
Password Policy + Cached user



Posted

We have some users who mainly work on the road and rarely come into the
office. The user logs in cached and then will vpn to the office if required
for network files, etc... Mail is connected via Outlook RPC.

If we enable password policy for these users, they will get a message after
they run a vpn connection to the office that the password will need to be
changed but can't log off and log in as their VPN will drop. We are not
using the Microsoft VPN so selecting the "Logon Using Dial-Up Connection"
doesn't work with 3rd party VPN.

What options (if any) do we have to ensure a cached user still requires a
password change but can still log on successfully in cached mode?

Guest Lanwench [MVP - Exchange]
Posted

Re: Password Policy + Cached user

 

FL <FL@discussions.microsoft.com> wrote:

> We have some users who mainly work on the road and rarely come into
> the office. The user logs in cached and then will vpn to the office
> if required for network files, etc... Mail is connected via Outlook
> RPC.
>
> If we enable password policy for these users, they will get a message
> after they run a vpn connection to the office that the password will
> need to be changed but can't log off and log in as their VPN will
> drop. We are not using the Microsoft VPN so selecting the "Logon
> Using Dial-Up Connection" doesn't work with 3rd party VPN.
>
> What options (if any) do we have to ensure a cached user still
> requires a password change but can still log on successfully in
> cached mode?

I don't know of any way to let them both change their password & update
their laptops' cached credentials if they aren't in contact with a DC. They
can change passwords via OWA (if you enable that) but then they'll have two
passwords.

Re logging off - the password expiration change shouldn't prompt for a
logoff at all - but my comments above still stand.

For users who rarely come into contact with a DC except via remote access, I
don't join their computers to the domain at all. I don't see the point. They
can still use the VPN, still access remote resources, can still use RPC over
HTTP, etc. - just my $.02.

Guest Harry Bates
Posted

Re: Password Policy + Cached user

 

Newer OSes will ask the user to simply lock and unlock the session with the
new password. For instance, if I am logged into 2 nodes and I change the
domain password with one node, the other node, after a period of time, will
say to lock and unlock in the taskbar. Not sure if this will help.

"FL" <FL@discussions.microsoft.com> wrote in message
news:6D661874-5B36-487F-9023-F3ACE036CF0E@microsoft.com...

> We have some users who mainly work on the road and rarely come into the
> office. The user logs in cached and then will vpn to the office if required
> for network files, etc... Mail is connected via Outlook RPC.
>
> If we enable password policy for these users, they will get a message after
> they run a vpn connection to the office that the password will need to be
> changed but can't log off and log in as their VPN will drop. We are not
> using the Microsoft VPN so selecting the "Logon Using Dial-Up Connection"
> doesn't work with 3rd party VPN.
>
> What options (if any) do we have to ensure a cached user still requires a
> password change but can still log on successfully in cached mode?

  • 1 month later...
Posted

Re: Password Policy + Cached user

 

We put the machines on the domain so that the users have access to folders
and drives after the VPN is connected and machines are restricted (gp
lockdown, etc.). We could leave them in a workgroup but then we have to map
drives with user names/passwords, etc. and it gets a little ugly since they
run apps that require network services. The users are running Windows XP.
This would be no different than a laptop user who travels frequently and
will only come into the office once every couple of months. The problem is
the user could change the password once they are connected via VPN but upon
the next reboot, they can't log in as they have never logged in cached with
their new password (this is from a test we did). In this example, the user
could not log in with the old or new password. Once they brought the PC in
to the office, it connected no problem and logged in cached with the new
password.

"Lanwench [MVP - Exchange]" wrote:

> FL <FL@discussions.microsoft.com> wrote:
> > We have some users who mainly work on the road and rarely come into
> > the office. The user logs in cached and then will vpn to the office
> > if required for network files, etc... Mail is connected via Outlook
> > RPC.
> >
> > If we enable password policy for these users, they will get a message
> > after they run a vpn connection to the office that the password will
> > need to be changed but can't log off and log in as their VPN will
> > drop. We are not using the Microsoft VPN so selecting the "Logon
> > Using Dial-Up Connection" doesn't work with 3rd party VPN.
> >
> > What options (if any) do we have to ensure a cached user still
> > requires a password change but can still log on successfully in
> > cached mode?
>
> I don't know of any way to let them both change their password & update
> their laptops' cached credentials if they aren't in contact with a DC. They
> can change passwords via OWA (if you enable that) but then they'll have two
> passwords.
>
> Re logging off - the password expiration change shouldn't prompt for a
> logoff at all - but my comments above still stand.
>
> For users who rarely come into contact with a DC except via remote access, I
> don't join their computers to the domain at all. I don't see the point. They
> can still use the VPN, still access remote resources, can still use RPC over
> HTTP, etc. - just my $.02.

  • 1 month later...
Guest Harry Bates
Posted

Re: Password Policy + Cached user

 

You may be able to get them to change their password, then lock and unlock
their node to pull in the new credentials while on the wire. I haven't tried
this yet, but theoretically, it should work. We have moved to a MSGINA setup
for VPNs in most cases, however, so we don't have that problem any more.

Harry Bates

"FL" <FL@discussions.microsoft.com> wrote in message
news:9E450FE3-5DB7-4005-9FC7-A09AA5121877@microsoft.com...

> We put the machines on the domain so that the users have access to folders
> and drives after the VPN is connected and machines are restricted (gp
> lockdown, etc.). We could leave them in a workgroup but then we have to map
> drives with user names/passwords, etc. and it gets a little ugly since they
> run apps that require network services. The users are running Windows XP.
> This would be no different than a laptop user who travels frequently and
> will only come into the office once every couple of months. The problem is
> the user could change the password once they are connected via VPN but upon
> the next reboot, they can't log in as they have never logged in cached with
> their new password (this is from a test we did). In this example, the user
> could not log in with the old or new password. Once they brought the PC in
> to the office, it connected no problem and logged in cached with the new
> password.
>
> "Lanwench [MVP - Exchange]" wrote:
>
>> FL <FL@discussions.microsoft.com> wrote:
>> > We have some users who mainly work on the road and rarely come into
>> > the office. The user logs in cached and then will vpn to the office
>> > if required for network files, etc... Mail is connected via Outlook
>> > RPC.
>> >
>> > If we enable password policy for these users, they will get a message
>> > after they run a vpn connection to the office that the password will
>> > need to be changed but can't log off and log in as their VPN will
>> > drop. We are not using the Microsoft VPN so selecting the "Logon
>> > Using Dial-Up Connection" doesn't work with 3rd party VPN.
>> >
>> > What options (if any) do we have to ensure a cached user still
>> > requires a password change but can still log on successfully in
>> > cached mode?
>>
>> I don't know of any way to let them both change their password & update
>> their laptops' cached credentials if they aren't in contact with a DC. They
>> can change passwords via OWA (if you enable that) but then they'll have two
>> passwords.
>>
>> Re logging off - the password expiration change shouldn't prompt for a
>> logoff at all - but my comments above still stand.
>>
>> For users who rarely come into contact with a DC except via remote access, I
>> don't join their computers to the domain at all. I don't see the point. They
>> can still use the VPN, still access remote resources, can still use RPC over
>> HTTP, etc. - just my $.02.
