Windows password strategy - remote users over VPN
Posted on 2006-06-21
I have a client using Windows Small Business Server 2000 who has a number of remote users. These users predominantly have laptop machines, all of which are on the SBS Windows 2000 domain, the users logging into their machines using a cached domain profile, and connecting to the office LAN over VPN (currently a Linux-based Smoothwall implementation, soon to be Cisco PIX). They authenticate to the VPN using signed certificates and then authenticate to Windows resources on the LAN using the credentials cached when they logged onto the laptop.
Currently the users have static passwords, i.e. password expiry is NOT enabled on the domain. The client wants to move to a more secure environment, in other words to enable password expiry, but in the past I have had problems when the domain account password expired and the machines were remote; the user would be able to log into the laptop (as it was off the LAN, the machine was unaware of the expired pw) and connect to the VPN, but then there would be a password mismatch and the user would be unable to get to networked resources. All of this would happen in quite an ugly way, in other words no nice dialogue popping up telling the user that their pw had expired and they needed to change it.
So I guess my question is, how can this be achieved without the aforementioned ugliness? I can't put that in as a solution as the users wouldn't be able to handle it.
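One defensive check relevant to the problem described above, added here as example code that is not from the poster or from any vendor: it computes when each domain password expires from the Active Directory attributes pwdLastSet and maxPwdAge (both FILETIME tick counts) and flags remote users who should be told to change their password while still connected, before the cached laptop logon and the domain account fall out of step. The 42-day policy and the user list are constructed sample values; userAccountControl 0x200 is the ordinary account flag and 0x10000 marks a password that never expires.

```python
from datetime import datetime, timedelta, timezone

# Active Directory stores pwdLastSet as a FILETIME (100-ns ticks since
# 1601-01-01 UTC) and the domain's maxPwdAge as a NEGATIVE tick count.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWD = 0x10000           # userAccountControl flag
NEVER_EXPIRES = -0x8000000000000000    # maxPwdAge value for "no maximum"

def to_filetime(dt):
    """UTC datetime -> FILETIME ticks; used here only to build sample data."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def from_filetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def password_expiry(pwd_last_set, max_pwd_age, uac):
    """Return the UTC datetime the password expires, or None if it never does."""
    if uac & DONT_EXPIRE_PASSWD or max_pwd_age in (0, NEVER_EXPIRES):
        return None
    if pwd_last_set == 0:                 # "must change at next logon"
        return FILETIME_EPOCH             # treat as already expired
    return from_filetime(pwd_last_set - max_pwd_age)  # minus a negative = plus

def classify(users, max_pwd_age, now, warn_days=14):
    """Map each (name, pwdLastSet, userAccountControl) to a state as of `now`."""
    result = {}
    for name, pwd_last_set, uac in users:
        expiry = password_expiry(pwd_last_set, max_pwd_age, uac)
        if expiry is None:
            result[name] = "never"
        elif expiry <= now:
            result[name] = "expired"      # laptop logon still works, LAN access will not
        elif expiry - now <= timedelta(days=warn_days):
            result[name] = "warn"         # tell the user to change it while on the VPN
        else:
            result[name] = "ok"
    return result

# Constructed sample data (not from the post): a 42-day maxPwdAge and a
# snapshot of four laptop users on the day the question was posted.
MAX_PWD_AGE = -42 * 24 * 3600 * 10_000_000
NOW = datetime(2006, 6, 21, tzinfo=timezone.utc)
SAMPLE_USERS = [
    ("alice", to_filetime(datetime(2006, 6, 1, tzinfo=timezone.utc)), 0x200),
    ("bob",   to_filetime(datetime(2006, 5, 20, tzinfo=timezone.utc)), 0x200),
    ("carol", to_filetime(datetime(2006, 4, 1, tzinfo=timezone.utc)), 0x200),
    ("svc",   to_filetime(datetime(2006, 1, 1, tzinfo=timezone.utc)), 0x200 | DONT_EXPIRE_PASSWD),
]
```

Running `classify(SAMPLE_USERS, MAX_PWD_AGE, NOW)` yields alice ok, bob warn, carol expired and svc never; in a real domain the three attributes would come from an LDAP query against the domain controller.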