Solved

Active Directory Password Expiration Notification Across the VPN

Posted on 2012-03-22
958 Views
Last Modified: 2012-09-08
Hello EE,

We have users at a remote branch office that are communicating via a Cisco ASA firewall at the branch office to a Cisco ASA firewall at the corporate office via VPN tunnel.  

They are not receiving Active Directory Password Expiration notifications and I am wondering what the best way is to allow them to receive these notifications.  It would only be for a select group of users if at all possible so the ones getting notifications don't end up getting a secondary one.
Question by:bergquistcompany
25 Comments
LVL 76

Expert Comment

by:arnold
You have to check whether the slow link detection, which is set at 500kbs by default, is leading the systems at the remote location to not load/process the GPO.
Is placing even an RODC not an option?
Do the branch office systems point to the AD DC for resolution?
RSoP on the remote system should provide info on whether the GPOs are applied. The other issue is whether the GPO is processed at logon or do they apply asynchronously.

Author Comment

by:bergquistcompany
The remote office is in another country so the slow link detection could be affecting things.  What happens if this is extended for just that office in GPO?  Will they receive expiration notifications?  I believe what is happening is they boot and log in using cached credentials, and then when the firewall gives them DNS, DHCP, etc. the VPN connection is established, so by then the GPO that says the password expiration is coming up is beyond the notification time.

With no technicians at the remote office we don't want to put any servers onsite.

All remote systems get DHCP from firewall and communicate back to corporate for GPO but I'm not sure if all those are passed through a VPN tunnel.

I can't access it with RSOP because it says the RPC server is unavailable.  I can ping it, but is it because of the VPN tunnel in between?
LVL 76

Expert Comment

by:arnold
The problem is that as long as the slow link detection is seen a GPO will not be processed, so I do not think a change on your end will propagate, but you could try.
I.e. use gpupdate to force the changed GPO to be retrieved.
Any possibility of remotely setting up a RODC?
Setting up a DC, even an RODC, will reduce the latency when all requests go through the VPN.
File sharing might see an improvement in performance.

Author Comment

by:bergquistcompany
This branch is in another country so I think you are right with the slow link detection.
There is no possibility of putting any additional hardware in the office.  It took a while to get a secure firewall to set up the ASA-ASA tunnel.  Before they only used Internet and VPN Client to access corporate.  Thus I'd like to find a way to delay GPO notification or a 3rd party notification for specific users.
LVL 76

Expert Comment

by:arnold
If you have visibility via the VPN back to the branch, you could try adjusting the slow detection rate from 500 to 50 with the knowledge that applying GPO will likely mean that their login times will increase. Remote into one of the workstations and run gpupdate /force to get the GPOs refreshed, then see if the behavior changes.
What server do you use for the DC, Win2k8 or earlier? Just info for the purpose of determining whether you can have a per-OU password policy or are stuck with a single domain-wide password policy.

Author Comment

by:bergquistcompany
Ok I will try 50.  Server is 2003 Standard
LVL 76

Expert Comment

by:arnold
2003 password settings can only exist in the default domain policy.
You might have to lower the detection domain wide.

Use GPMC to test/plan the effect if you were to set the lower threshold on the OU/branch of the remote. You could try using enforce to see if it gets pushed.

Author Comment

by:bergquistcompany
Ok I looked it up and the slow link is set to Not Configured.  If I enable this, what impact will it have on all users?  Will it help?
LVL 76

Expert Comment

by:arnold
Reducing it may lead the remote branch users to no longer see the link as slow and the GPOs will be applied.
Explanation of what does and does not get processed if a slow link is detected:
Older version http://support.microsoft.com/kb/227260
Win2k3 http://technet.microsoft.com/en-us/library/cc781031(v=ws.10).aspx
The user will not be prompted if at the time of login the VPN was down and the user logged in using the cached credentials.
I.e. the expiration will only show up on login when the DC is detected as being in range.

Author Comment

by:bergquistcompany
Will it affect users at the corporate office given they will be part of the GPO?
Has anyone used this slow link?  My concern is given "computer policy is normally processed before the logon screen appears" the networking hasn't been established thus the VPN tunnel link so they still won't get the GPO for password expiration.

I can try it but I'd like to see if others have used this as I am sure others have remote VPN users and have run into this.  If it won't impact other users in the domain I will try it.
LVL 76

Expert Comment

by:arnold
The local users are within the 500kbs such that lowering the limit will have no effect on the local systems.

The major impact on the remote users will be seen if you have a folder redirection GPO which would not have been applied, but would apply after the change, which could cause the data in the user's folders to be copied back.

Author Comment

by:bergquistcompany
Ok I will give that a try

Author Comment

by:bergquistcompany
same issue
LVL 76

Expert Comment

by:arnold
I think the steps you've taken were after the system reconnected on the LAN and may have purged the data.

Check whether the system was reconfigured to disable offline files, which also might explain the disappearance of the previous offline files.  Make sure to check while the system is not on the LAN. Hopefully, you'll be able to view the currently unsynchronized files and take the opportunity to copy them to a drive outside the sync settings, i.e. c:\missingfiles

Then when you reconnect the system to the LAN you could copy the ones that have changed.

Use robocopy/xcopy with the option to preserve the time stamps.

Author Comment

by:bergquistcompany
Where do I check if disable offline files is configured?  They are all on a domain so shouldn't have any new configuration changes as they all come through GPO even for remote users.

When I connect, do I copy the ones that changed back to the system from, e.g., the missing files folder?
LVL 76

Expert Comment

by:arnold
You can disable the offline caching option on the shares themselves under the caching button on the sharing display.
The clients can also be configured via GPO to disable offline files.

Author Comment

by:bergquistcompany
We use GPO, so is there a way in GPO to make sure password expiration gets delivered?
LVL 76

Expert Comment

by:arnold
Please explain what you mean by deliver?
If you have a user's password set to expire and the user logs in within range of the notification period of upcoming expiry, the user will be alerted and provided an option to change the password.
Cached, out of DC range, GPO does not apply nor does a password policy apply.

Author Comment

by:bergquistcompany
That is the problem: users are not being notified of the upcoming password expiry and login to find they cannot because the password is already expired.  What is this cached thing I can check as to why they are not getting notified?
LVL 76

Expert Comment

by:arnold
When they login, are they on the LAN in the presence of the DC?
Cached means they login on a computer off the LAN where a DC is unavailable.
Without understanding your setup it is difficult to see where you are looking for notification.
You can use VBScript/PowerShell to notify users of their upcoming password expiration date.
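One concrete form of the script-based notification arnold mentions, added here as an example and not taken from this thread: it reads the single domain-wide maxPwdAge (a 2003 domain has no per-OU password policy, as noted earlier) and e-mails only the members of one group, which covers the asker's wish to notify a select set of users. The group name, SMTP host and sender address are assumptions, and the group DN is assumed to contain no characters that need LDAP-filter escaping.

```powershell
# Added example, not from this thread: e-mail a chosen set of users whose domain
# password expires within $WarnDays. Plain ADSI/DirectorySearcher works against a
# Windows Server 2003 domain (no ActiveDirectory module) and reads the one domain-wide
# maxPwdAge, which is all 2003 supports. Run it as a scheduled task at corporate.
param(
    [string]$GroupName  = "Branch-PwdNotify",      # assumption: group holding the branch users
    [int]$WarnDays      = 14,                      # start warning this many days before expiry
    [string]$SmtpServer = "smtp.corp.example",     # assumption
    [string]$From       = "helpdesk@corp.example"  # assumption
)

$nc   = ([ADSI]"LDAP://RootDSE").defaultNamingContext.Value
$root = [ADSI]"LDAP://$nc"

function Find-Ldap([string]$Filter, [string[]]$Props, [string]$Scope = "Subtree") {
    $s = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter, $Props)
    $s.SearchScope = $Scope
    $s.PageSize    = 500
    return $s.FindAll()
}

# maxPwdAge is stored on the domain head as a negative Int64 of 100-ns ticks (MinValue = never).
$dom = @(Find-Ldap "(objectClass=domainDNS)" @("maxpwdage") "Base")
$raw = [Int64]$dom[0].Properties["maxpwdage"][0]
if ($raw -eq 0 -or $raw -eq [Int64]::MinValue) { throw "Domain passwords never expire; nothing to notify." }
$maxPwdAgeTicks = -$raw

$grp = @(Find-Ldap "(&(objectCategory=group)(sAMAccountName=$GroupName))" @("distinguishedname"))
if ($grp.Count -eq 0) { throw "Group '$GroupName' not found." }
$groupDn = [string]$grp[0].Properties["distinguishedname"][0]   # assumed free of LDAP-filter specials

# Direct members only; skip disabled (UAC bit 2) and "password never expires" (bit 65536).
$filter = "(&(objectCategory=person)(objectClass=user)(memberOf=$groupDn)" +
          "(!userAccountControl:1.2.840.113556.1.4.803:=2)" +
          "(!userAccountControl:1.2.840.113556.1.4.803:=65536))"
foreach ($u in Find-Ldap $filter @("samaccountname", "mail", "pwdlastset")) {
    $pls = [Int64]$u.Properties["pwdlastset"][0]
    if ($pls -eq 0) { continue }                    # "must change at next logon": already forced
    $expires  = [DateTime]::FromFileTime($pls).AddTicks($maxPwdAgeTicks)
    $daysLeft = [int][Math]::Ceiling(($expires - (Get-Date)).TotalDays)
    if ($daysLeft -gt $WarnDays) { continue }
    $name = $u.Properties["samaccountname"][0]
    $mail = $u.Properties["mail"] | Select-Object -First 1
    if (-not $mail) { Write-Warning "$name has no mail attribute; skipping."; continue }
    $when = if ($daysLeft -le 0) { "has already expired" } else { "expires in $daysLeft day(s), on $expires" }
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $mail `
        -Subject "Your domain password $when" `
        -Body "Hello $name, your password $when. While connected to the VPN, press Ctrl+Alt+Del and choose Change Password."
}
```

Because the script runs at corporate rather than on the branch workstations, it works regardless of whether the remote machines logged on with cached credentials or tripped slow link detection.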

Author Comment

by:bergquistcompany
The users are in a branch office with no DC, but it has an ASA which gives DHCP and offers the DNS address of the corporate DC where their ASA tunnels back to corporate.  Thus I believe they are considered cached until networking kicks in and would like a way for them to still get notifications.
LVL 76

Expert Comment

by:arnold
Depending on your slow link setting, even with the VPN present the connection might be seen as slow and the GPO does not apply. Alternatively, at times the VPN connection is present and the connection is sufficient, which applies the GPOs and enforces the password expiry rule.
A way to solve this is to set up a DC in the branch.

Author Comment

by:bergquistcompany
Until then is there any way to notify users?  They are 5 hours off us so getting hit when passwords expire makes for long nights.
LVL 76

Accepted Solution

by:arnold (earned 500 total points)
The problem is that if they do not get notice that their password is about to expire, their ability to change the password might be an issue as well.
Check what your slow link detection is set to when it applies to systems in the branch OU and lower the threshold from the 500kb default to 250kb, then lower until you see GPO consistently applied.
Check the VPN/branch office network usage to make sure it is not being saturated, leading to a drop of the VPN.
Best way is to have a DC at the branch which can be a fileserver that may conserve bandwidth.

Author Closing Comment

by:bergquistcompany
Great suggestions to look at