I have the dubious task of managing 100+ telecommuting employees' company laptops (Windows XP). Generally, it's not very difficult to do so. One process in particular, though, always forces me to reevaluate how we manage those systems: Windows domain password resets.
We use full disk encryption (FDE) for our laptops that forces the user to log in at boot. The software has hooks into the Windows GINA so that it can create, effectively, a single sign-on experience. When users are required to reset their Windows domain passwords, the FDE software syncs with the reset and all is well.

Unfortunately, we've had a few scenarios where users reset their Windows domain password and forgot what it was the next day, so they call the Support Desk for assistance. We can remotely unlock/reset the FDE password, but FDE decouples from the Windows GINA, forcing the user to log in to Windows at least once (where before, the FDE handled this). However, the user can't remember their Windows password. And if they can't log in, they can't connect securely via VPN so that we can assist remotely. Very chicken-before-the-egg.

We've thought up some potentially valid solutions to this, including creating a restricted access "recovery" domain account that is included in the laptop image (as a user profile) for this type of purpose, but I have this nagging feeling there may be a better way. If you've experienced a similar scenario and were able to implement a manageable solution, please share.

Ryan Frantz
Technical Services Director
InforMed, LLC
410-972-2025 x2131
[email protected]
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
