1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Credentials problem.

Discussion in 'Networks' started by Daniel, Dec 4, 2008.

  1. Daniel

    Daniel Byte Poster

    236
    6
    25
    Hi folks,

    He have a user who is using his laptop from home, normally he can login LOCALLY onto the domain from his laptop.

    (Because he has cached credentials locally on the laptop)

    His password expired today, and now he can't logon locally to the domain.

    I'm thinking that because our GPO which is enforced on his domain account which says that password expires in so many days, now his password has expired, the account is totally locked locally and because we cant hook him up to our network, he can't simply plug in an Ethernet cable and then be connected to our DC at the login screen so that when he tries to login, it tells him to change his password because the GPO on the DC will enforce it.

    I'm now thinking that the best course of action would either phone up the user and get him to set up a VPN by logging into the default administrator account then on the VPN connection get him to sign in with his domain account, therefore enforcing him to change his password.

    (I have unlocked his account in Active Directory and changed the password)

    But the problem I can see with that it still wont changed the cached credentials locally in the Registry.

    A Google search of finding how to solve this problem (Expired cached credentials when not connected to the Domain Controller) hasnt turned up anything of any use.

    (Looked at Microsoft Support, small article oh whats happening, but not how to solve it :biggrin ty MS!)

    Obviously the simple solution would be to plug his laptop into the network here and it would all be solved :biggrin

    Any ideas guys? :biggrin
     
    Certifications: 70-270, 70-290, 70-291
    WIP: None, but learning SEO/SEM
  2. Qs

    Qs Semi-Honorary Member Gold Member

    3,081
    70
    171
    As far as I know... no.

    You have two options:-

    1. Set up a VPN and then get the user to change their password whilst connected (Windows Key + L to lock the computer and then unlock will prompt the user for a password change).

    2. If you use OWA I'm almost positive you can get a user to change their password using this. This methd wouldn't mean any fiddling around with VPN's etc but I don't think the option is available by default.

    EDIT - Here is the MS support article for enabling the change password feature through OWA... but it seems like a ballache. - http://support.microsoft.com/kb/297121 Here's a link to a guide doing it through Exchange 2003 - http://www.petri.co.il/enable_password_changing_through_owa_in_exchange_2003.htm

    3. Do they need to be connected to the domain? They can always just log on with local administrative rights and access all of their files/folders like this until they're next in the office. (Obviously there is the whole thing about admin security yadda yadda, but if you need a quick fix...)

    If I think of anything else then I'll let you know matey.

    Qs
     
    Certifications: MCT, MCSE: Private Cloud, MCSA (2008), MCITP: EA, MCITP: SA, MCSE: 2003, MCSA: 2003, MCITP: EDA7, MCITP: EDST7, MCITP: EST Vista, MCTS: Exh 2010, MCTS:ServerVirt, MCTS: SCCM07 & SCCM2012, MCTS: SCOM07, MCTS: Win7Conf, MCTS: VistaConf, MCDST, MCP, MBCS, HND: Applied IT, ITIL v3: Foundation, CCA
  3. flounder10

    flounder10 Nibble Poster

    83
    1
    17
    If this user works away from site quite often, would it be better to setup the user with a local account and remove the laptop from the domain?

    We have a couple of people who come into the office sometimes, but are also floating around the coutry a fair amount too. Having a local account on the laptop and then setting local account restrictions help, and i dont have the problem of expired password etc when they are in the Outer Hebrides of Scotland :)
     
    WIP: Net+, MCDST, MCSA, MCSE, CCNA, CCNP
  4. Qs

    Qs Semi-Honorary Member Gold Member

    3,081
    70
    171
    But then you have the problem that if their laptop dies unexpectedly (and you're not using a network store/shadow copies etc) that their files aren't recoverable. At least if you're using cached credentials then synchronization occurs with offline files on logon/logoff so you have a regular backup.

    Alternatively - next time just set the password to never expire :wink:

    Qs
     
    Certifications: MCT, MCSE: Private Cloud, MCSA (2008), MCITP: EA, MCITP: SA, MCSE: 2003, MCSA: 2003, MCITP: EDA7, MCITP: EDST7, MCITP: EST Vista, MCTS: Exh 2010, MCTS:ServerVirt, MCTS: SCCM07 & SCCM2012, MCTS: SCOM07, MCTS: Win7Conf, MCTS: VistaConf, MCDST, MCP, MBCS, HND: Applied IT, ITIL v3: Foundation, CCA
  5. Daniel

    Daniel Byte Poster

    236
    6
    25
    @ Qs

    Option 1 you suggested is the method my co-worker recommended as were both on this problem, best thing to do right now, so thanks! :biggrin

    @ flounder10

    I know what you mean :P But our password policy is that you MUST change your password when it says it is going to expire, unfortunately, you get people like this, but thats how it goes. This was his personally maintained laptop, so there SHOULD be a local account, but yet again, unfortunately this guy chose to ignore our advice from the beginning.

    I will keep you guys up to date as much as I can.

    Thanks for the help guys! :biggrin
     
    Certifications: 70-270, 70-290, 70-291
    WIP: None, but learning SEO/SEM
  6. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    6,281
    85
    174
    Not sure how many field/OWA users we are talking about here, but you may want to take a look at software that will remind users of their passwords expiry.

    Linky.

    Simon
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  7. Obinna Osobalu

    Obinna Osobalu Banned

    539
    7
    0
    A zillion and one thanks for the link mate..

    - Automatically email users a reminder in advance of domain password expiration
    - Notify HR or management group about upcoming temporary accounts about to expire
    - Eliminate user frustration and support calls due to expired user accounts and passwords
    - Send expiration reminders to any email address- Public email, Notes, GroupWise, etc.
    - Use the Report Console to spot audit all AD user objects easily for compliance efforts
    - Easy to install, can be tested silently in your domain without disturbing any users
    - No scripting or coding, installation does not modify your domain, DC or mail server
    - Expiring password reminders are customizable and 'personalized' to each user by name
    - Support your change password policy easily for external users (OWA, VPN, Contractors)
    - Receive detailed daily audit report for password expiring and date expiring user accounts

    Cant get better than this
     
    Certifications: MCITP:SA,MCTS(x5),MCSE2K3;MCSA2K3:M;MCP
    WIP: EDA7,70-652,Project+,MSP(70-632)
  8. Daniel

    Daniel Byte Poster

    236
    6
    25
    I have to agree with Obinna Osobalu!

    Great link :biggrin!

    Btw guys, I'm about to ring the guy now, I'm going to use the VPN option aswell as Remote Desktop to his laptop.

    Plus many other things :P

    I will post my results when I'm done.

    Cheers guy! :biggrin
     
    Certifications: 70-270, 70-290, 70-291
    WIP: None, but learning SEO/SEM
  9. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    6,281
    85
    174
    Pleased it helped!

    Simon
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  10. flounder10

    flounder10 Nibble Poster

    83
    1
    17
    Ah yes... sorry, didn't think about that one :oops:

    Ill zip it now :p
     
    WIP: Net+, MCDST, MCSA, MCSE, CCNA, CCNP
  11. Daniel

    Daniel Byte Poster

    236
    6
    25
    Problem Solved! (Kinda)

    We've found a way around the problem.

    Rung him up, asked him to login using the local administrator account then walked him through him though creating a VPN to us, when he created one, Remote Desktoped to his PC, told him to leave it with me for 10 minutes.

    Created a new user account from him which is local, moved the information from his domain profile to his local one, so he has everything.

    Then verified for myself if he had a local user account in Computer Management, he didnt, yet the domain profile he uses to log on locally had all the stuff he stored on the C:\ drive (if anyone doesnt understand what I mean by this, please just ask :P) from when he was connected to the domain (makes sense).

    Then setup his PDA, business links, stuff he's required to have by policy, etc etc.

    Done :biggrin

    Earlier in the day though we tried to simulate what was happening to him, we simulated it successfuly and went into the Registry and copied the latest cached file from the domain controller which logs the credentials in the domain Registry (cant remember exactly what we did there, blur xD) and pasted them into the Registry of the computer having the problem (like the user was having) but didnt work.

    Ah well, you live and learn.

    Thanks guys for your suggestions! :biggrin
     
    Certifications: 70-270, 70-290, 70-291
    WIP: None, but learning SEO/SEM
  12. danielno8

    danielno8 Gigabyte Poster

    1,305
    48
    92
    A bit old i know:

    there is an option in Cisco VPN client to stay connected when logging off.

    Log on as Admin, connect to VPN and choose option to stay connected, log off, log in and would it not then authenticate with the DC?
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  13. Qs

    Qs Semi-Honorary Member Gold Member

    3,081
    70
    171
    The OP is over two (almost three) months old...

    Qs
     
    Certifications: MCT, MCSE: Private Cloud, MCSA (2008), MCITP: EA, MCITP: SA, MCSE: 2003, MCSA: 2003, MCITP: EDA7, MCITP: EDST7, MCITP: EST Vista, MCTS: Exh 2010, MCTS:ServerVirt, MCTS: SCCM07 & SCCM2012, MCTS: SCOM07, MCTS: Win7Conf, MCTS: VistaConf, MCDST, MCP, MBCS, HND: Applied IT, ITIL v3: Foundation, CCA
  14. danielno8

    danielno8 Gigabyte Poster

    1,305
    48
    92
    thats why i said it is a bit old first. Doesn't stop it being helpful to someone else who finds this thread through google (as i did)
     
    Certifications: CCENT, CCNA
    WIP: CCNP

Share This Page

Loading...