Active Directory Password Sync

brizkallah
New Contributor II

so after applying the Policy for enabling the FV2, all works fine but the user password isn't synced with the AD, in another word, when the user restarts the machine he still have to 

1- login to decrypt the disk

2- sign in again with the AD user name and password.

can someone offer a solution to have the password registered?

1 ACCEPTED SOLUTION

jcarr
Valued Contributor

You may want to look into the rationale for binding to AD.  Migrating 1:1 devices to local user accounts (created during setup assistant with authenticated enrollment) with the Kerberos SSO is probably a better solution, and will likely give you everything you are looking for (user accounts that match the directory, password sync & SSO for kerberized services).  Binding to Active Directory has not been a recommended deployment solution for a number of years now.

View solution in original post

3 REPLIES 3

jcarr
Valued Contributor

This post is a little light on detail, so I'm going to make some assumptions...

 

1. I assume in step one above you mean "authenticate to decrypt the disk" (i.e. during the boot process) and not login?  If the user is actually "logging in" the disk is decrypted and the device is ready to go.

 

2. Your devices are bound to AD.  Is this why your users need to authenticate using a local account, and then log into their mobile AD account?

 

Is there a reason why your users are not logging into a local account and syncing the password to AD using the Kerberos SSO extension? You can even force the user's local account long and short name to match the directory using authenticated enrollment and enrollment customization.

 

Just a thought.

brizkallah
New Contributor II

well, let me break it down in other words.

1- the devices/laptops are connected to the AD.

2- users always use there AD credentials to login.

3- yes you are right for the point1 in your answer, the user now login twice, first login is to decrypt the disk and the second one is to login to the device itself.

4- so the problem is what if the user forgets his AD password and i did a reset on the AD, he will not be able to decrypt the disk in order to login. 

so my question is that if i can just bypass the 1st login requested to decrypt the disk or i should be switching to a different method of enabling the FV2.

jcarr
Valued Contributor

You may want to look into the rationale for binding to AD.  Migrating 1:1 devices to local user accounts (created during setup assistant with authenticated enrollment) with the Kerberos SSO is probably a better solution, and will likely give you everything you are looking for (user accounts that match the directory, password sync & SSO for kerberized services).  Binding to Active Directory has not been a recommended deployment solution for a number of years now.