Active Directory Password Expiration Notification Across the VPN

Hello EE,

We have users at a remote branch office that are communicating via a Cisco ASA firewall at the branch office to a Cisco ASA firewall at the corporate office via VPN tunnel.  

They are not receiving Active Directory Password Expiration notifications and I am wondering what the best way to allow them to receive these notifications.  It would only be for a select group of users if at all possible so the onces getting notifications don't end up with getting a seoncary.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

You have to check whether the slow link detection which is set at 500kbs by default is leading the systems at the remote location to not load/process the GPO.
Is placing even an RODC not an option?
Do the branch office systems point tot the ad dcvforresolution?
Rsop on the remote system should provide info on whether the gpos are applied. The other issue is whether the GPO is processed at logon or do they apply asynchronously.
bergquistcompanyAuthor Commented:
The remote office is in another country so the slow link detection could be affecting things.  What happens if this is extended for just that office in GPO?  Will they receive expiration notifications.  I believe what is happening is they boot getting using cached credentials and then when the firewall gives them DNS, DHCP, etc the VPN connection is established so by then the GPO that the password expiration is coming up is beyond the notification time.

With no technicians at the remote office we don't want to put any servers onsite.

All remote systems get DHCP from firewall and communicate back to corporate for GPO but I'm not sure if all those are passed through a VPN tunnel.

I can't access it with RSOP because it says RPC server is unavailable.  I can ping it, but is it because the VPN tunnel between?
The problem is that as long as the slow link detection is seen a GPO will not be processed so I do not think a change on your nd will propagate, but you could try.
I.e use gpupdate to forc the changed gpo retrieved.
Any possibility of remotely setting up a RODC?
Setting up a dc even RODC this will reduce the latency when all Uriel's go through the VPN.
Filesharing might see an improvement n performance.
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

bergquistcompanyAuthor Commented:
This branch is in another country so I think you are right with the slow link detection.
There is no possiblity of putting any additional hardware in the office.  It took a while to get a secure firewall to setup the ASA-ASA tunnel.  Before they only used Internet and VPN Client to access corporate.  Thus I'd like to find a way to delay GPO notification or a 3rd party notification for specific users.
If you visibility via the VPN back to the branch,myou could try adjusting the slow detection rate from 500 to 50 with the knowledge that applying GPO will likely mean that their login times will increase. Remote into one f the workstations and run the gpupdate /force to get the gpos refreshed then see if the behavior changes.
What server do you use for dc, win2k8 or earlier just info for purpose of determining whether you can have per OU password policy or stuck with a single domain wide password policy.
bergquistcompanyAuthor Commented:
Ok I will try 50.  Server is 2003 Standard
2003 password settings can only exist in the default domain policy.
You might have to lower the detection domain wide.

Use gpmc to test, plan the effect if you were to set the lower threshold on the OU, branch of the remote. You could try using the enforce to see if it gets pushed.
bergquistcompanyAuthor Commented:
Ok I looked it up and have slow link is set to Not Configured.  If I enable this what impact will it have on all users?  Will it help?
Reducing it may lead to the remote branch users to no longer see the link as slow and the gpos will be applied.
Explanation Of what dose and does not get processed if a slow link is detected.
Older version
The user will not be prompted if at the time of login, the VPN was down and the user logged in using the cached credentials.
I.e. the expiration will only show up on login and the dc is detected as being in range.
bergquistcompanyAuthor Commented:
Will it affect users at the corporate office given they will be part of the GPO?
Has anyone used this slow link?  My concern is given "computer policy is normally processed before the logon screen appears" the networking hasn't been established thus the VPN tunnel link so they still won't get the GPO for password expiration.

I can try it but I'd like to see if others have used this as I am sure others have remote VPN users and have run into this.  If it won't impact other users in the domain I will try it.
The local users are within the 500kbs such that lowering the the limit will have no affect on the local systems.

The major impact on the remote users will be see if you have folder redirection GPO which would not have been applied, but would apply after the change which could have the data in the user's folders to be copied back.
bergquistcompanyAuthor Commented:
Ok I will give that a try
bergquistcompanyAuthor Commented:
same issue
I think the steps you've taken we're after the system reconnected on the LAN and may have purged the data.

Check whether the system was reconfigured to disable offline files which also might explain the disappearance of the previous offline files.  Make sure to check while the system is not on the LAN. Hopefully, you'll be able to view the currently unsynchronized files and take the opportunity to copy them to a drive outside the synch settings I.e. c:\missingfiles

Then when you reconnect the system to the LAN you could copy the ones that have changed.

Use robocopy/xcopy with the option to preserve the time stamps.
bergquistcompanyAuthor Commented:
Where do I check if disable offline files is configured?  They are all on a domain so shouldn't have any new configuration changes as they all come through GPO even for remote users.

When I connect copy the ones that changed back to the system from the i.e. missing files?
You can disable the offline caching option on the stars themselves under the caching button on the sharing display.
The clients can also be configured vi GPO to disable offline files.
bergquistcompanyAuthor Commented:
We use GPO so is there a way in GPO to make sure password expiration gets delivered
Please explain what you mean deliver?
If you have a user's password set to expire and if the user logs in within range of the notification period of upcoming expiry, the user will be alerted and provide an option to change the password.
Cached, out f dc range, GPO does not apply nor does a password policy apply.
bergquistcompanyAuthor Commented:
that is the problem users are not being notified of the upcoming password expiry and login to find they cannot because the password is already expired.  What is this cached thing I can check as to why they are not getting notified?
When they login are they on the LAN in the presence of the DC?
Cached means they login on a computer of the LAN where a DC is unavailable.
Without understanding your setup it is difficult to see where you are looking for notification.
You can use vbscript/powershell to notify users of their upcoming password expiration date.
bergquistcompanyAuthor Commented:
The users are in a branch office with no DC, but it has an ASA which gives DHCP and offers the DNS address of the corporate DC where their ASA tunnels back to corporate.  Thus I believe they are considered cached until networking kicks in and would like a way for them to still get notifications.
Depending on your slow link setting even with the VPN present the connection might be seen as slow and the GPO does not apply. Alternatively, at times the VPN connection is present and the connection is sufficient which applies the GPOs, and enforces the password expiry rule.
A way to solve this is to setup a DC in the branch.
bergquistcompanyAuthor Commented:
Until then is there any way to notify users?  They are 5 hours off us so getting hit when passwords expires makes for long nights.
The problem is that if they do not get notice that their password is about to expire means their ability to change password might be an issue as well.
Check what your slow link detection is set to when it applies to systems in the branch OU and lower the threshold from 500kb default to 250kb, then lower until you see GPO consistently applied.
Check the VPN/branch office network usage to make sure it is not being saturated leading to a drop of the VPN.
Best way is to have a DC at the branch which can be a fileserver that may conserve bandwidth.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
bergquistcompanyAuthor Commented:
Great suggestions to look at
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.