Kevin Staley
asked on
Changing user password via VPN
When it comes time for users to change their domain passwords, all users on the LAN or connecting to it via
our WAN have no problems doing so. We have a dozen or more remote users. Those that connect via a VPN/
Firewall appliance that establishes a tunnel to our LAN usually have no problems too. However, a handful of users
connect to our LAN via VPN software that runs on their laptops. These users always have problems and have to
eventually come in to one of our locations connected via WAN or LAN to change the password on their laptops.
They all have entries in their hosts file for all of our servers. When they try to change their password (open the
Windows Security window and click on the "change password" button) it eventually times out with an error to
the effect that the domain controller is not available (even though they have established a VPN connection and
can ping the DC on our LAN). Is there any remedy for this situation?
Thanks,
Kevin
You say that they can ping the DC but do they authenticate first before trying to change their password? Obviously if their password has already expired they cannot do that but let's just say the password has yet to expire in this case...
ASKER
Would they "authenticate first" by logging off Windows with an active VPN connection and then logging back in?
I know that the Cisco VPN client has an option to launch before they log in. In that case yes they would be authenticated. It also has the option to keep the VPNC connection established if you log off. So in that case if you log on, connect via VPN, log off then log back in then yes you would be authenticated. An easy way to authenticate would be to UNC to the DC...
\\DC01 <--- put that in the address bar in Internet Explorer and hit enter it will prompt you to authenticate if you aren't already (DC being the name of your domain controller)
ASKER
We are using Netscreen with the Juniper Remote access client VPN software. I'll have to look around in it to see if it has
an option to keep the VPN connection established during logoff. I'll try the tip on putting in the UNC to the DC in IE (I feel
like I should break into the "Old McDonald had a farm" song :-) I will try this sometime tonight from home with my
laptop (I have already changed my password on my desktop on the LAN, but have not logged in while connected via
VPN to the domain from my laptop, so I still log into my laptop with my previous password).
Let me know how that goes. I will be up running an offline defrag on some information stores anyway...
ASKER
Will do. All the best with the defrags (I've done that a few times).
ASKER
Here's what I found out. Using the UNC tip I was prompted to enter my username and password. That allowed me
to browse folders etc. on the DC. However, I tried changing my password and got the same "domain not available."
So, I had the bright idea to put a copy of an LMHOSTS file (I updated one I had deployed years ago to reflect the
new servers etc.) in my \%windir%\system32\drivers\etc folder. I did an nbtstat -R, followed by an nbtstat -c (per
an article on MS support site). I then tried to change my password and it gave me an error message about the format
of the password (I really did not want to change my password again). So, I decided to try logging off Windows with
my VPN active and log back in using my new (changed a week ago on my desktop on the LAN) password (I tried this
before the LMHOSTS file and it did not work), and it worked! I am using the default Netbios/TCPIP setting for the
network adapter I use in my laptop at home, so I wonder if I changed it to Netbios over TCPIP if that would have
accomplished the same thing without having to use an LMHOSTS file? (I also had and still have the LMHOSTS file
lookup enabled in the WINS options for the network adapter).
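An added example, not part of the thread or of any poster's reply: a small linter for the LMHOSTS file described above, flagging entries that `nbtstat -R` would not preload or that do not name a valid domain record. It assumes Microsoft's documented LMHOSTS syntax (`#PRE`, `#DOM:<domain>`, and quoted names whose `\0xNN` suffix must be the 16th character); DC01, DC02, CORP and the 10.0.0.x addresses are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample; hostnames, domain and addresses are placeholders.
SAMPLE = "\n".join([
    "# LMHOSTS pushed to VPN laptops",
    "10.0.0.10  DC01  #PRE #DOM:CORP",
    '10.0.0.10  "' + "CORP".ljust(15) + '\\0x1b"  #PRE',   # padded correctly
    '10.0.0.11  "' + "CORP".ljust(8) + '\\0x1b"  #PRE',    # padded too short
    "10.0.0.12  DC02  #DOM:CORP",                          # never preloaded
    "10.0.0.300 FILESRV01  #PRE",                          # invalid address
])

ENTRY = re.compile(r'^(\S+)\s+("[^"]*"|\S+)\s*(.*)$')
SUFFIX = re.compile(r'^(.*)\\0x([0-9A-Fa-f]{2})$')

def lint_lmhosts(text):
    """Return a list of (line_number, problem) for an LMHOSTS file body."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line, comment or # directive
        m = ENTRY.match(line)
        if not m:
            findings.append((no, "not an 'address name' entry"))
            continue
        addr, name, rest = m.groups()
        tags = {t.upper().split(":")[0] for t in rest.split() if t.startswith("#")}
        try:
            ipaddress.IPv4Address(addr)
        except ValueError:
            findings.append((no, f"invalid IPv4 address {addr}"))
        if name.startswith('"'):
            sfx = SUFFIX.match(name[1:-1])
            base = sfx.group(1) if sfx else name[1:-1]
            if sfx and len(base) != 15:
                findings.append((no, f"name is {len(base)} chars before the suffix, needs 15"))
        else:
            base = name
        if len(base) > 15:
            findings.append((no, "NetBIOS name longer than 15 characters"))
        if "#DOM" in tags and "#PRE" not in tags:
            findings.append((no, "#DOM entry without #PRE is not preloaded"))
    return findings

if __name__ == "__main__":
    for no, problem in lint_lmhosts(SAMPLE):
        print(f"line {no}: {problem}")
```

Static LMHOSTS entries are trusted without any lookup, so the file is worth reviewing whenever a domain controller is readdressed or retired.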