Credentials problem.

Discussion in 'Networks' started by Daniel, Dec 4, 2008.

  1. Daniel

    Daniel Byte Poster

    Hi folks,

    We have a user who is using his laptop from home; normally he can log in LOCALLY onto the domain from his laptop.

    (Because he has cached credentials locally on the laptop)

    His password expired today, and now he can't logon locally to the domain.

    I'm thinking that because our GPO which is enforced on his domain account which says that password expires in so many days, now his password has expired, the account is totally locked locally and because we can't hook him up to our network, he can't simply plug in an Ethernet cable and then be connected to our DC at the login screen so that when he tries to login, it tells him to change his password because the GPO on the DC will enforce it.

    I'm now thinking that the best course of action would be either to phone up the user and get him to set up a VPN by logging into the default administrator account then on the VPN connection get him to sign in with his domain account, therefore forcing him to change his password.

    (I have unlocked his account in Active Directory and changed the password)

    But the problem I can see with that is it still won't change the cached credentials locally in the Registry.

    A Google search to find how to solve this problem (Expired cached credentials when not connected to the Domain Controller) hasn't turned up anything of any use.

    (Looked at Microsoft Support, small article on what's happening, but not how to solve it :biggrin ty MS!)

    Obviously the simple solution would be to plug his laptop into the network here and it would all be solved :biggrin

    Any ideas guys? :biggrin
     
    Certifications: 70-270, 70-290, 70-291
    WIP: None, but learning SEO/SEM
  2. Qs

    Qs Semi-Honorary Member Gold Member

    As far as I know... no.

    You have two options:-

    1. Set up a VPN and then get the user to change their password whilst connected (Windows Key + L to lock the computer and then unlock will prompt the user for a password change).

    2. If you use OWA I'm almost positive you can get a user to change their password using this. This method wouldn't mean any fiddling around with VPNs etc. but I don't think the option is available by default.

    EDIT - Here is the MS support article for enabling the change password feature through OWA... but it seems like a ballache. - http://support.microsoft.com/kb/297121 Here's a link to a guide doing it through Exchange 2003 - http://www.petri.co.il/enable_password_changing_through_owa_in_exchange_2003.htm

    3. Do they need to be connected to the domain? They can always just log on with local administrative rights and access all of their files/folders like this until they're next in the office. (Obviously there is the whole thing about admin security yadda yadda, but if you need a quick fix...)

    If I think of anything else then I'll let you know matey.

    Qs
     
    Certifications: MCT, MCSE: Private Cloud, MCSA (2008), MCITP: EA, MCITP: SA, MCSE: 2003, MCSA: 2003, MCITP: EDA7, MCITP: EDST7, MCITP: EST Vista, MCTS: Exh 2010, MCTS:ServerVirt, MCTS: SCCM07 & SCCM2012, MCTS: SCOM07, MCTS: Win7Conf, MCTS: VistaConf, MCDST, MCP, MBCS, HND: Applied IT, ITIL v3: Foundation, CCA
  3. flounder10

    flounder10 Nibble Poster

    If this user works away from site quite often, would it be better to set up the user with a local account and remove the laptop from the domain?

    We have a couple of people who come into the office sometimes, but are also floating around the country a fair amount too. Having a local account on the laptop and then setting local account restrictions helps, and I don't have the problem of expired passwords etc. when they are in the Outer Hebrides of Scotland :)
     
    WIP: Net+, MCDST, MCSA, MCSE, CCNA, CCNP
  4. Qs

    Qs Semi-Honorary Member Gold Member

    But then you have the problem that if their laptop dies unexpectedly (and you're not using a network store/shadow copies etc) that their files aren't recoverable. At least if you're using cached credentials then synchronization occurs with offline files on logon/logoff so you have a regular backup.

    Alternatively - next time just set the password to never expire :wink:

    Qs
     
    Certifications: MCT, MCSE: Private Cloud, MCSA (2008), MCITP: EA, MCITP: SA, MCSE: 2003, MCSA: 2003, MCITP: EDA7, MCITP: EDST7, MCITP: EST Vista, MCTS: Exh 2010, MCTS:ServerVirt, MCTS: SCCM07 & SCCM2012, MCTS: SCOM07, MCTS: Win7Conf, MCTS: VistaConf, MCDST, MCP, MBCS, HND: Applied IT, ITIL v3: Foundation, CCA
  5. Daniel

    Daniel Byte Poster

    @ Qs

    Option 1 you suggested is the method my co-worker recommended as we're both on this problem, best thing to do right now, so thanks! :biggrin

    @ flounder10

    I know what you mean :P But our password policy is that you MUST change your password when it says it is going to expire; unfortunately, you get people like this, but that's how it goes. This was his personally maintained laptop, so there SHOULD be a local account, but yet again, unfortunately this guy chose to ignore our advice from the beginning.

    I will keep you guys up to date as much as I can.

    Thanks for the help guys! :biggrin
     
    Certifications: 70-270, 70-290, 70-291
    WIP: None, but learning SEO/SEM
  6. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    Not sure how many field/OWA users we are talking about here, but you may want to take a look at software that will remind users of their password's expiry.

    Linky.

    Simon
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
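
A scripted version of the expiry check discussed above, as an added example that is not part of any post in this thread and not the linked product's code. It assumes the ActiveDirectory PowerShell module (RSAT), a reachable domain controller that exposes the `msDS-UserPasswordExpiryTimeComputed` attribute, and a 14-day warning window chosen here for illustration.

```powershell
# Added example: report enabled domain users whose password has expired
# or will expire within the warning window, so remote/VPN/OWA users can be
# contacted before their cached logon becomes a support call.
Import-Module ActiveDirectory

$WarnDays = 14                      # assumed warning window; match your policy
$now      = Get-Date
$cutoff   = $now.AddDays($WarnDays)

# Skip disabled accounts and accounts flagged "password never expires".
$users = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
    -Properties 'msDS-UserPasswordExpiryTimeComputed', mail, PasswordLastSet

$report = foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'

    # 0 (or empty)     = pwdLastSet is 0, i.e. "must change at next logon"
    # Int64.MaxValue   = no expiry applies; FromFileTime() would throw on it
    if (-not $raw -or $raw -eq [Int64]::MaxValue) { continue }

    # The attribute is a Windows FILETIME; convert to local time.
    $expires = [DateTime]::FromFileTime($raw)

    if ($expires -le $cutoff) {
        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            Mail            = $u.mail
            PasswordLastSet = $u.PasswordLastSet
            Expires         = $expires
            # Negative values mean the password has already expired.
            DaysLeft        = [math]::Floor(($expires - $now).TotalDays)
        }
    }
}

# Soonest (or longest-expired) first.
$report | Sort-Object Expires | Format-Table -AutoSize
```

The computed attribute takes the effective maximum password age into account, so the script does not need to read the domain policy itself.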
  7. Obinna Osobalu

    Obinna Osobalu Banned

    A zillion and one thanks for the link mate..

    - Automatically email users a reminder in advance of domain password expiration
    - Notify HR or management group about upcoming temporary accounts about to expire
    - Eliminate user frustration and support calls due to expired user accounts and passwords
    - Send expiration reminders to any email address- Public email, Notes, GroupWise, etc.
    - Use the Report Console to spot audit all AD user objects easily for compliance efforts
    - Easy to install, can be tested silently in your domain without disturbing any users
    - No scripting or coding, installation does not modify your domain, DC or mail server
    - Expiring password reminders are customizable and 'personalized' to each user by name
    - Support your change password policy easily for external users (OWA, VPN, Contractors)
    - Receive detailed daily audit report for password expiring and date expiring user accounts

    Can't get better than this
     
    Certifications: MCITP:SA,MCTS(x5),MCSE2K3;MCSA2K3:M;MCP
    WIP: EDA7,70-652,Project+,MSP(70-632)
  8. Daniel

    Daniel Byte Poster

    I have to agree with Obinna Osobalu!

    Great link :biggrin!

    Btw guys, I'm about to ring the guy now, I'm going to use the VPN option as well as Remote Desktop to his laptop.

    Plus many other things :P

    I will post my results when I'm done.

    Cheers guy! :biggrin
     
    Certifications: 70-270, 70-290, 70-291
    WIP: None, but learning SEO/SEM
  9. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    Pleased it helped!

    Simon
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  10. flounder10

    flounder10 Nibble Poster

    Ah yes... sorry, didn't think about that one :oops:

    I'll zip it now :p
     
    WIP: Net+, MCDST, MCSA, MCSE, CCNA, CCNP
  11. Daniel

    Daniel Byte Poster

    Problem Solved! (Kinda)

    We've found a way around the problem.

    Rang him up, asked him to log in using the local administrator account, then walked him through creating a VPN to us. When he had created one, Remote Desktopped to his PC, told him to leave it with me for 10 minutes.

    Created a new user account for him which is local, moved the information from his domain profile to his local one, so he has everything.

    Then verified for myself if he had a local user account in Computer Management; he didn't, yet the domain profile he uses to log on locally had all the stuff he stored on the C:\ drive (if anyone doesn't understand what I mean by this, please just ask :P) from when he was connected to the domain (makes sense).

    Then setup his PDA, business links, stuff he's required to have by policy, etc etc.

    Done :biggrin

    Earlier in the day though we tried to simulate what was happening to him. We simulated it successfully and went into the Registry and copied the latest cached file from the domain controller which logs the credentials in the domain Registry (can't remember exactly what we did there, blur xD) and pasted them into the Registry of the computer having the problem (like the user was having) but it didn't work.

    Ah well, you live and learn.

    Thanks guys for your suggestions! :biggrin
     
    Certifications: 70-270, 70-290, 70-291
    WIP: None, but learning SEO/SEM
  12. danielno8

    danielno8 Gigabyte Poster

    A bit old I know:

    There is an option in Cisco VPN client to stay connected when logging off.

    Log on as Admin, connect to VPN and choose option to stay connected, log off, log in and would it not then authenticate with the DC?
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  13. Qs

    Qs Semi-Honorary Member Gold Member

    The OP is over two (almost three) months old...

    Qs
     
    Certifications: MCT, MCSE: Private Cloud, MCSA (2008), MCITP: EA, MCITP: SA, MCSE: 2003, MCSA: 2003, MCITP: EDA7, MCITP: EDST7, MCITP: EST Vista, MCTS: Exh 2010, MCTS:ServerVirt, MCTS: SCCM07 & SCCM2012, MCTS: SCOM07, MCTS: Win7Conf, MCTS: VistaConf, MCDST, MCP, MBCS, HND: Applied IT, ITIL v3: Foundation, CCA
  14. danielno8

    danielno8 Gigabyte Poster

    That's why I said it is a bit old first. Doesn't stop it being helpful to someone else who finds this thread through Google (as I did).
     
    Certifications: CCENT, CCNA
    WIP: CCNP
