探花大神

Take Over an Existing User Account with 探花大神

To bind a user to a device, the 探花大神 agent either provisions a new local user account to the device or takes over an existing local user account. Taking over an existing account allows 探花大神 to manage that account, rather than create another account on the device. 

If you want to provision a new local user account instead, see Connect New Users to Resources.

Prerequisites:

  • To take over an existing user account on a device, the 探花大神 agent needs to be installed and the device needs to be active. See Get Started: Devices for more information. 
  • The user must be connected to the device in the Admin Portal. For more information, see Connect New Users to Resources.
  • You need the local usernames of the accounts you want 探花大神 to take over so you can ensure the 探花大神 Username or Local User Account field in the User Details tab matches the local username on the device. If the Username or Local User Account fields don't match the name of the local account, you end up creating an additional profile on the device with the Local User Account as the username. If you need help finding the names of local accounts, see Find Names of Local Accounts on Devices.
    • Additionally, the Local User Account field must be unique in the directory for successful account takeover. For example, if there are two "John" users on two separate devices, one of those users must be renamed.

Tip:

We recommend that users decrypt any EFS files before performing user account takeover.

Considerations:

  • The 探花大神 username is what your end users use to log in to devices and other resources you connect to 探花大神. Your end users won’t see the Local User Account name. When an end user logs in to their device, they see their 探花大神 Display Name (first and last name).
  • Learn about 探花大神 username requirements and considerations in Naming Conventions for Users.
  • 探花大神 usernames must be unique across your organization and can’t match existing Local User Accounts.
  • The 探花大神 username and Local User Account fields can only be edited before you bind a user to a device. Once bound, you have to unbind the user to edit the 探花大神 username again. See Unbind Users from a Resource.
  • Local user accounts aren’t case sensitive.
  • To complete the takeover process, users need to be bound to the device.
  • Because this process writes the user’s password through the Mac Keychain and the Windows Data Protection APIs, users will be logged out of all resources after account takeover. This is expected behavior. Some examples of these resources include 1Password, Dropbox, Google Drive, Slack, Microsoft Office, Google Workspace, Microsoft Teams, and the Chrome, Firefox, and Edge browsers.

Important:
  • For Windows devices, local user and 探花大神 passwords should be exactly the same prior to binding a user to a device. Differences in passwords will cause a loss in any saved passwords stored in the Windows Credential Manager.
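The prerequisites and considerations above reduce to two checks an admin can run before binding: the name 探花大神 will match on the device (Local User Account if set, otherwise the Username) must exist as a local account, compared case-insensitively, and Local User Account values must be unique across the directory. The following pre-flight script is an added example, not 探花大神's own tooling; the `DirectoryUser` record layout and the sample directory and device data are constructed assumptions, and the per-device local account lists stand in for what `dscl . -list /Users` (macOS) or `Get-LocalUser` (Windows) would return.

```python
"""Pre-flight check for account takeover (added example, assumed record layout).

Flags the two conditions the docs warn about:
  * a bound user whose effective local name is not a local account on the
    device (binding would create a new profile instead of a takeover);
  * a Local User Account value used by more than one directory user.
Local account names are compared case-insensitively, as the device does.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class DirectoryUser:
    username: str                           # 探花大神 Username (login name for resources)
    local_user_account: Optional[str] = None  # optional override matched against the local account
    device: Optional[str] = None            # device the user is bound to (assumed field)

    def effective_local_name(self) -> str:
        """Name the agent matches on the device: Local User Account if set, else Username."""
        return self.local_user_account or self.username


def find_duplicate_local_accounts(users: List[DirectoryUser]) -> Dict[str, List[str]]:
    """Return {lowercased local account: [usernames]} for every value used more than once."""
    seen: Dict[str, List[str]] = {}
    for u in users:
        if not u.local_user_account:
            continue
        seen.setdefault(u.local_user_account.lower(), []).append(u.username)
    return {name: owners for name, owners in seen.items() if len(owners) > 1}


def check_takeover(users: List[DirectoryUser],
                   local_accounts_by_device: Dict[str, List[str]]) -> Tuple[bool, List[str]]:
    """Return (ok, issues). local_accounts_by_device maps device name -> local account names."""
    issues: List[str] = []
    for dup, owners in find_duplicate_local_accounts(users).items():
        issues.append(f"duplicate Local User Account '{dup}' on users {owners}")
    for u in users:
        if u.device is None:
            continue  # not bound yet; nothing to take over
        local = {n.lower() for n in local_accounts_by_device.get(u.device, [])}
        name = u.effective_local_name()
        if name.lower() not in local:
            issues.append(f"{u.username}: '{name}' is not a local account on {u.device}; "
                          "binding would create a new profile instead of taking over")
    return (not issues, issues)


# Constructed sample data: five directory users and the local accounts on their devices.
SAMPLE_USERS = [
    DirectoryUser("alice@example.com", None, "mac-01"),   # Username matches local account
    DirectoryUser("bob.smith", "bob", "mac-02"),           # Local User Account differs only in case
    DirectoryUser("carol.jones", "John", "win-03"),        # duplicate Local User Account ...
    DirectoryUser("john.doe", "john", "win-04"),           # ... with this user (case-insensitive)
    DirectoryUser("dave", None, "win-05"),                 # no matching local account
]
SAMPLE_LOCAL = {
    "mac-01": ["alice@example.com", "admin"],
    "mac-02": ["Bob"],
    "win-03": ["John"],
    "win-04": ["john"],
    "win-05": ["dsmith"],
}

if __name__ == "__main__":
    ok, problems = check_takeover(SAMPLE_USERS, SAMPLE_LOCAL)
    print("ready to bind" if ok else "fix before binding:")
    for p in problems:
        print(" -", p)
```

Run against the sample data, the check reports the shared "john" Local User Account and the unmatched "dave" user, while "bob" vs. "Bob" passes because local account names are not case sensitive.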

Take Over an Existing Account with the 探花大神 Username Field

If your user’s local account on the device matches their 探花大神 username exactly, for example, if it is the user’s company email, then you can take over the existing account and the user will keep their username and use their 探花大神 password to log in.

To take over an existing user account with the 探花大神 Username field:

  1. Log in to the .
  2. Go to USER MANAGEMENT > Users.
  3. Select an existing user or create a new user. See Get Started: Users for more information.
  4. On the Details tab in Users, enter a name for Username. Make sure it matches the name of the local account you want to take over. See Prerequisites.
  5. (Optional) To bind the user to a device, go to the Devices tab, then select the device you want the user account to take over.
  6. Click save user.

Take Over an Existing Account with the Local User Account Field

If your org’s local account naming convention isn’t ideal for an employee’s username, you can use the Local User Account field to take over their account. Then you can use the 探花大神 Username field to give the employee a friendly username they can use to log in to all of their other 探花大神-protected resources such as LDAP and RADIUS.

To use Local User Account to take over an account:

  1. Log in to the .
  2. Go to USER MANAGEMENT > Users.
  3. Select an existing user or create a new user. See Get Started: Users.
  4. On the User panel’s Details tab, click + Local User Account.
  5. After you read how you can use Local User Account to take over a device, click okay, got it.
  6. Enter a name for Local User Account. Make sure it matches the name of the local account you want to take over. See Prerequisites.
  7. (Optional) To bind the user to a device, go to the User panel’s Devices tab, then select the device you want the user account to take over.
  8. Click save user.

If taking over an existing user account fails, double-check that you’ve met the prerequisites. If you still have issues, see Agent Doesn’t Start or Synchronize Changes for additional troubleshooting steps.

MacOS Account Takeover Considerations

For account takeover to update the "local items," Keychain, and FileVault correctly on macOS devices, users need to log out, then log back in to their device after their 探花大神 identity has been bound to their endpoint.

Because this process writes the user’s password through the Mac Keychain and the Windows Data Protection APIs, users will be logged out of all resources after account takeover. This is expected behavior. Some examples of these resources include 1Password, Dropbox, Google Drive, Slack, Microsoft Office, Google Workspace, Microsoft Teams, and the Chrome, Firefox, and Edge browsers.

For the Keychain and FileVault to be updated correctly when an account is taken over by 探花大神, users must log out and log back in to their device after they are connected to the device in 探花大神. When users log back in to their device, they will be asked for their previous password and their current password.

After the user enters their previous and current passwords, they will be logged in to their device. A successful account takeover is indicated by the appearance of the 探花大神 Menu Bar app in the top right of the Mac screen.

Best Practices for Devices with a Single Local User Account

We no longer recommend binding a secondary account to a macOS device as a best practice. Previously, 探花大神 recommended binding a secondary account to macOS devices as a preventative measure against complete lockouts in the event that a single, local 探花大神-managed user was deleted from the device. However, 探花大神 has made improvements to user deletion and suspension on macOS, such that the last remaining Secure Token user on the device cannot be deleted or suspended.

In cases where a device has its only local account taken over by 探花大神, and admins subsequently need to remove the user's access to the device, our recommendation is to use the lock device security command. This method requires that the device be enrolled in 探花大神 MDM. The admin must record the PIN used to lock the device in order to access the device later. See Lock a macOS device.
