
Issue with POA account

Good afternoon all,

I have a question regarding Service account:

- I've created an account which is Security Officer and part of POA

- I've installed all software on a laptop, restarted it, connected with this account from the POA screen and the account is guest (which is fine)

- I restart the laptop, connect again with the same account but the account becomes owner of the laptop.

    As this account is a POA member and security officer, it should always stay guest, no?

Thanks,

Eric



This thread was automatically locked due to age.
  • FormerMember

    Hello Eric,

    If the user has been configured as a Service Account user then that user will always show as a service account when logging in to Windows.
    The fact it's come up as SGN guest user would mean it's probably not configured correctly.

    It's also worth noting that once a regular (non-service account) user has logged onto the machine for the first time, all service accounts are destroyed for that machine to make sure there are no backdoors into the system.

    When you log on through the POA, are you using your company domain in the POA dropdown? If you use the <POA> domain instead of your company one you often won't be added to the machine's list of users (UMA).

    If it helps, the user types available in SafeGuard Enterprise are listed below:

    • Owner: The first user to log on to an endpoint after the installation of SafeGuard Enterprise is not just entered as an SGN user, but also as the owner of that endpoint. Provided that the default settings have not been changed, an owner has the right to enable other users to log on to the endpoint and become SGN users.

    • SGN user: A "full" SGN user is allowed to log on at the SafeGuard Power-on Authentication, is added to the UMA (User Machine Assignment) and is provided with a user certificate and a key ring for accessing encrypted data.

    • SGN Windows user: A SGN Windows user is not added to the SafeGuard POA, but has a key ring for accessing encrypted files, just as a SGN user. He is also added to the UMA, which means that he is allowed to log on to Windows on that endpoint.

    • SGN guest user: A SGN guest user is not added to the UMA, is not provided with rights to log on to the SafeGuard POA, is not assigned a certificate or a key ring and is not saved to the database.

    • Service account: With service accounts, users (for example rollout operators, members of the IT team) can log on to endpoints after the installation of SafeGuard Enterprise without activating the SafeGuard POA and without being added as SGN users (owners) to the endpoints. Users included on a service account list are treated as SGN guest users after their Windows logon at the endpoint.

    • POA user: After activation of the POA it might still be necessary to perform administrative tasks. POA users are predefined local accounts that are allowed to pass the POA. There is no automatic logon to Windows. The users logging on with POA user accounts log on to Windows with their existing Windows accounts. The accounts are defined in the Users and Computers area of the SafeGuard Management Center (user ID and password) and assigned to the endpoint in POA groups. For further information, see POA users for SafeGuard POA logon.
  • Hi Tobby,

    Thanks for coming back to me and also for the details about user types, that’s clearer now.

    Sorry to come back late, I’ve done some testing.

    When I log on through the POA I use our company domain.

    So it seems that there is a configuration issue. Here is the situation:

    - I have 1 user (adm1) which is in the Service account list. That user is a service account in our Active Directory

    - And 1 user in the POA group (adm2) which is also a service account in our Active Directory

    Whichever account I use (adm1 or adm2), when I connect for the first time on the laptop after software installation, it becomes owner of the laptop.

    If I understood well, adm1 shouldn’t activate POA and become owner of the laptop, and adm2 should allow me to connect on the POA screen and then use another account to connect to Windows, right?

    What could I check?

    Best Regards,

    Eric