Re: VPN and Password Policy

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 09/22/04


Date: Wed, 22 Sep 2004 00:43:08 GMT

I know of no official document and it seems to vary depending on VPN client. I have
had success changing an expired password using the built-in Windows 2000/XP VPN
client in that after a VPN logon to the domain I was informed that my password had
expired and was given the chance to change it, which worked. A problem arises if a
user is logging onto their computer using cached credentials for the domain. In that
case if the password has expired I was able to change it but was denied access to
domain shares. The reason is that the "cached credentials" are not updated when you
change the password over the VPN. I found that after changing my password via VPN, if
I immediately locked and unlocked my computer with the "new" password that the cached
credentials are updated and was able to access domain resources. Note that you might
have better luck if you train users to log on to the VPN using the domain name also
instead of just username and password. This can be configured in the VPN connections
properties for the MS built-in VPN client. Once logged onto the domain via VPN, the
users should be able to change their domain password by using ctrl-alt-delete/change
password which you may want to have them try before you implement the policy and then
remind them to do such before their password expires. Note that users who have their
account properties configured for "password never expires" will not be subject to
maximum password age policy and those users that currently have a password older than
maximum password age will immediately have expired passwords. There is a free tool
from SomarSoft called dumpsec that can display the last time a user changed their
password.

--- Steve

"greg@b101fm.com" <anonymous@discussions.microsoft.com> wrote in message
news:010601c4a004$28ec61b0$a401280a@phx.gbl...
> We have a Windows 2000 server and a Windows 2000 remote
> access server. We are planning on changing Group Policy
> to force passwords to change every 60 days. I was
> wondering what might happen to remote users when they
> connect to the network and their password has expired. If
> anyone knows of a good document that describes this, that
> would be great.
>
> Thanks.

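A pre-rollout check for the two cases the reply describes (accounts exempt through "password never expires" and accounts whose password is already older than the new maximum age), as an added example that is not part of the original thread. It assumes the accounts' `pwdLastSet` and `userAccountControl` attributes have been exported from Active Directory; the account names, dates and helper names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl bit behind "password never expires"
NORMAL_ACCOUNT = 0x200


def filetime_to_datetime(filetime):
    """pwdLastSet counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse conversion, used here only to build the constructed sample data."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def classify(account, max_age_days, now):
    """Return 'exempt', 'expired', or the whole days left before expiry."""
    if account["userAccountControl"] & DONT_EXPIRE_PASSWORD:
        return "exempt"      # maximum password age is not applied to this account
    if account["pwdLastSet"] == 0:
        return "expired"     # account is flagged "must change password at next logon"
    expires = filetime_to_datetime(account["pwdLastSet"]) + timedelta(days=max_age_days)
    if expires <= now:
        return "expired"     # will be expired as soon as the policy applies
    return (expires - now).days


def audit(accounts, max_age_days, now):
    """Map each account name to its status under the planned maximum age."""
    return {a["sAMAccountName"]: classify(a, max_age_days, now) for a in accounts}


def _utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample export; none of these accounts come from the thread.
NOW = _utc(2004, 9, 22)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": NORMAL_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(_utc(2004, 9, 1))},
    {"sAMAccountName": "bob", "userAccountControl": NORMAL_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(_utc(2004, 5, 10))},
    {"sAMAccountName": "svc_backup",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
     "pwdLastSet": datetime_to_filetime(_utc(2003, 1, 15))},
    {"sAMAccountName": "carol", "userAccountControl": NORMAL_ACCOUNT, "pwdLastSet": 0},
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE_ACCOUNTS, 60, NOW).items():
        print(f"{name:12} {status}")
```

Accounts reported as `expired` are the ones to have change their password before the 60-day policy is enabled, and `exempt` accounts are worth reviewing separately because the policy will never reach them.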

