Lenovo ThinkPad T400 (English) Hardware Password Manager Deployment Guide - Page 18

Enrolled users:

All users that are enrolled to access the Hardware Password Manager device are listed on this tab. The

intranet account user name is the name used for LDAP user account login. The hardware account user name

is the name used to save data to the hardware account (a secure area of non-volatile memory that can only

be accessed by the computer’s BIOS). The LDAP path shows the user’s location in the LDAP server tree (for

example, CN=ADMINISTRATOR,CN=USERS,DC=TESTLAB).

Member of:

This tab lists the intranet account groups that the device is a member of. The LDAP path shows the group’s

location in the LDAP server tree.

Remote actions:

The

Remote actions

section lists all previous remote actions that have been applied to this Hardware

Password Manager device. The

Remove user remote actions

section lists users that were enrolled on

the device but whose access has been removed.

Client policy:

The Windows policy list shows the status of operating system related policy settings currently applied on

the device. The BIOS policy list shows the status of BIOS-related policy settings currently applied on the

device. These settings are selected in the Update

Client Policy

dialog; see “Updating hardware passwords

globally” on page 15 for more information.

Managing enrolled users on Hardware Password Manager devices

When a Lenovo Hardware Password Manager device is registered with the Hardware Password Manager

server, the main user of that device is enrolled as an authorized user of that Hardware Password Manager

device. You can enroll additional users on each Hardware Password Manager device, by using the Client

Portal on the device or by including the user in a Hardware Password Manager group that has rights to

that device.

To manage users for Hardware Password Manager devices, use the

HPM Enrolled Users

option in the

ThinkManagement Console toolbox (or click

Tools

➙

ThinkVantage Hardware Password Manager

➙

HPM Enrolled Users

).

Using the HPM Enrolled Users tool, you can

•

Configure the LDAP server connection

•

View a list of Hardware Password Manager users

•

View the properties of a Hardware Password Manager user

•

Revoke a user’s access to a Hardware Password Manager device

Configuring an LDAP server connection

In the Manage Enrolled Users view, users and groups are listed in a tree structure that displays the users

and groups on the LDAP server you use for Hardware Password Manager authentication. To view that tree

structure, you must first configure the LDAP server connection.

The information you enter in this dialog enables the Hardware Password Manager server to connect to the

LDAP server, which can be either a Microsoft Active Directory server or a Novell eDirectory server.

10

Hardware Password Manager Deployment Guide

Section	Page
Preface	7
Chapter 1. Overview	9
Chapter 2. Installing Hardware Password Manager on ThinkManagement Console	11
Prerequisites	11
Preparing the core server	12
ThinkManagement Console with HPM server setup	13
Migrating to a new LDAP server	14
Installing Hardware Password Manager on a Lenovo device	14
Chapter 3. Managing Hardware Password Manager devices with ThinkManagement Console	17
Viewing Hardware Password Manager devices and their properties	17
Managing enrolled users on Hardware Password Manager devices	18
Configuring an LDAP server connection	18
Viewing Hardware Password Manager users and their properties	19
Removing a user’s access to a Hardware Password Manager device	20
Managing Hardware Password Manager groups	20
Managing remote actions and policy settings for Hardware Password Manager devices	21
Updating client policies globally	22
Updating hardware passwords globally	23
Updating the emergency account	24
Changing server policy settings	25
Defining scopes and roles for console users	26
Chapter 4. Hardware Password Manager Client	29
Hardware Password Manager device setup	29
Registering a device with the Hardware Password Manager server and enrolling the first user	29
Enrolling additional users on a Hardware Password Manager device	30
Removing a user from a Hardware Password Manager device	31
Unregistering a device from the Hardware Password Manager server	31
Updating credentials on a Hardware Password Manager device	32
Chapter 5. Deployment	33
Fingerprint integration	33
Safe Guard Easy/Safe Guard Enterprise compatibility	34
One-touch registration	34
Pre-registration	35
User enrollment on a pre-registered system	35
Chapter 6. Scenarios	37
Service scenarios (configuration changes)	37
Scenario 1 - Hardware configuration changes	37
Scenario 2 - CMOS error	37
Scenario 3 - Replace the fingerprint device	38
Scenario 4 - Hardware passwords already set	38
Scenario 5 - Setup under the operating system (remote BIOS settings)	38
Scenario 6 - Replace the system board	39
Scenario 7 - Add a hard disk drive	39
Scenario 8 - Replace or move a hard disk drive	39
Scenario 9 - Change the hard disk location within a system	40
Scenario 10 - Remove a hard disk drive	40
Scenario 11 - Flashing the BIOS	40
Scenario 12 - Registered system can no longer access the Hardware Password Manager server	41
Scenario 13 - Enter the BIOS setup	41
Scenario 14 - Load default settings in the BIOS setup	41
Scenario 15 - Do not protect all hard drives	41
User Scenarios	42
Scenario 1 - Forgot Hardware Account credentials, network connected	42
Scenario 2 - Forgot Hardware Account credentials, NOT network connected	42
Scenario 3 - Forgot the corporate password	42
Scenario 4 - Manual login using different keyboard types	42
Scenario 5 - Handling enrollment from multiple boot partitions	43
Scenario 6 - BitLocker	43
Appendix A. Security and convenience	45
Appendix B. Disaster recovery	47
Appendix C. Hints and tips	51
Appendix D. Notices	57

Lenovo ThinkPad T400 (English) Hardware Password Manager Deployment Guide - Page 18

Managing enrolled users on Hardware Password Manager devices, Configuring an LDAP server connection - additional memory

Page 18 highlights