 6.2.1 and ePO v4.6 (or 4.5), and when the account was moved in AD, the user was unable to log on to their encrypted machine and had to be re-added as an encrypted user (with their new distinguished name path to the new OU). Not sure if this was a definite issue with either ePO or EE v6.


      So if anyone has any information from previous experiences or can give me a definitive answer that would be much appreciated.


      Many thanks
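Since the post notes that assignments are recorded by distinguished name, one thing a migration team can do before the move is work out which assignment records would stop matching by DN and which user each one should be re-bound to. The script below is an added example, not code from the thread or from McAfee: it assumes only that an assignment stores a DN and that an OU move keeps the CN RDN but changes the parent, and it runs over constructed sample data rather than a real directory export (real DNs with escaped commas would need a proper DN parser).

```python
"""Pre-move impact check for DN-based encrypted-user assignments.

Added example, not from the original thread or from McAfee. Assumptions:
  - an assignment record holds the user's (or group's) distinguished name
  - moving an object to another OU keeps its RDN (CN=...) and changes the parent
  - DNs are compared case-insensitively, as Active Directory does
All directory data below is constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AdObject:
    sam_account_name: str   # samaccountname, which the post says ePO uses for User Name
    dn: str                 # distinguishedName, which changes on an OU move


def rdn(dn: str) -> str:
    """First RDN of a DN (no escaped-comma handling; sample data has none)."""
    return dn.split(",", 1)[0].strip()


def move_to_ou(obj: AdObject, new_ou_dn: str) -> AdObject:
    """Simulate an AD move: same RDN, new parent container."""
    return AdObject(obj.sam_account_name, f"{rdn(obj.dn)},{new_ou_dn}")


def assignment_impact(assigned_dns, before, after):
    """Classify each assigned DN against the directory before and after the move.

    Returns {assigned_dn: (status, new_dn)} where status is
      'ok'      - the DN still resolves after the move (e.g. a group that was not moved)
      'rebind'  - the DN no longer resolves, but the same samaccountname exists at new_dn
      'missing' - no object with that DN or samaccountname exists after the move
    """
    after_by_dn = {o.dn.lower(): o for o in after}
    after_by_sam = {o.sam_account_name.lower(): o for o in after}
    before_by_dn = {o.dn.lower(): o for o in before}
    result = {}
    for dn in assigned_dns:
        key = dn.lower()
        if key in after_by_dn:
            result[dn] = ("ok", dn)
            continue
        old = before_by_dn.get(key)
        new = after_by_sam.get(old.sam_account_name.lower()) if old else None
        result[dn] = ("rebind", new.dn) if new else ("missing", None)
    return result


# Constructed sample directory: two users in scattered OUs plus one support group.
USER_OU_OLD_A = "OU=Sales,OU=Users,DC=example,DC=local"
USER_OU_OLD_B = "OU=Finance,OU=Users,DC=example,DC=local"
GROUP_OU = "OU=Groups,DC=example,DC=local"
CONSOLIDATED_OU = "OU=AllStaff,DC=example,DC=local"

BEFORE = [
    AdObject("jsmith", f"CN=John Smith,{USER_OU_OLD_A}"),
    AdObject("afox", f"CN=Anna Fox,{USER_OU_OLD_B}"),
    AdObject("DE-Support", f"CN=DE-Support,{GROUP_OU}"),
]

# Only user accounts move; the group stays where it is, as the post describes.
AFTER = [move_to_ou(o, CONSOLIDATED_OU) if o.sam_account_name != "DE-Support" else o
         for o in BEFORE]

# Constructed assignment records as they would have been captured by DN.
ASSIGNED = [
    f"CN=John Smith,{USER_OU_OLD_A}",        # individually assigned user
    f"CN=DE-Support,{GROUP_OU}",             # group-based assignment
    "CN=Left Company,OU=Sales,OU=Users,DC=example,DC=local",  # stale record
]


def run_check():
    return assignment_impact(ASSIGNED, BEFORE, AFTER)


if __name__ == "__main__":
    for dn, (status, new_dn) in run_check().items():
        print(f"{status:8} {dn}" + (f"  ->  {new_dn}" if new_dn and status == "rebind" else ""))
```

The output lists each assignment as ok, rebind (with the DN it maps to by samaccountname) or missing, which is the worklist you would want in hand before the move regardless of how a given Drive Encryption version resolves moved users.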