Re: Remote User Needs to Change PWD without connecting to domain

From: Hemsell (todd_hemsell@administaff.com)
Date: 05/09/02


From: "Hemsell" <todd_hemsell@administaff.com>
Date: Thu, 9 May 2002 09:45:59 -0500


On our Windows NT machines users receive the no domain controller
notification.
With Windows 2000 users DO NOT receive any notification.

Any idea where the setting is that notifies users they have not
authenticated?

"Craig S" <none@none.com> wrote in message
news:BevC8.3064$xq4.116094@twister.rdc-kc.rr.com...
> Here it is:
>
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;q172931
>
>
> "Hemsell" <todd_hemsell@administaff.com> wrote in message
> news:OHULZX19BHA.2644@tkmsftngp03...
> > We add the user as a local admin.
> > Before we did that we were having issues with users being unable to logon to
> > shared laptops.
> > Initially we set up the shared laptop and logged all the people that would be
> > sharing it one time.
> > When they would take the laptop in the field they were unable to logon
> > (sometimes months later).....
> > We added them as local admin and now all are able to share it.
> > Is there an exception to the 10 users if they are local admins?
> >
> > Where can I find this registry setting? I have searched all over the
> > knowledge base (I am not good with it) and Google (I am pretty good with it)
> >
> > I enjoy reading your posts Bruce, they are always extremely lucid.
> >
> >
> > Todd
> >
> > "Bruce Sanderson" <Bruce.Sanderson@junk.junk> wrote in message
> > news:em40myv9BHA.1368@tkmsftngp04...
> > > I think you are misinterpreting the "10 logon" settings. See the quote below from the
> > > gpedit Help for "Number of previous logons to cache..." (Computer Configuration, Windows
> > > Settings, Security Settings, Local Policy, Security Options).
> > >
> > > "Logon information for domain accounts can be cached locally so that, in the event a
> > > domain controller cannot be contacted on subsequent logons, a user can still log on. This
> > > setting determines the number of unique users for which logon information is cached
> > > locally."
> > >
> > > The number (which defaults to 10) is the number of user account credentials that are
> > > cached, not the number of times that a single user can logon with cached credentials. You
> > > can test this yourself by setting this number to a low value (e.g. 1), then logging on
> > > without a network connection a few times.
> > >
> > > Has the password actually "expired" and does the user actually have a problem? The reason
> > > for asking is that I seem to recall that the password expiration policy is not "enforced"
> > > when cached credentials are used to logon locally. The next time the computer can
> > > communicate with the Domain, the user will be prompted to change their password.
> > >
> > > A possible solution to your dilemma is to allow the user to connect via dial up (RAS).
> > > This may be useful until you can get the VPN solution working. If the user's password has
> > > expired, you, as an AD administrator, can set their password to a new value. Then, when
> > > the user logs on using Dial Up Networking, they can specify the new password and the
> > > cached credentials on the laptop will be updated.
> > >
> > >
> > > --
> > >
> > > Bruce Sanderson MVP
> > > bruce.sanderson@gems6.gov.bc.ca
> > >
> > > It is perfectly useless to know the right answer to the wrong question.
> > >
> > > "Dan DeStefano, MCSA, MCP, A+, Net+" <ddestefano@winmarcompanies.com> wrote in message
> > > news:ehvR#Nt9BHA.2512@tkmsftngp05...
> > > > you can try to enable the option "password never expires" for her user
> > > > account (note: this should only be temporary as this presents a security
> > > > risk, especially for a remote user). however, this may not work if the
> > > > password has already expired but you can give it a try. i have one question:
> > > > if she cannot connect to the domain then how has she been logging on to her
> > > > machine? cached credentials? if so, her password changing is not going to be
> > > > her only problem because, by default, cached credentials will only last for
> > > > 10 logons.
> > > >
> > > > Dan DeStefano
> > > >
> > > > "Craig S" <none@none.com> wrote in message
> > > > news:YkfC8.310$xq4.5764@twister.rdc-kc.rr.com...
> > > > > I have one single user that used to be on the local domain with the standard
> > > > > password expiration policy (changed every 45 days) but then moved 2,000
> > > > > miles away and took the laptop with her. I don't have any VPN/RAS set up yet
> > > > > (and won't for a few weeks). Now her password is expiring, and she has been
> > > > > unable to change it because it reports "Unable to change password because
> > > > > domain <domainname> is unavailable"
> > > > >
> > > > > Is there any way to change her password from her PC without connecting to my
> > > > > domain? I really don't have any way set up for her to get in to the domain,
> > > > > but she needs to keep working using her existing account/profile.
> > > > >
> > > > > Help!?
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
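
Added example, not part of the original thread: a PowerShell audit of the "Number of previous logons to cache" setting that Bruce Sanderson's quoted reply describes, applied to the shared-laptop case where more distinct users log on than the cache holds. The function name is hypothetical, and the `CachedLogonsCount` value and `ProfileList` key are assumptions that the thread itself does not name.

```powershell
# Added example: audit how many distinct users' logon information this
# machine caches, and whether a shared machine has more users than that.
function Get-CachedLogonAudit {
    [CmdletBinding()]
    param(
        # Assumption: registry location backing the "Number of previous
        # logons to cache" security option (not named in the thread).
        [string]$WinlogonKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        [string]$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    )

    # The value is stored as a string; when it is absent the default of 10 applies.
    $raw = (Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount `
            -ErrorAction SilentlyContinue).CachedLogonsCount
    $count  = 10
    $source = 'default (value not set)'
    if ($null -ne $raw) {
        $parsed = 0
        if ([int]::TryParse([string]$raw, [ref]$parsed)) {
            # Documented range is 0 to 50; 0 turns caching off.
            $count  = [Math]::Min([Math]::Max($parsed, 0), 50)
            $source = 'registry'
        } else {
            $source = "unparseable value '$raw', assuming default"
        }
    }

    # Profiles with an S-1-5-21- SID: an upper bound on the users who have
    # logged on here (local accounts are included, so this over-counts).
    $profiles = @(Get-ChildItem -Path $ProfileListKey -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' })

    [pscustomobject]@{
        CachedLogonsCount = $count      # number of unique users cached, not logons per user
        Source            = $source
        CachingDisabled   = ($count -eq 0)
        ProfilesOnMachine = $profiles.Count
        # More users than cache slots: some of them may fail an offline logon.
        MayEvictUsers     = ($count -gt 0 -and $profiles.Count -gt $count)
    }
}

Get-CachedLogonAudit | Format-List
```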


