Understand the process a managed Symantec Encryption (PGP) Desktop client follows when it uses Single Sign On and is synced with Active Directory, and the user's name needs to change.


Article ID: 181367


Symantec Products




You need to understand the behavior of a managed PGP Desktop client when a customer must change a user's logon in Microsoft Active Directory on a machine whose disk is encrypted with PGP Desktop and Single Sign On is in use.

An AD administrator needs to change a user's logon within Active Directory because of a name change. Your customer wants to know which steps are needed to accomplish this with as little user inconvenience as possible.

Once the AD admin completes the name change, the user will want to log in to their machine with the new credentials. Unfortunately, the user must log in with the old credentials to get past the Symantec Encryption preboot screen. Once they log in with the old credentials, they will not be able to log in to Windows, because the credentials passed along by preboot are no longer the credentials authorized in AD.

There are only two solutions at this time:

1.  Re-enroll the user with the new credentials.  This may cause issues if the user wants to keep using their current keys; if that is the case, use step 2 below.

2.  Use pgpwde.exe to add a new user to the disk with the new credentials.  This lets the user continue using their current desktop and encryption settings; however, if the user looks in the Encryption GUI, their keys will still carry the old name.
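The following PowerShell script is an added example of option 2 and is not part of this article or of Symantec's own tooling. It assumes pgpwde.exe is on the PATH, that disk 0 is the boot disk, and that the flag names it uses (--list-user, --add-user, --disk, -u, -p, --domain, --admin-passphrase) match the pgpwde command-line reference; confirm them against `pgpwde --help` before use.

```powershell
# Added example, not from the original article: performs option 2 (pgpwde.exe
# adds the renamed user's credentials to the encrypted disk) with a user-list
# check before and after. Assumptions: pgpwde.exe is on PATH; disk 0 is the
# boot disk; the flag names below are taken from memory of the pgpwde
# command-line reference and must be confirmed with `pgpwde --help`.
param(
    [Parameter(Mandatory)] [string] $NewUser,    # renamed AD logon, e.g. jdoe-new
    [Parameter(Mandatory)] [string] $Domain,     # NetBIOS domain, e.g. CORP
    [int] $Disk = 0
)

# Passphrases are read interactively so they never land in a script file or
# shell history. pgpwde still receives them as arguments, so run this at the
# console and not over a session whose command lines are logged.
$newPass   = Read-Host "Windows password for $Domain\$NewUser"
$adminPass = Read-Host "WDE administrator passphrase"

function Get-WdeUsers([int] $DiskIndex) {
    # Returns the user names pgpwde reports for the disk, one per element.
    (& pgpwde --list-user --disk $DiskIndex) |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

Write-Host "Users on disk $Disk before the change:"
Get-WdeUsers $Disk | ForEach-Object { Write-Host "  $_" }

# Add the new SSO user. --domain marks the entry as a domain (SSO) user so
# preboot passes the new credentials through to Windows.
& pgpwde --add-user --disk $Disk -u $NewUser -p $newPass `
    --domain $Domain --admin-passphrase $adminPass
if ($LASTEXITCODE -ne 0) {
    throw "pgpwde --add-user failed with exit code $LASTEXITCODE"
}

# Verify: the new name must now appear. The old user record is left in
# place, which is why the Encryption GUI still shows keys under the old name.
$after = Get-WdeUsers $Disk
if (-not ($after -match [regex]::Escape($NewUser))) {
    throw "New user $NewUser not found on disk $Disk after --add-user"
}
Write-Host "Users on disk $Disk after the change:"
$after | ForEach-Object { Write-Host "  $_" }
```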

As far as the Symantec Encryption Management (PGP Universal) Server is concerned, the new information is updated when the Domain Controller and the Encryption Server sync.

A feature request has been submitted to Product Management to determine whether the process of adding the new or corrected credentials to the disk can be automated, so that Single Sign On succeeds the first time a user logs in with their new credentials.