Password Policy + Cached user

FL
We have some users who mainly work on the road and rarely come into the
office. The user logs in cached and then will vpn to the office if required
for network files, etc... Mail is connected via Outlook RPC.

If we enable password policy for these users, they will get a message after
they run a vpn connection to the office that the password will need to be
changed but can't log off and log in as their VPN will drop. We are not
using the Microsoft VPN so selecting the "Logon Using Dial-Up Connection"
doesn't work with 3rd party VPN.

What options (if any) do we have to ensure a cached user still requires a
password change but can still log on successfully in cached mode?
 
Re: Password Policy + Cached user

FL <FL@discussions.microsoft.com> wrote:
> We have some users who mainly work on the road and rarely come into
> the office. The user logs in cached and then will vpn to the office
> if required for network files, etc... Mail is connected via Outlook
> RPC.
>
> If we enable password policy for these users, they will get a message
> after they run a vpn connection to the office that the password will
> need to be changed but can't log off and log in as their VPN will
> drop. We are not using the Microsoft VPN so selecting the "Logon
> Using Dial-Up Connection" doesn't work with 3rd party VPN.
>
> What options (if any) do we have to ensure a cached user still
> requires a password change but can still log on successfully in
> cached mode?


I don't know of any way to let them both change their password & update
their laptops' cached credentials if they aren't in contact with a DC. They
can change passwords via OWA (if you enable that) but then they'll have two
passwords.

Re logging off - the password expiration change shouldn't prompt for a
logoff at all - but my comments above still stand.

For users who rarely come into contact with a DC except via remote access, I
don't join their computers to the domain at all. I don't see the point. They
can still use the VPN, still access remote resources, can still use RPC over
HTTP, etc. - just my $.02.
 
Re: Password Policy + Cached user

Newer OSes will ask the user to simply lock and unlock the session with the
new password. For instance, if I am logged into 2 nodes and I change the
domain password with one node, the other node, after a period of time, will
say to lock and unlock in the taskbar. Not sure if this will help.

"FL" <FL@discussions.microsoft.com> wrote in message
news:6D661874-5B36-487F-9023-F3ACE036CF0E@microsoft.com...
> We have some users who mainly work on the road and rarely come into the
> office. The user logs in cached and then will vpn to the office if required
> for network files, etc... Mail is connected via Outlook RPC.
>
> If we enable password policy for these users, they will get a message after
> they run a vpn connection to the office that the password will need to be
> changed but can't log off and log in as their VPN will drop. We are not
> using the Microsoft VPN so selecting the "Logon Using Dial-Up Connection"
> doesn't work with 3rd party VPN.
>
> What options (if any) do we have to ensure a cached user still requires a
> password change but can still log on successfully in cached mode?
 
Re: Password Policy + Cached user

We put the machines on the domain so that the users have access to folders
and drives after the VPN is connected and machines are restricted (GP
lockdown, etc.). We could leave them in a workgroup but then we have to map
drives with user names/passwords, etc. and it gets a little ugly since they
run apps that require network services. The users are running Windows XP.
This would be no different than a laptop user who travels frequently and
will only come into the office once every couple of months. The problem is
the user could change the password once they are connected via VPN but upon
the next reboot, they can't log in as they have never logged in cached with
their new password (this is from a test we did). In this example, the user
could not log in with the old or new password. Once they brought the PC in
to the office, it connected no problem and logged in cached with the new
password.

"Lanwench [MVP - Exchange]" wrote:

> FL <FL@discussions.microsoft.com> wrote:
> > We have some users who mainly work on the road and rarely come into
> > the office. The user logs in cached and then will vpn to the office
> > if required for network files, etc... Mail is connected via Outlook
> > RPC.
> >
> > If we enable password policy for these users, they will get a message
> > after they run a vpn connection to the office that the password will
> > need to be changed but can't log off and log in as their VPN will
> > drop. We are not using the Microsoft VPN so selecting the "Logon
> > Using Dial-Up Connection" doesn't work with 3rd party VPN.
> >
> > What options (if any) do we have to ensure a cached user still
> > requires a password change but can still log on successfully in
> > cached mode?
>
> I don't know of any way to let them both change their password & update
> their laptops' cached credentials if they aren't in contact with a DC. They
> can change passwords via OWA (if you enable that) but then they'll have two
> passwords.
>
> Re logging off - the password expiration change shouldn't prompt for a
> logoff at all - but my comments above still stand.
>
> For users who rarely come into contact with a DC except via remote access, I
> don't join their computers to the domain at all. I don't see the point. They
> can still use the VPN, still access remote resources, can still use RPC over
> HTTP, etc. - just my $.02.
 
Re: Password Policy + Cached user

You may be able to get them to change their password, then lock and unlock
their node to pull in the new credentials while on the wire. I haven't tried
this yet, but theoretically, it should work. We have moved to an MSGINA setup
for VPNs in most cases, however, so we don't have that problem any more.

Harry Bates



"FL" <FL@discussions.microsoft.com> wrote in message
news:9E450FE3-5DB7-4005-9FC7-A09AA5121877@microsoft.com...
> We put the machines on the domain so that the users have access to folders
> and drives after the VPN is connected and machines are restricted (GP
> lockdown, etc.). We could leave them in a workgroup but then we have to map
> drives with user names/passwords, etc. and it gets a little ugly since they
> run apps that require network services. The users are running Windows XP.
> This would be no different than a laptop user who travels frequently and
> will only come into the office once every couple of months. The problem is
> the user could change the password once they are connected via VPN but upon
> the next reboot, they can't log in as they have never logged in cached with
> their new password (this is from a test we did). In this example, the user
> could not log in with the old or new password. Once they brought the PC in
> to the office, it connected no problem and logged in cached with the new
> password.
>
> "Lanwench [MVP - Exchange]" wrote:
>
>> FL <FL@discussions.microsoft.com> wrote:
>> > We have some users who mainly work on the road and rarely come into
>> > the office. The user logs in cached and then will vpn to the office
>> > if required for network files, etc... Mail is connected via Outlook
>> > RPC.
>> >
>> > If we enable password policy for these users, they will get a message
>> > after they run a vpn connection to the office that the password will
>> > need to be changed but can't log off and log in as their VPN will
>> > drop. We are not using the Microsoft VPN so selecting the "Logon
>> > Using Dial-Up Connection" doesn't work with 3rd party VPN.
>> >
>> > What options (if any) do we have to ensure a cached user still
>> > requires a password change but can still log on successfully in
>> > cached mode?
>>
>> I don't know of any way to let them both change their password & update
>> their laptops' cached credentials if they aren't in contact with a DC. They
>> can change passwords via OWA (if you enable that) but then they'll have two
>> passwords.
>>
>> Re logging off - the password expiration change shouldn't prompt for a
>> logoff at all - but my comments above still stand.
>>
>> For users who rarely come into contact with a DC except via remote access, I
>> don't join their computers to the domain at all. I don't see the point. They
>> can still use the VPN, still access remote resources, can still use RPC over
>> HTTP, etc. - just my $.02.
 