Monday, August 18, 2008

Pointsec for PC: Update Profile & Windows Integrated Logon

One question that I get a lot is what to do when Pointsec disables Windows Integrated Logon because of excessive logon failures. My answer is that you should walk the user through the Remote Help process and get them back to work.

You've just gone through a lot of trouble to walk your user through the Remote Help process. Now here is the bad news. If they power down their computer, they will have to do it all over again. That's right, a successful login through Remote Help does not turn Windows Integrated Logon back on. That is your job.

The simplest way to do it is to log into the Management Console, open the local settings and re-enable Windows Integrated Logon (WIL). However, your user might not be onsite. If that is the case, then you're going to have to use an update profile to turn WIL back on for the user. Of course, normally your users would have to be on your network to get the update, but there is a way to work around that. Let's start by creating the update profile.

Open up the Pointsec Management Console and go to Remote. Expand your set (if you haven't made one then you should probably do that first) and click on Profiles. Let's create a new update profile.

In this example, I'm going to create a profile called "turn on WIL". I want to base the profile on my existing settings, so I'm going to make sure that I've clicked that checkbox when I get the option. On the next screen I'm going to tell Pointsec to base the update profile on my local settings. I also want to clear the checkbox for Groups and User Accounts. Since I don't want to make any changes to those settings, I want to make sure that nothing is accidentally included in my update profile that might mess with the accounts on my machines.

When I finish the wizard, Pointsec brings up the profile settings. Now here is where things get really easy. Since my computer already has WIL turned on, I don't want to make any changes to the settings at all. I'm going to leave everything as it is and click OK. I will ignore the warning about Windows Integrated Logon being turned on (because that's what we're trying to do) and the warning about accounts not having enough authority. The authority error comes up because our update profile doesn't have any account information in it. I'm not going to publish the profile that I just created because it needs to be tested, and this isn't something that I'm going to push out to every computer anyway.

Now to test the update profile. I'm a big believer in testing things before you push them out to your users. I'm going to go back into my Management Console and turn off Windows Integrated Logon. Once that is done, I'll reboot my computer, and as expected Pointsec is asking me to log in at the Pre-Boot Environment.

After logging into Windows, I open up the Pointsec work folder. On my XP machine that is located in c:\program files\pointsec\pointsec for pc\work. I also need to open up the share on the network that is holding my update profile. Since I didn't publish the profile, it is located in the Profile Storage folder on my network share. Now I'm simply going to copy the update profile from the network and paste it into my work folder. After about 5 or 10 seconds, the profile will disappear. Reboot again and Windows Integrated Logon is enabled once again. Problem solved.

So if this user were on your network, you would put a copy of the update profile into the update folder for that user's computer. Remember, when computers check for updates, they also look for a folder with the same name as the computer name in the update folder. This is how you make updates to a single computer. But we're talking about a user that isn't on the network. In this case you can email the update profile to the user or have them download it from your website. Then walk the user through the process of copying the update profile into their work folder.
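
The copy step for an off-network user can be scripted. The PowerShell below is an added example, not part of the original post or of Pointsec: it checks the received file against a SHA-256 value that the help desk reads out (an assumed process), copies it into the work folder, and waits for the client to consume it. The parameter names, the timeout and the hash check are assumptions; the default work folder is the XP path mentioned above.

```powershell
# Added example: stage a Pointsec update profile and confirm the client picked it up.
param(
    [Parameter(Mandatory = $true)][string]$ProfilePath,     # file the user received
    [Parameter(Mandatory = $true)][string]$ExpectedSha256,  # value supplied by the help desk (assumed process)
    [string]$WorkFolder = 'C:\Program Files\Pointsec\Pointsec for PC\Work',  # XP path from the post
    [int]$TimeoutSeconds = 60                                # assumed; the post saw 5 to 10 seconds
)

function Get-Sha256Hex([string]$Path) {
    # Resolve first: .NET does not follow PowerShell's current location.
    $full   = (Resolve-Path -LiteralPath $Path).ProviderPath
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($full)
    try {
        return ([System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '')
    } finally {
        $stream.Close()
    }
}

if (-not (Test-Path -LiteralPath $ProfilePath -PathType Leaf)) {
    throw "Update profile not found: $ProfilePath"
}
if (-not (Test-Path -LiteralPath $WorkFolder -PathType Container)) {
    throw "Pointsec work folder not found: $WorkFolder"
}

# Refuse to stage a file that is not the one the administrator sent.
$actual = Get-Sha256Hex $ProfilePath
if ($actual -ne $ExpectedSha256.Trim()) {   # -ne compares case-insensitively
    throw "SHA-256 mismatch: got $actual. Profile was not copied."
}

$staged = Join-Path $WorkFolder (Split-Path -Leaf $ProfilePath)
Copy-Item -LiteralPath $ProfilePath -Destination $staged

# The client removes the profile from the work folder once it has processed it.
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
while ((Test-Path -LiteralPath $staged) -and ((Get-Date) -lt $deadline)) {
    Start-Sleep -Seconds 1
}

if (Test-Path -LiteralPath $staged) {
    throw "Profile is still in $WorkFolder after $TimeoutSeconds seconds; it has not been processed."
}
Write-Output "Profile was consumed. Reboot to confirm Windows Integrated Logon is enabled."
```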
