Reinhard Rensburg (South Africa) asked:
Change Active Directory Password on PC not connected to the network - is it possible?

Hi,

We have a Password Policy on Active Directory where users must change their passwords every 60 days.

What often happens is management might be abroad or away from the Office for long periods and their AD passwords expire while the notebooks are not switched on (as they use their iPads a lot for meetings when away from the Office).

They then switch on the Notebook for whatever reason to work on it while still away from the Office and can then not get into the Notebook because of the expired AD Password.

Logging on locally is possible as we have not disabled any local accounts, but because we use folder redirection the user's documents will be in a "hidden" cached location on the Laptop only visible / accessible from the notebook when logged in as the user.

How does one get the user logged in or reset his AD password on the Notebook when the notebook is not at the Office? (Even if I can do this by logging in as the local administrator and somehow reset the "cached" AD password on the Laptop so that he can just get in with his AD Account until he is back at the office.)

Thanks for any help on this one, I think it should be worth 1000 points :)

Regards,
Reinhard
L-Plate:

Hi,

What client software do your users use to connect in to the network when working remotely?
Reinhard Rensburg (asker):

Hi there L-Plate,

They make use of the Cisco VPN Client and connect with IPSec over TCP port 10000 to our network. We've got a Cisco ACS in place for the authentication (it talks to AD with LDAP) as well as a Cisco ASA5510 Firewall handling the access rules of the VPN connections.

Thanks,
Reinhard
ASKER CERTIFIED SOLUTION
L-Plate:

Just in reply to your last comment, it seems you have a very similar setup to us also.

our clients use VPN client - IPSEC. This terminates to a Cisco ASA 5500.

We also use Cisco ACS for user authentication.

Anyway, check my previous suggestion and please let me know what you think.

In addition, we have also asked remote users to keep a calendar reminder in Outlook to remind them to change password every 45 days.
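An added example, not part of this thread or of anyone's reply: a PowerShell script an administrator could run to find users whose domain password expires soon (so remote staff can be told to change it over the VPN before the 60-day limit) and, on the notebook itself, to confirm that cached domain logons are enabled so an offline logon is still possible. It assumes the RSAT ActiveDirectory module and a reachable domain controller; $WarnDays is a constructed value.

```powershell
# Added example (not from the thread). Lists enabled AD users whose password
# expires within $WarnDays days; 15 days before a 60-day limit matches the
# 45-day calendar reminder mentioned above. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$WarnDays = 15
$cutoff   = (Get-Date).AddDays($WarnDays)

Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
           -Properties 'msDS-UserPasswordExpiryTimeComputed', mail |
  ForEach-Object {
    # Constructed attribute: FILETIME of expiry; 0x7FFFFFFFFFFFFFFF means "never"
    $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
    if ($raw -and $raw -ne 0x7FFFFFFFFFFFFFFF) {
        $expires = [DateTime]::FromFileTime($raw)
        if ($expires -le $cutoff) {
            [PSCustomObject]@{
                User     = $_.SamAccountName
                Mail     = $_.mail
                Expires  = $expires
                DaysLeft = [int]($expires - (Get-Date)).TotalDays   # negative = already expired
            }
        }
    }
  } | Sort-Object Expires | Format-Table -AutoSize

# Run on the notebook (elevated): CachedLogonsCount is the number of domain
# logons Windows caches for offline use. 0 means a domain account cannot log
# on at all while disconnected, expired password or not.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached   = (Get-ItemProperty -Path $winlogon).CachedLogonsCount
"CachedLogonsCount = $cached"
```

Run the first part from any domain-joined admin workstation; the second part only makes sense on the laptop being checked.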
Reinhard Rensburg (asker):

Hi L-Plate,

This is indeed helpful as I did not know how to sync the new password (once changed on the AD Domain Controller) to the Notebook (after connected to the VPN), so the Ctrl + Alt + Del trick is definitely useful.

One scenario we're still faced with (which happened to my boss while I was on leave) is he could not get logged into his notebook, I assumed afterwards that his password expired and the Notebook didn't want to log him in (but you say that the old password will still work on the Notebook even after it expired on the domain controller), so I guess he then just forgot his password.

In a case like this where a user cannot then get into the Notebook because he, for argument's sake, forgot his AD password, does this mean there's no way of getting into Windows again if it's not connected to the network at that point in time? (L-Plate, I know you are probably also looking for this answer as it sounds to me like you've got a similar setup and problem as we've got.) I am hoping someone else might have a solution for this "user forgot password" scenario while away from the Office...

Thanks,
Reinhard


SOLUTION
Brian Pierce (United Kingdom):

Reinhard Rensburg (asker):

Hi KCTS,

Thanks, you confirmed my suspicion then.

The golden rule is that a user must not forget his password while away from the Office.

The only other way to then get into the machine would be to log in with a local account (if there is one enabled and the user can obtain that password by either knowing it or getting it from his LAN Administrator).

Thanks for your comment above about the expired AD password still being usable while the PC is not connected to a Domain Controller.

Regards,
Reinhard