Active Directory Password Changes...

TechLarry

This is for you really deep AD Admins :)

I have a problem where offsite users change their passwords using an online system, but because they do it offsite and are not on the LAN, the change does not migrate to their local password cache on the machine. The next time they boot, they cannot log in unless they use the old password. However, all their other accounts now use the new password.

Is there a command, or anything, that can force a migration of the password to the local cache through a VPN tunnel?

Be advised, I have no control over the back-end and cannot change or make recommendations on that. I can only deal with what I have on the client side, if there is anything.

Thanks
 
While the user is connected to the VPN tunnel, have them lock their workstation (ctrl+alt+del then Lock Computer) and then unlock it with the new password. This will force the OS to pull the new password from Active Directory and update the local cache.
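A pre-check to run as the affected user before attempting the lock/unlock refresh, added here as an example and not part of the original thread. It assumes a domain-joined Windows client with PowerShell and uses only built-in pieces: nltest, Test-ComputerSecureChannel, the Winlogon CachedLogonsCount value, and an LDAP lookup through [adsisearcher] (no RSAT needed).

```powershell
# Added diagnostic (not from the thread): confirm the conditions the lock/unlock
# trick depends on, then show whether the AD password is newer than the local cache.
# Assumes a domain-joined client; $env:USERDNSDOMAIN is only set on domain logons.

$domain = $env:USERDNSDOMAIN
if (-not $domain) { Write-Warning "Not a domain logon session; nothing to refresh."; return }

# 1. Can this box reach a domain controller through the tunnel?
#    nltest is built in; a non-zero exit code means no DC was located.
$dc = nltest /dsgetdc:$domain 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning "No DC reachable for $domain - connect the VPN first. Output:`n$dc"
    return
}
Write-Host "DC located:`n$($dc | Select-String 'DC:')"

# 2. Is the machine's own secure channel to the domain healthy?
#    This cmdlet needs an elevated prompt; report rather than fail if it is not.
try {
    if (-not (Test-ComputerSecureChannel -ErrorAction Stop)) {
        Write-Warning "Machine secure channel is broken; an unlock will not consult AD."
    }
} catch {
    Write-Warning "Could not test the secure channel (run elevated to check): $_"
}

# 3. Are cached logons enabled at all? 0 disables caching; the default is 10.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
Write-Host "CachedLogonsCount = $cached (0 means no offline logons at all)"

# 4. When was the password last set in AD? pwdLastSet is a FILETIME stored as Int64.
$entry = ([adsisearcher]"(sAMAccountName=$env:USERNAME)").FindOne()
if ($entry) {
    $pwdLastSet = [DateTime]::FromFileTime([int64]$entry.Properties['pwdlastset'][0])
    Write-Host "AD password last set: $pwdLastSet"
    Write-Host "If this is newer than your last interactive logon, the local cache is stale:"
    Write-Host "lock (Ctrl+Alt+Del, Lock Computer) and unlock with the NEW password to refresh it."
}
```

If step 1 fails, the unlock will validate against the stale cache and the new password will be rejected, which is the symptom the thread describes.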
 

That is exactly correct. It is worth it to create a nice document for your users on when this will happen, what to do to fix it, things it will affect, etc. For remote users I send out the nice doc and get no more questions about it.
 
Ok, a new wrinkle...

This works fine IF the user can log into the account in question. But if they are off the LAN, and cannot log into that account because of the password issues, the trick won't work.

Even logging into a backup account that has admin privs won't do it. You have to be logged into the actual account you want to change.

Anyone got one more trick up their sleeves for this one :)
 
Their only option is logging in with the old cached credentials first.
 
This works well.

I have a "how to see if the thin client is on" how-to I am putting on the shop floor. So many times I walk across the way to simply turn the unit on:rolleyes: After that, it's all automatic to the server:)
 
Correct. Otherwise get a VPN client that preserves the connection when you log out, and then have them log in on the domain.

If you have a Cisco VPN setup, the Cisco client allows this type of operation under the options Windows Logon Properties menu. It will allow you to keep a VPN connection even logged out as well as pre-authenticate to a VPN connection prior to logging into the machine. Very nice.
 
How do you terminate the VPN? Can you do it at the server or something?

I tried terminating it into the router once, but the config was so messy and complicated it wasn't working.
 
I would assume by just shutting the machine down. Leaving it logged in would still keep the network connection active. This is purely speculation of course as I wouldn't see any reason to keep a VPN connection active if I wasn't logged in. But it seems logical.
 
If you're using a standard Windows VPN connection, you can choose "for any user" while creating it. Then if you check the "dialup" box, you can choose the VPN connection and the PC will logon as if it were directly on the LAN. Passwords get updated, domain logon scripts run, etc.

I took this one step further with our cellular cards. I configured a copy of the VPN connection (since they still use the regular VPN connection elsewhere) to require the cell connection. At logon, they check the dialup box and choose this VPN connection. It tries to connect to the VPN during logon, which triggers the cell card to connect. It's a bit complicated, but it works nicely once the user is trained to click on the right option. They just check a box and pick the right thing, and everything connects and works automatically.
 
SecureClient.

I may have found a way around this, but it is quite convoluted and requires further testing, and I'm also concerned about the Novell Gina getting screwed up in the process.
 