Re: Remote User Needs to Change PWD without connecting to domain

From: Bruce Sanderson (Bruce.Sanderson@junk.junk)
Date: 05/09/02


From: "Bruce Sanderson" <Bruce.Sanderson@junk.junk>
Date: Thu, 9 May 2002 09:46:29 -0700


You don't need to edit the registry directly to change the number of cached logons. See
my earlier post in this thread.

See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q242536 for turning on the
notification of logon with cached credentials.

Tod Hemsell:

The maximum number (defaults to 10) for cached logons is for Domain accounts only. For
local accounts, the password can always be verified and group membership determined, so
there is no concept of "cached credentials" for those accounts.

Unless the number is changed from the default, only the last 10 accounts to logon while
network connected would be "cached". This number can be increased to a maximum of 50
(Computer Configuration, Windows Settings, Security Settings, Local Policy, Security
Options). Note that the Help says you can supply a larger number, but only 50 accounts
would actually be cached.

I suspect that a better alternative (than having everyone logon to the laptop
"initially"), would be for a person to logon with the laptop network connected immediately
before that person takes the laptop out of the office. That way, their current
credentials (password and group membership) would be refreshed on the laptop. Presumably,
you have a password policy set to force passwords to expire; the password cached on the
laptop would only be refreshed when the user actually logged on while the laptop is
network connected. Perhaps the users had trouble logging on because they could not
remember their "old" password.

--
Bruce Sanderson MVP
bruce.sanderson@gems6.gov.bc.ca
It is perfectly useless to know the right answer to the wrong question.
"Hemsell" <todd_hemsell@administaff.com> wrote in message
news:uG288g29BHA.2544@tkmsftngp07...
> On our Windows NT machines users receive the no domain controller
> notification.
> With Windows 2000 users DO NOT receive any notification.
>
> Any idea where the setting is that notifies users they have not
> authenticated?
>
>
>
> "Craig S" <none@none.com> wrote in message
> news:BevC8.3064$xq4.116094@twister.rdc-kc.rr.com...
> > Here it is:
> >
> > http://support.microsoft.com/default.aspx?scid=kb;EN-US;q172931
> >
> >
> > "Hemsell" <todd_hemsell@administaff.com> wrote in message
> > news:OHULZX19BHA.2644@tkmsftngp03...
> > > We add the user as a local admin.
> > > Before we did that we were having issues with users being unable to
> logon
> > to
> > > shared laptops.
> > > Initially we setup the shared laptop and logged all the people that
> would
> > be
> > > sharing it one time.
> > > When they would take the laptop in the field they were unable to logon
> > > (sometimes months later).....
> > > We added them as local admin and now all are able to share it.
> > > Is there an exception to the 10 users if they are local admins?
> > >
> > > Where can I find this registry setting, I have searched all over the
> > > knowledge base (I am not good with it) and Google (I am pretty good with
> > it)
> > >
> > > I enjoy reading your posts Bruce, they are always extremely lucid.
> > >
> > >
> > > Todd
> > >
> > > "Bruce Sanderson" <Bruce.Sanderson@junk.junk> wrote in message
> > > news:em40myv9BHA.1368@tkmsftngp04...
> > > > I think you are misinterpreting the "10 logon" settings.  See the
> quote
> > > below from the
> > > > gpedit Help for "Number of previous logons to cache..." (Computer
> > > Configuration, Windows
> > > > Settings, Security Settings, Local Policy, Security Options).
> > > >
> > > > "Logon information for domain accounts can be cached locally so that,
> in
> > > the event a
> > > > domain controller cannot be contacted on subsequent logons, a user can
> > > still log on. This
> > > > setting determines the number of unique users for which logon
> > information
> > > is cached
> > > > locally."
> > > >
> > > > The number (which defaults to 10) is the number of user account
> > > credentials that are
> > > > cached, not the number of times that a single user can logon with
> cached
> > > credentials.  You
> > > > can test this yourself by setting this number to a low value (e.g. 1),
> > > then logging on
> > > > without a network connection a few times.
> > > >
> > > > Has the password actually "expired" and does the user actually have a
> > > problem?  The reason
> > > > for asking is that I seem to recall that the password expiration
> policy
> > is
> > > not "enforced"
> > > > when cached credentials are used to logon locally.  The next time the
> > > computer can
> > > > communicate with the Domain, the user will be prompted to change their
> > > password.
> > > >
> > > > A possible solution to your dilemma is to allow the user to connect via
> > > dial up (RAS).
> > > > This may be useful until you can get the VPN solution working.  If the
> > > user's password has
> > > > expired, you, as an AD administrator, can set their password to a new
> > > value.  Then, when
> > > > the user logs on using Dial Up Networking, they can specify the new
> > > password and the
> > > > cached credentials on the laptop will be updated.
> > > >
> > > >
> > > > --
> > > >
> > > > Bruce Sanderson MVP
> > > > bruce.sanderson@gems6.gov.bc.ca
> > > >
> > > > It is perfectly useless to know the right answer to the wrong
> question.
> > > >
> > > > "Dan DeStefano, MCSA, MCP, A+, Net+" <ddestefano@winmarcompanies.com>
> > > wrote in message
> > > > news:ehvR#Nt9BHA.2512@tkmsftngp05...
> > > > > You can try to enable the option "password never expires" for her
> user
> > > > > account (note: this should only be temporary as this presents a
> > security
> > > > > risk, especially for a remote user). However, this may not work if
> the
> > > > > password has already expired but you can give it a try. I have one
> > > question:
> > > > > If she cannot connect to the domain then how has she been logging on
> > to
> > > her
> > > > > machine? Cached credentials? If so, her password changing is not
> going
> > > to be
> > > > > her only problem because, by default, cached credentials will only
> > last
> > > for
> > > > > 10 logons.
> > > > >
> > > > > Dan DeStefano
> > > > >
> > > > > "Craig S" <none@none.com> wrote in message
> > > > > news:YkfC8.310$xq4.5764@twister.rdc-kc.rr.com...
> > > > > > I have one single user that used to be on the local domain with
> the
> > > > > standard
> > > > > > password expiration policy (changed every 45 days) but then moved
> > > 2,000
> > > > > > miles away and took the laptop with her.  I don't have any VPN/RAS
> > > set up
> > > > > yet
> > > > > > (and won't for a few weeks). Now her password is expiring, and she
> has
> > > been
> > > > > > unable to change it because it reports "Unable to change password
> > > because
> > > > > > domain <domainname> is unavailable"
> > > > > >
> > > > > > Is there any way to change her password from her PC without
> > connecting
> > > to
> > > > > my
> > > > > > domain?  I really don't have any way set up for her to get into
> the
> > > > > domain,
> > > > > > but she needs to keep working using her existing account/profile.
> > > > > >
> > > > > > Help!?
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
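The two settings the thread keeps coming back to, the number of cached domain logons and the KB 242536 notification, can be audited on a laptop before it leaves the office. The script below is an added example, not code from the thread or from Microsoft. It assumes a modern Windows host with PowerShell, reads the Winlogon registry values CachedLogonsCount and ReportControllerMissing (the value KB 242536 describes), treats a missing CachedLogonsCount as the default of 10, and applies the 50-account cap Bruce mentions.

```powershell
# Added example (not from the thread): report how a laptop will behave
# for domain users when no domain controller can be reached.
function Get-CachedLogonPolicy {
    [CmdletBinding()]
    param(
        [string]$WinlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )

    $props = Get-ItemProperty -Path $WinlogonPath -ErrorAction Stop

    # CachedLogonsCount is stored as a REG_SZ; when absent Windows uses 10.
    $configured = if ($null -ne $props.CachedLogonsCount) {
        [int]$props.CachedLogonsCount
    } else {
        10
    }

    # The policy editor accepts larger numbers, but at most 50 distinct
    # domain accounts are actually cached (per the thread above).
    $effective = [Math]::Min($configured, 50)

    # ReportControllerMissing = "TRUE" makes Windows tell the user that the
    # logon was verified against cached credentials (KB 242536).
    $notify = ($props.ReportControllerMissing -eq 'TRUE')

    $findings = @()
    if ($configured -eq 0) {
        $findings += 'Caching disabled: domain users cannot log on when no DC is reachable.'
    }
    if ($configured -gt 50) {
        $findings += "CachedLogonsCount=$configured exceeds the cap; only 50 accounts are cached."
    }
    if (-not $notify) {
        $findings += 'Users are not told when a cached logon is used (ReportControllerMissing is not TRUE).'
    }

    [PSCustomObject]@{
        ConfiguredCount     = $configured
        EffectiveCount      = $effective
        NotifyOnCachedLogon = $notify
        Findings            = $findings
    }
}

Get-CachedLogonPolicy | Format-List
```

The function only reads the registry; as Bruce says, the count itself is better changed through the Security Options policy he names rather than by editing the value directly. A laptop that shows NotifyOnCachedLogon false and a handful of findings is one whose field users will have no warning that their "old" password is the one still being accepted.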
