Unable to unlock workstation after changing the user's eDirectory password

  • 7018579
  • 02-Feb-2017
  • 02-Feb-2017

Environment

Client for Open Enterprise Server 2 SP4 (IR5)
Identity Manager
ZENworks Dynamic Local User

Situation

Local Windows accounts are created and managed by ZCM 11.4 DLU policies; the workstations are not joined to an AD domain.

After changing their password in the IDM self-service portal (rather than through the "Forgot Your Password" link on the client), users cannot unlock their workstation with the new eDirectory password. They must still enter their old Windows password, which is their previous eDirectory password.

Resolution

When ZENworks DLU is used, the local user is created with the same username and password as the eDirectory user. When IDM then changes the eDirectory password, the new eDirectory password no longer matches the password of the DLU-created local account, which is still the old eDirectory password. When the user tries to unlock the workstation after the change, the following happens:

  • Client for OES accepts the eDirectory user and the new eDirectory password for the unlock, and successfully verifies this new password against eDirectory, confirming it is the current (newly updated) password.
     
  • Client for OES then tries to use that password to decrypt a previously stored, encrypted copy of the Windows account password, because unlocking a Windows 7 or later workstation requires the Windows account password.
     
  • Since decryption of the stored Windows account password fails (the new eDirectory password the user entered is not the password that was used to encrypt it), Client for OES must fall back to prompting the user for their Windows credentials.

After the workstation is rebooted and the user logs in again, unlocking works as expected, because the DLU-created local user and the eDirectory user once again have the same password.
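As an added illustration (not Client for OES or ZENworks code; the article does not describe the client's cache format or cryptography), the following Python model reproduces the sequence above: the Windows account password is cached encrypted under a key derived from the eDirectory password in force at logon, an IDM-only change of the eDirectory password leaves that cache undecryptable, the unlock falls back to a Windows credential prompt, and a fresh logon re-seals the cache. The user name, passwords, KDF and cipher construction are all assumptions for the model.

```python
"""Why unlock fails after an out-of-band eDirectory password change.

Added model for this article, not Client for OES code: the real client's
cache format and cryptography are not described here. The model keeps only
the property the Resolution relies on: the Windows account password is
cached encrypted under a key derived from the eDirectory password that was
in force at logon, so a later eDirectory-only change leaves the cache
undecryptable until the user logs on again.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

KDF_ITERATIONS = 100_000  # assumption for the model; the real client's KDF is not documented here


@dataclass(frozen=True)
class SealedWindowsPassword:
    """Encrypted Windows password plus the salt needed to re-derive its key."""
    salt: bytes
    ciphertext: bytes
    tag: bytes


def _derive_keys(edir_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """One PBKDF2 call split into an encryption key and a MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", edir_password.encode(), salt,
                                   KDF_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def seal(edir_password: str, windows_password: str) -> SealedWindowsPassword:
    """At logon: cache the Windows password encrypted under the eDirectory password."""
    salt = secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(edir_password, salt)
    plaintext = windows_password.encode()
    # Model stream cipher: SHAKE256 keystream from the per-logon key (fresh salt each seal).
    keystream = hashlib.shake_256(enc_key).digest(len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))
    tag = hmac.new(mac_key, salt + ciphertext, "sha256").digest()
    return SealedWindowsPassword(salt, ciphertext, tag)


def unseal(sealed: SealedWindowsPassword, edir_password: str) -> Optional[str]:
    """Return the cached Windows password, or None if the key does not match."""
    enc_key, mac_key = _derive_keys(edir_password, sealed.salt)
    expected = hmac.new(mac_key, sealed.salt + sealed.ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, sealed.tag):
        return None  # wrong eDirectory password: the cache cannot be decrypted
    keystream = hashlib.shake_256(enc_key).digest(len(sealed.ciphertext))
    return bytes(c ^ k for c, k in zip(sealed.ciphertext, keystream)).decode()


def unlock(sealed: SealedWindowsPassword, user: str, typed_edir_password: str,
           edirectory: Dict[str, str]) -> str:
    """The unlock sequence from the Resolution section, as three steps."""
    # 1. Verify the typed password against eDirectory (the current one).
    if edirectory.get(user) != typed_edir_password:
        return "edirectory-rejected"
    # 2. Recover the Windows account password from the cache sealed at logon.
    if unseal(sealed, typed_edir_password) is None:
        # 3. Decryption failed: fall back to prompting for Windows credentials.
        return "prompt-windows-credentials"
    return "unlocked"


def scenario() -> List[str]:
    """Walk through the article's timeline with constructed sample passwords."""
    user = "jdoe"
    edirectory = {user: "Winter2016!"}        # constructed eDirectory
    windows_local = {user: edirectory[user]}  # DLU created the local account with the same password
    cache = seal(edirectory[user], windows_local[user])  # sealed at logon
    events = [unlock(cache, user, edirectory[user], edirectory)]

    # IDM self-service changes only the eDirectory password; the workstation is not involved.
    edirectory[user] = "Spring2017!"
    events.append(unlock(cache, user, "Spring2017!", edirectory))
    # The fallback prompt accepts the old Windows password, which is the prior eDirectory password.
    events.append("windows-fallback-ok" if windows_local[user] == "Winter2016!"
                  else "windows-fallback-failed")

    # Reboot and log on again: DLU syncs the local password and the client re-seals the cache.
    windows_local[user] = edirectory[user]
    cache = seal(edirectory[user], windows_local[user])
    events.append(unlock(cache, user, edirectory[user], edirectory))
    return events


if __name__ == "__main__":
    steps = ("initial unlock", "unlock after IDM change", "Windows fallback", "unlock after re-logon")
    for step, result in zip(steps, scenario()):
        print(f"{step}: {result}")
```

The model makes the practical point explicit: nothing on the workstation is wrong, the cache is simply keyed to a password that no longer exists in eDirectory, and only a new logon (which both re-seals the cache and lets DLU update the local account) repairs it.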