
Solved

Change Active Directory Password on PC not connected to the network - is it possible?

Posted on 2011-10-04
4,547 Views
Last Modified: 2012-05-12
Hi,

We have a Password Policy on Active Directory where users must change their passwords every 60 days.

What often happens is management might be abroad or away from the Office for long periods and their AD passwords expire while the notebooks are not switched on (as they use their iPads a lot for meetings when away from the Office).

They then switch on the Notebook for whatever reason to work on it while still away from the Office and can then not get into the Notebook because of the expired AD Password.

Logging on locally is possible as we have not disabled any local accounts, but because we use folder redirection the user's documents will be in a "hidden" cached location on the Laptop, only visible / accessible from the notebook when logged in as the user.

How does one get the user logged in or reset his AD password on the Notebook when the notebook is not at the Office? (Even if I can do this by logging in as the local administrator and somehow reset the "cached" AD password on the Laptop so that he can just get in with his AD Account until he is back at the office.)

Thanks for any help on this one, I think it should be worth 1000 points :)

Regards,
Reinhard
Question by:ReinhardRensburg
Expert Comment

by:L-Plate
ID: 36909021
Hi,

What client software do your users use to connect in to the network when working remotely?

Author Comment

by:ReinhardRensburg
ID: 36909047
Hi there L-Plate,

They make use of the Cisco VPN Client and connect with IPSec over TCP port 10000 to our network. We've got a Cisco ACS in place for the authentication (it talks to AD with LDAP) as well as a Cisco ASA5510 Firewall handling the access rules of the VPN connections.

Thanks,
Reinhard

Accepted Solution

by:
L-Plate earned 1600 total points
ID: 36909069
We face the same issue in our network - users work remotely, and they use Cisco VPN client software to connect to the corporate network.

After 60 days, the user password in AD will expire on the network. If the user is working remote, i.e. not in the office, this is the procedure we follow...

1. User powers on laptop and logs in to Windows with old (cached) password.
2. User telephones helpdesk support to have AD password on the network reset.
3. User VPN connects in to the network using the NEW password.
4. This is an important step - we synchronize the AD password change to the laptop (if we don't do this then some apps such as email and web will not connect). Easiest way to sync the change to the laptop - after connected to VPN, press Ctrl+Alt+Del and choose "Lock this computer". Then press Ctrl+Alt+Del again and unlock the computer with the NEW password - this should be enough for the laptop to cache the new password.
5. Disconnect from VPN, restart the laptop.
6. Log back in to Windows AND VPN all with the new password. That should do it.

Our process does still involve a call to the Helpdesk, and I know this is not ideal. I just don't see any other way in which a user can change their domain password when their machine is NOT on the network. But anyway, this is how we deal with this situation.

If somebody has a better way of dealing with this then it would be good for me to hear this also :)

Expert Comment

by:L-Plate
ID: 36909082
Just in reply to your last comment, it seems you have a very similar setup to us also.

Our clients use VPN client - IPSEC. This terminates to a Cisco ASA 5500.

We also use Cisco ACS for user authentication.

Anyway, check my previous suggestion and please let me know what you think.

In addition, we have also asked remote users to keep a calendar reminder in Outlook to remind them to change their password every 45 days.
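The procedure above (reset via helpdesk, then sync the cached credential over VPN) and the 45-day calendar reminder both depend on the user noticing expiry in time. An added example, not part of the original thread or either poster's environment: a PowerShell report, run by the helpdesk on a domain-joined workstation with the ActiveDirectory (RSAT) module, that lists users whose domain password expires within a warning window so they can be reminded before they travel. The `$WarnDays` value and the optional `$SearchBase` OU are assumptions; the `msDS-UserPasswordExpiryTimeComputed` attribute is a real constructed attribute that the DC calculates from the effective password policy.

```powershell
# Added example (not from the original thread): list domain users whose password
# expires within a warning window, so the helpdesk can remind travelling users
# before the 60-day policy leaves them unable to use VPN or e-mail while away.
# Assumes the ActiveDirectory PowerShell module (RSAT) and a reachable DC.
param(
    [int]$WarnDays = 14,          # assumption: warn two weeks ahead of expiry
    [string]$SearchBase = $null   # assumption: optional OU to restrict the query
)

Import-Module ActiveDirectory

# msDS-UserPasswordExpiryTimeComputed is computed by the DC from the policy that
# actually applies to each user (including fine-grained password policies), so it
# is more reliable than doing pwdLastSet + MaxPasswordAge arithmetic ourselves.
$query = @{
    Filter     = 'Enabled -eq $true -and PasswordNeverExpires -eq $false'
    Properties = 'msDS-UserPasswordExpiryTimeComputed', 'EmailAddress'
}
if ($SearchBase) { $query.SearchBase = $SearchBase }

$now = Get-Date
Get-ADUser @query |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        # 0 / Int64.MaxValue mean "never expires" or "must change at next logon"; skip
        if (-not $raw -or $raw -eq [Int64]::MaxValue) { return }
        $expires = [DateTime]::FromFileTime($raw)
        [PSCustomObject]@{
            User     = $_.SamAccountName
            Email    = $_.EmailAddress
            Expires  = $expires
            DaysLeft = [math]::Floor(($expires - $now).TotalDays)
        }
    } |
    Where-Object { $_.DaysLeft -le $WarnDays } |
    Sort-Object DaysLeft |
    Format-Table -AutoSize
```

A negative `DaysLeft` means the password has already expired; those users are the ones who will need the helpdesk-reset-then-VPN-sync steps above, while users with a small positive value can still change the password themselves over VPN before it lapses.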

Author Comment

by:ReinhardRensburg
ID: 36909116
Hi L-Plate,

This is indeed helpful as I did not know how to sync the new password (once changed on the AD Domain Controller) to the Notebook (after connected to the VPN), so the Ctrl + Alt + Del trick is definitely useful.

One scenario we're still faced with (which happened to my boss while I was on leave) is he could not get logged into his notebook. I assumed afterwards that his password expired and the Notebook didn't want to log him in (but you say that the old password will still work on the Notebook even after it expired on the domain controller), so I guess he then just forgot his password.

In a case like this, where a user cannot get into the Notebook because he, for argument's sake, forgot his AD password, does this mean there's no way of getting into Windows again if it's not connected to the network at that point in time? (L-Plate, I know you are probably also looking for this answer as it sounds to me like you've got a similar setup and problem as we've got.) I am hoping someone else might have a solution for this "user forgot password" scenario while away from the Office...

Thanks,
Reinhard



Assisted Solution

by:L-Plate
L-Plate earned 1600 total points
ID: 36909181
Hi Reinhard,

The user should still be able to log in to the notebook when remote, even if the password in AD has expired. So I guess the user did just forget the password.

We do have a workaround for when this happens, but again, it involves the user making a call to the support desk. When they call, we ask them to log in to the notebook as the local admin account - that is, username = pc name\administrator, and then the locally configured admin password. We use the same local admin password on all laptops.

This is a last resort really, but at least we can get the user logged in to the laptop and then we can work from there.

Assisted Solution

by:KCTS
KCTS earned 400 total points
ID: 36909507
You can't change the password unless the DC is there to authenticate the change; however, the 'expired' password can still be used until such time as the machine is re-connected to the domain.

Author Comment

by:ReinhardRensburg
ID: 36909645
Hi KCTS,

Thanks, you confirmed my suspicion then.

The golden rule is that a user must not forget his password while away from the Office.

The only other way to then get into the machine would be to log in with a local account (if there is one enabled and the user can obtain that password by either knowing it or getting it from his LAN Administrator).

Thanks for your comment above about the expired AD password still being usable while the PC is not connected to a Domain Controller.

Regards,
Reinhard
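The thread's two offline fallbacks are that Windows keeps accepting the cached domain password after it expires on the DC, and that an enabled local administrator account exists as a last resort. Both depend on machine settings that can silently differ from laptop to laptop. An added example, not code from the original thread: a PowerShell function to run on a notebook (elevated, Windows 10 / PowerShell 5.1 or later for `Get-LocalUser`) before the user travels, reporting the cached-logon count from the real `Winlogon` registry key and the state of the built-in Administrator account. The function name is an assumption. One practitioner caveat the thread's own setup raises: a single shared local admin password across all laptops means one leaked password unlocks every laptop, so a per-machine local admin password is the usual hardening of that fallback.

```powershell
# Added example (not from the original thread): confirm on the notebook that the
# two offline fallbacks discussed above are actually available:
#   1. cached domain logons are enabled (so an expired/unreachable DC still
#      lets the user in with the old password), and
#   2. the built-in local Administrator account is enabled for last-resort use.
# Assumes Windows 10 / PowerShell 5.1+ (Get-LocalUser) and an elevated session.
function Test-OfflineLogonReadiness {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # Backs the policy "Interactive logon: Number of previous logons to cache".
    # The Windows default is 10; a value of 0 disables cached logons entirely,
    # which would lock a remote user out as soon as the DC is unreachable.
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
                -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $cached) { $cached = 10 }   # absent value = Windows default

    # The built-in Administrator always has RID 500; match on the SID rather than
    # the name, because the account may have been renamed by policy.
    $builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

    [PSCustomObject]@{
        CachedLogonsCount     = [int]$cached
        CachedLogonsEnabled   = ([int]$cached -gt 0)
        LocalAdminName        = $builtinAdmin.Name
        LocalAdminEnabled     = [bool]$builtinAdmin.Enabled
        LocalAdminPasswordSet = ($null -ne $builtinAdmin.PasswordLastSet)
    }
}

Test-OfflineLogonReadiness | Format-List
```

If `CachedLogonsEnabled` is false, KCTS's observation that the expired password keeps working offline no longer holds for that machine, and the user must be told before leaving; if `LocalAdminEnabled` is false, the helpdesk's "log in as pc name\administrator" fallback is unavailable as well.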
