Re: Remote User Needs to Change PWD without connecting to domain

From: Craig S (none@none.com)
Date: 05/09/02


I spent forever setting up our VPN, and I'm pretty sure it's good to go now
with a couple exceptions. It's locked down pretty well but there are a few
quirky problems I'm addressing with browsing/name resolution.

Anyway, I'm just really curious what happens when her password expires and
she still can't contact the domain. I'm hoping you're right and it's not
enforced. I don't see how it can be enforced if she has no connectivity to
the network, it would be insane to enforce it if you ask me. I found the
article about cached information, and you're exactly right. The article is
here:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q172931

I didn't get the VPN setup in time, so her password should have expired by
now :( I'll let everyone know what the outcome was!

"Bruce Sanderson" <Bruce.Sanderson@junk.junk> wrote in message
news:em40myv9BHA.1368@tkmsftngp04...
> I think you are misinterpreting the "10 logon" settings. See the quote
> below from the gpedit Help for "Number of previous logons to cache..."
> (Computer Configuration, Windows Settings, Security Settings, Local
> Policy, Security Options).
>
> "Logon information for domain accounts can be cached locally so that, in
> the event a domain controller cannot be contacted on subsequent logons, a
> user can still log on. This setting determines the number of unique users
> for which logon information is cached locally."
>
> The number (which defaults to 10) is the number of user account
> credentials that are cached, not the number of times that a single user
> can logon with cached credentials. You can test this yourself by setting
> this number to a low value (e.g. 1), then logging on without a network
> connection a few times.
>
> Has the password actually "expired" and does the user actually have a
> problem? The reason for asking is that I seem to recall that the password
> expiration policy is not "enforced" when cached credentials are used to
> logon locally. The next time the computer can communicate with the Domain,
> the user will be prompted to change their password.
>
> A possible solution to your dilemma is to allow the user to connect via
> dial up (RAS). This may be useful until you can get the VPN solution
> working. If the user's password has expired, you, as an AD administrator,
> can set their password to a new value. Then, when the user logs on using
> Dial Up Networking, they can specify the new password and the cached
> credentials on the laptop will be updated.
>
>
> --
>
> Bruce Sanderson MVP
> bruce.sanderson@gems6.gov.bc.ca
>
> It is perfectly useless to know the right answer to the wrong question.
>
> "Dan DeStefano, MCSA, MCP, A+, Net+" <ddestefano@winmarcompanies.com>
> wrote in message news:ehvR#Nt9BHA.2512@tkmsftngp05...
> > You can try to enable the option "password never expires" for her user
> > account (note: this should only be temporary as this presents a security
> > risk, especially for a remote user). However, this may not work if the
> > password has already expired, but you can give it a try. I have one
> > question: if she cannot connect to the domain, then how has she been
> > logging on to her machine? Cached credentials? If so, her password
> > changing is not going to be her only problem because, by default, cached
> > credentials will only last for 10 logons.
> >
> > Dan DeStefano
> >
> > "Craig S" <none@none.com> wrote in message
> > news:YkfC8.310$xq4.5764@twister.rdc-kc.rr.com...
> > > I have one single user that used to be on the local domain with the
> > > standard password expiration policy (changed every 45 days) but then
> > > moved 2,000 miles away and took the laptop with her. I don't have any
> > > VPN/RAS setup yet (and won't for a few weeks). Now her password is
> > > expiring, and she has been unable to change it because it reports
> > > "Unable to change password because domain <domainname> is unavailable".
> > >
> > > Is there any way to change her password from her PC without connecting
> > > to my domain? I really don't have any way setup for her to get in to
> > > the domain, but she needs to keep working using her existing
> > > account/profile.
> > >
> > > Help!?
> > >
> > >
> >
> >
>
>
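A small model of the cache semantics Bruce describes above, added here as an example (it is not code from the thread, and it is a simplified model, not Windows' real cache): the setting is a cache of unique users, repeated offline logons by a cached user do not use up slots, an offline logon is not checked against the expiry policy, and an online logon with an expired password triggers the change prompt. The class, method and account names are my own, and the 45-day age comes from Craig's original post.

```python
from collections import OrderedDict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class DomainAccount:
    """Constructed stand-in for an AD account under the thread's 45-day policy."""
    name: str
    password: str
    last_change: date
    max_age_days: int = 45

    def expired(self, today: date) -> bool:
        return today - self.last_change > timedelta(days=self.max_age_days)


class Workstation:
    """Models 'Number of previous logons to cache' as a cache of unique users."""

    def __init__(self, cached_logons_count: int = 10):
        self.limit = cached_logons_count  # 0 disables caching entirely
        self.cache = OrderedDict()        # user name -> cached password

    def logon(self, acct: DomainAccount, password: str,
              today: date, dc_reachable: bool) -> str:
        if dc_reachable:
            if password != acct.password:
                return "denied"
            # A successful domain logon (re)writes this user's cache entry;
            # only when the number of *distinct* users exceeds the limit is
            # the least recently cached other user evicted.
            self.cache.pop(acct.name, None)
            if self.limit > 0:
                self.cache[acct.name] = password
                while len(self.cache) > self.limit:
                    self.cache.popitem(last=False)
            return "must-change-password" if acct.expired(today) else "ok"
        # Offline: only the cached entry is consulted and, as Bruce recalls,
        # the expiry policy is not applied, so the user keeps working.
        if self.cache.get(acct.name) == password:
            return "ok-cached"
        return "denied"
```

With the limit set to 1, as Bruce suggests for testing, one user can log on offline any number of times; the entry is lost only when a second user logs on against the domain.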


