User synchronization

The option "Synchronize Active Directory users to pre-boot authentication" is not enabled by default because AD users are automatically entered into the PBA database when they log on to the PBA.

Use this option only if you want to preconfigure the PBA by manually adding users from AD to the PBA user database before they log on.

In this case, add the appropriate AD groups and users that you want to synchronize to the PBA database.

Please note that the members of the "Domain Users" group will not be synchronized. This group employs a mechanism based on the user's "primary group ID" to determine membership, and does not typically store members as multi-value linked attributes.
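The primary-group behaviour described above, shown on a constructed directory. This is an added example, not DriveLock code, and it makes no claim about how DriveLock enumerates groups or nested groups; all DNs, SIDs and function names are assumptions.

```python
# Constructed sample directory. Attribute names (member, primaryGroupID,
# objectSid) are real AD attributes; every DN and SID below is made up.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
DU = "CN=Domain Users,CN=Users,DC=example,DC=test"
LAPTOPS = "CN=PBA-Laptops,OU=Groups,DC=example,DC=test"
ADMINS = "CN=PBA-Admins,OU=Groups,DC=example,DC=test"
ALICE, BOB, CAROL, DAVE = (f"CN={n},OU=Staff,DC=example,DC=test"
                           for n in ("alice", "bob", "carol", "dave"))

GROUPS = {
    DU:      {"objectSid": f"{DOM}-513",  "member": []},  # 513 = Domain Users RID
    LAPTOPS: {"objectSid": f"{DOM}-1601", "member": [ALICE, ADMINS]},
    ADMINS:  {"objectSid": f"{DOM}-1602", "member": [CAROL]},
}
USERS = {
    ALICE: {"primaryGroupID": 513},
    BOB:   {"primaryGroupID": 513},
    CAROL: {"primaryGroupID": 513},
    DAVE:  {"primaryGroupID": 1601},  # primary group changed to PBA-Laptops
}

def group_rid(group_dn):
    """The RID is the last sub-authority of the group's SID."""
    return int(GROUPS[group_dn]["objectSid"].rsplit("-", 1)[1])

def members_via_attribute(group_dn, seen=None):
    """Users reachable through 'member' links, following nested groups."""
    seen = set() if seen is None else seen
    if group_dn in seen:          # guard against circular nesting
        return set()
    seen.add(group_dn)
    found = set()
    for dn in GROUPS[group_dn]["member"]:
        found |= members_via_attribute(dn, seen) if dn in GROUPS else {dn}
    return found

def members_via_primary_group(group_dn):
    """Users whose primaryGroupID equals the group's RID (no 'member' link)."""
    return {dn for dn, u in USERS.items() if u["primaryGroupID"] == group_rid(group_dn)}

def missed_by_member_lookup(group_dn):
    return members_via_primary_group(group_dn) - members_via_attribute(group_dn)

def primary_group_filter(group_dn):
    """LDAP filter that finds the primary-group members in a live directory."""
    return f"(&(objectCategory=person)(objectClass=user)(primaryGroupID={group_rid(group_dn)}))"

if __name__ == "__main__":
    for g in (DU, LAPTOPS):
        print(g, sorted(members_via_attribute(g)), sorted(missed_by_member_lookup(g)))
    print(primary_group_filter(DU))
```

The same effect applies to any group that has been set as a user's primary group, which is why "dave" is missing from the member-based result for the constructed PBA-Laptops group.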

As an initial password, you can assign a fixed password (identical for all users), the user name, or any available AD property value.

Notes on Disk Protection:

DriveLock distinguishes four types of pre-boot users in Disk Protection:

| Added via | Description |
|---|---|
| DlFdeUser | User was created locally with DlFdeUser.exe. |
| Policy | User was created via policy and will be synchronized/removed with policy changes. |
| Windows login | User was created by Windows login; the password is synchronized on each successful Windows login. |
| Active Directory | User was synchronized from AD groups and will be deleted if removed from the AD group or from user synchronization. The password is synchronized locally on each successful Windows login. |

  • The DlFdeUser.exe command can also delete other user types. These will be added back the next time you log in to Windows or load the policy.

  • The first time Windows users log on to a client computer that is protected with DriveLock Disk Protection and Pre-Boot Authentication (PBA), their Windows credentials are not yet synchronized in the PBA database. They need to log on to the PBA as a preconfigured user added via DlFde or the policy; alternatively, another authorized user can log on to the PBA to display the Windows logon dialog.

  • Users added via AD are synchronized each time the policy is uploaded. When you add or remove users from the configured AD groups, they will also be added or removed from the PBA database during the next synchronization on all affected computers.