
Silent enrollment and AD passwords

Created: 18 Dec 2012 • Updated: 18 Dec 2012 | 2 comments

Good Day,

We are currently running the Universal Server version 3.2.1 (Build 4869). I have Silent Enrollment for the PGP Desktop clients enabled and everything works fine with it. The users get the PGP Desktop client installed; they reboot the computer and sign in. Once they sign into AD they are presented with the PGP enrollment screen, where they type in their Windows user name and AD password. Once this is done a Guarded Key pair (GKM) is created.

My concern now is that we have a password policy in place where the users need to change their AD passwords every 60 days. My question is: if we are using the GKM managed keys, will the new AD passwords be automatically synchronized with the client's local key pair and with the copy on the Universal Server as well? If not, is there a way to configure this so that minimal manual key management is required by the user? Our goal is to have the AD and PGP passwords synchronized at all times so that people don't have to manage multiple passwords. Can someone give me details about this?

I also recently read that you can pass an MSI switch for the client installs: "msiexec /i C:\pgpdesktop.msi PGP_INSTALL_DISABLESSOENROLL=0". This allows for a totally silent install, meaning the users will not even receive the PGP enrollment screen, I'm assuming. Is the key pair then created based off the AD logon data? Does anyone have more details regarding this switch?

Thanks
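The following is an added example of how an administrator might script the silent MSI install referred to in the post above; it is not code from the original thread or from Symantec. It uses the PGP_INSTALL_DISABLESSOENROLL property exactly as written in the post (confirm the property name and the value that disables or enables SSO enrollment against the Symantec documentation for your client version). The MSI path is the one from the post; the log path, the exit-code handling and the log check are assumptions of this example.

```powershell
# Added example (not from the original thread): silent install of the PGP Desktop MSI
# with the SSO-enrollment property from the post, verbose Windows Installer logging,
# and handling of the standard msiexec exit codes.
# Assumptions: MSI path as in the post, log path chosen here; verify the property value
# against the Symantec documentation for your client version.

param(
    [string]$MsiPath = 'C:\pgpdesktop.msi',                    # path used in the post
    [string]$LogPath = "$env:TEMP\pgpdesktop-install.log"      # assumed log location
)

if (-not (Test-Path -LiteralPath $MsiPath)) {
    Write-Error "MSI not found: $MsiPath"
    exit 2
}

# /qn = no UI, /norestart = let the deployment tool control reboots, /l*v = verbose log.
# PGP_INSTALL_DISABLESSOENROLL is the public MSI property named in the post.
$arguments = @(
    '/i', "`"$MsiPath`"",
    '/qn',
    '/norestart',
    '/l*v', "`"$LogPath`"",
    'PGP_INSTALL_DISABLESSOENROLL=0'
)

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $arguments -Wait -PassThru

# Windows Installer records every command-line property it accepted in the verbose log;
# checking for it confirms the switch actually reached the installer engine.
if (Test-Path -LiteralPath $LogPath) {
    Select-String -Path $LogPath -Pattern 'PGP_INSTALL_DISABLESSOENROLL' |
        Select-Object -First 3 |
        ForEach-Object { Write-Host "Log: $($_.Line.Trim())" }
}

switch ($proc.ExitCode) {
    0    { Write-Host 'Install succeeded.' }
    3010 { Write-Host 'Install succeeded; a reboot is required before the client can enroll.' }
    1641 { Write-Host 'Install succeeded; the installer initiated a reboot.' }
    default { Write-Error "msiexec failed with exit code $($proc.ExitCode); see $LogPath" }
}
exit $proc.ExitCode
```

Run it from an elevated PowerShell session (or through your software-deployment tool) as a script, for example `.\Install-PgpDesktop.ps1 -MsiPath '\\server\share\pgpdesktop.msi'`; exit code 3010 from msiexec means the install completed but the machine must be rebooted, which matches the reboot-then-sign-in sequence described in the post.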

2 Comments

Alex_CST:

That is correct: there will be no enrollment, and (if you have AD sync correctly configured) it will sync with AD. The interval at which AD is checked is configured on the Universal Server through the LDAP Cache timeout, which by default is 10 minutes.

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

3L3M3NT:

Thank you for responding, Alex. So this AD check that happens every 10 minutes will automatically synchronize the key passphrase if the users change their AD passwords? I just changed my AD password, waited over ten minutes, did a policy update and synchronized the keys. The key still has my old password on it. I even rebooted and still no luck. I know LDAP is configured correctly since I'm not having issues with enrollments. Am I still missing something in the configuration? Or do users just need to manage their own key passwords?