Re: Remote User Needs to Change PWD without connecting to domain
From: Bruce Sanderson (Bruce.Sanderson@junk.junk)
Date: 05/22/02
- Next message: Oliver Marshall: "Allowing a user from one pc to access a file on another (in a WORKGROUP)"
- Previous message: Bornaz Lucian: "Security Issue?"
- In reply to: Dan DeStefano, MCSA, MCP, A+, Net+: "Re: Remote User Needs to Change PWD without connecting to domain"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Bruce Sanderson" <Bruce.Sanderson@junk.junk> Date: Tue, 21 May 2002 15:17:12 -0700
My Domain's account expired on the weekend. Knowing it would expire, I unplugged my
computer from the network before leaving work on Friday. This morning, with no network
connected, I logged on locally with the old password. The password had been expired for
at least 2 days.
Then, I plugged in the Ethernet cable. Everything worked OK until I tried to access a
Domain resource. I was told that access is denied.
Then, I logged off and logged on again with the new password and everthing was OK again.
So, I conclude from this experiment that the password in cached credentials does not
expire.. There will be a problem if the computer is connected to the network after the
logon with cached credentials. The solution to that is to connect to the network, then
logon. This can be accomplished using "Logon with Dial Up Networking".
-- Bruce Sanderson MVP bruce.sanderson@gems6.gov.bc.ca It is perfectly useless to know the right answer to the wrong question. "Dan DeStefano, MCSA, MCP, A+, Net+" <ddestefano@winmarcompanies.com> wrote in message news:epN67KQACHA.2164@tkmsftngp04... > thanks for clearing that up. so, the problem was not that 10 logons were > exceded, but rather that the user had continued to use the cached > credentials to log on and eventually the password expired. > > Dan > > "Bruce Sanderson" <Bruce.Sanderson@junk.junk> wrote in message > news:em40myv9BHA.1368@tkmsftngp04... > > I think you are misinterpreting the "10 logon" settings. See the quote > below from the > > gpedit Help for "Number of previous logons to cache..." (Computer > Configuration, Windows > > Settings, Security Settings, Local Policy, Security Options). > > > > "Logon information for domain accounts can be cached locally so that, in > the event a > > domain controller cannot be contacted on subsequent logons, a user can > still log on. This > > setting determines the number of unique users for which logon information > is cached > > locally." > > > > The number (which defaults to 10) is the number of user account > credentials that are > > cached, not the number of times that a single user can logon with cached > credentials. You > > can test this yourself by setting this number to a low value (e.g. 1), > then logging on > > without a network connection a few times. > > > > Has the password actually "expired" and does the user actually have a > problem? The reason > > for asking is that I seem to recall that the password expiration policy is > not "enforced" > > when cached credentials are used to logon locally. The next time the > computer can > > communicate with the Domain, the user will be prompted to change their > password. > > > > A possible solution to your dilema is to allow the user to connect via > dial up (RAS). > > This may be useful until you can get the VPN solution working. If the > user's password has > > expired, you, as an AD administrator, can set their password to a new > value. Then, when > > the user logs on using Dial Up Networking, they can specify the new > password and the > > cached credentials on the laptop will be updated. > > > > > > -- > > > > Bruce Sanderson MVP > > bruce.sanderson@gems6.gov.bc.ca > > > > It is perfectly useless to know the right answer to the wrong question. > > > > "Dan DeStefano, MCSA, MCP, A+, Net+" <ddestefano@winmarcompanies.com> > wrote in message > > news:ehvR#Nt9BHA.2512@tkmsftngp05... > > > you can try to enable the option "password never expires" for her user > > > account (note: this should only be temporary as this presents a security > > > risk, especially for a remote user). however, this may not work if the > > > password has already expired but you can give it a try. i have one > question: > > > if she cannot connect to the domain then how has she been logging on to > her > > > machine? cached credentials? if so, her password changing is not going > to be > > > her only problem because, by default, cached credentials will only last > for > > > 10 logons. > > > > > > Dan DeStefano > > > > > > "Craig S" <none@none.com> wrote in message > > > news:YkfC8.310$xq4.5764@twister.rdc-kc.rr.com... > > > > I have one single user that used to be on the local domain with the > > > standard > > > > password expiration policy (changed every 45 days) but then moved > 2,000 > > > > miles away and took the laptop with her. I don't have any VPN/RAS > setup > > > yet > > > > (and wont for a few weeks) Now her password is expiring, and she has > been > > > > unable to change it because it reports "Unable to change password > because > > > > domain <domainname> is unavailable" > > > > > > > > Is there any way to change her password from her PC without connecting > to > > > my > > > > domain? I really don't have any way setup for her to get in to the > > > domain, > > > > but she needs to keep working using her existing account/profile. > > > > > > > > Help!? > > > > > > > > > > > > > > > > > > > >
- Next message: Oliver Marshall: "Allowing a user from one pc to access a file on another (in a WORKGROUP)"
- Previous message: Bornaz Lucian: "Security Issue?"
- In reply to: Dan DeStefano, MCSA, MCP, A+, Net+: "Re: Remote User Needs to Change PWD without connecting to domain"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
