
Adding users to laptops via PGP Server

Created: 16 Jan 2013 • Updated: 18 Jan 2013 | 11 comments
This issue has been solved. See solution.

I have a user that I need to add to over 200 laptops...

Without "touching" each laptop is it possible to "push" a User and the user's password to a laptop via the PGP server???

 

 

 


Alex_CST's picture

Yes, you can do a silent SSO enrolling

 

http://www.symantec.com/business/support/index?pag...

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

DannyPG's picture

When I click on the URL I get the following:

'The URL you've tried isn't returning content. There are two possibilities:
 

 

 

DannyPG's picture

When I click on the URL I get the following:

Page Not Found

The page you requested was not found. You may have used an outdated link or may have typed the address (URL) incorrectly.
 

Tom Mc's picture

Try http://www.symantec.com/docs/HOWTO77014

When you consider your issue resolved, please click Mark As Solution on the most helpful response.


DannyPG's picture

That's not what I need... This URL entails a user physically logging into the machine... In fact, this user is not allowed to log into Windows...

This is a "backdoor" account for our Help Desk, this user is denied logging into Windows via a Group Policy... This user will only be used to get a User past the PGP bootguard screen and to a Windows Logon screen... And NO, we cannot give the Help Desk the WDE Administrator passphrase...

I already have this account on 25% of the laptops, but I need it added to the other 75%... And manually touching each laptop to add the account is unacceptable ( as well as undoable )...

So I was hoping I could add the User to the remaining laptops via the PGP Server console...

Clear as mud !

 

 

 

Alex_CST's picture

You can't push a password to a laptop definitely. But from a security standpoint, if this is a single user and a single password that can unlock the drive of over 200 laptops, that sort of makes the disk being encrypted pointless and if you have to do this for any sort of regulatory compliance it won't cut the mustard.

 

This sounds to me like the reason the recovery tokens were put into PGP, for single use help desk scenarios to bypass a forgotten password or something along those lines, won't that do the job?


DannyPG's picture

Actually, our Security Analyst is the one that recommended us putting a "backdoor" on the laptops...

As for the Help Desk using the recovery tokens... Have you ever tried giving an IRATE doctor a 28 character key to type in at 1 o'clock in the morning !!!!

All of our laptops are for Doctors and they will NOT tolerate having to type in a 28 character key...

My response is: Don't forget your password dumbass! ...  But, unfortunately, we can't tell them that...

Therefore, the "backdoor" passphrase...

Any other idea as to how I can accomplish this feat ???

 

 

 

vaibhav_jain1's picture

You can do this by pushing a batch script, but you will also have to specify your admin passphrase to add a user.

pgpwde --disk 0 --add-user -u <backdoor user> -p <password> -a <admin passphrase>

SOLUTION
Alex_CST's picture

Horses for courses I guess - you could have also done the security questions, but if that was also unacceptable you could add them via cmd line.


DannyPG's picture

Pushing a batch script... That's not a bad idea!

If I use a batch script, wouldn't I need to use something like PSEXEC, since the script would be adding a user to a remote machine?

 

DannyPG's picture

Thanks for everyone's help... Got it working on remote laptops using a batch script + PSEXEC...
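
An added example, not part of the thread and not Symantec's or any poster's code: the batch-script-plus-PsExec approach described above, written so that both passphrases are prompted for at run time instead of being stored in a script file, with a per-laptop result log. The `pgpwde` options are the ones quoted in the thread; the host list file, the account name, and the assumptions that `pgpwde` is on each laptop's PATH and exits with 0 on success are hypothetical.

```powershell
# Added example (not from the thread). Assumptions: laptops.txt holds one host
# name per line, PsExec is on the admin workstation's PATH, pgpwde is on each
# laptop's PATH, and pgpwde exits with 0 on success.
param(
    [string]$HostList   = '.\laptops.txt',            # hypothetical file name
    [string]$UnlockUser = 'helpdesk-unlock',          # hypothetical account name
    [string]$ResultCsv  = '.\add-user-results.csv'    # hypothetical output file
)

# Convert a SecureString to plain text only at the moment it is needed.
function ConvertTo-PlainText([securestring]$Secure) {
    (New-Object System.Net.NetworkCredential('', $Secure)).Password
}

# Prompt instead of hard-coding: nothing secret is written to disk by this script.
$userPass  = ConvertTo-PlainText (Read-Host -AsSecureString 'Passphrase for the new user')
$adminPass = ConvertTo-PlainText (Read-Host -AsSecureString 'WDE admin passphrase')

$targets = Get-Content $HostList | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$results = foreach ($pc in $targets) {
    # Skip machines that are off the network so they can be retried later.
    if (-not (Test-Connection -ComputerName $pc -Count 1 -Quiet)) {
        [pscustomobject]@{ Computer = $pc; Status = 'offline'; ExitCode = $null }
        continue
    }

    # Same pgpwde options as quoted in the thread; PsExec returns the remote exit code.
    & psexec.exe "\\$pc" -accepteula pgpwde --disk 0 --add-user `
        -u $UnlockUser -p $userPass -a $adminPass 2>$null | Out-Null

    $status = if ($LASTEXITCODE -eq 0) { 'added' } else { 'failed' }
    [pscustomobject]@{ Computer = $pc; Status = $status; ExitCode = $LASTEXITCODE }
}

# Keep a record of which laptops still need the account.
$results | Export-Csv -NoTypeInformation -Path $ResultCsv
$results | Where-Object Status -ne 'added' | Format-Table -AutoSize

Remove-Variable userPass, adminPass
```

Both passphrases still appear on the remote `pgpwde` command line, so process-creation auditing that records command lines on the laptops will capture them.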