Our domain password policy enforces a change every 90 days. Our password policy also states that we (IT) shouldn't even know the users' passwords -- we're a health care facility, so it's a HIPAA thing.
It's not a problem for most users, but we have a couple of users who are telecommuters -- they connect to the VPN and work via RDP. When their password expires, they can't connect to the VPN anymore and therefore can't log in to change it. And from the experiments that I've done, connecting to a machine via RDP wouldn't work to change your password anyway; you have to be logging in locally to a domain machine. We even tried using Webex and letting them take control to type a new password into the ADUC console, but Webex is apparently too secure for that because it won't allow them to type in the password fields -- they can type anywhere else, just not in those fields.
There must be a way to support this, as there are a lot of remote employees in the workforce today. Any ideas on how we can do this and stay within our policy?