Password Expiration on non-connected Domain notebooks

Posted on 2013-10-14
Medium Priority
Last Modified: 2013-12-11
We have an MS AD environment with about 250 users. 3 corporate locations with AD servers in them. 10 more "job sites" with site-to-site VPN tunnels back to the main corporate network using Juniper SSG firewalls, and another 10 job sites whose networks are NOT connected to the corporate office via hardware VPNs. All users have non-Microsoft VPN software installed on their notebooks, which they use in the event they need access to the corporate network from non-connected job sites or other places.

We moved Exchange out to the cloud 2 years ago (Office 365), and have recently implemented ADFS (Federation Services) to enable single sign-on to the MS-hosted email, so they are brought back to our corporate AD environment for email authentication.

Here is our dilemma:

Users who work at job sites WITHOUT site-to-site VPNs run on CACHED CREDENTIALS, so they DO NOT get prompted when their AD PASSWORDS expire. This causes a problem when their AD passwords expire, because mail won't authenticate.

What are the ways that we can make sure remote users know when their AD passwords expire, and make it as simple as possible for them to update those passwords?

Best answer gets the points.....
Question by:new435

Assisted Solution

by:Nick Rhode
Nick Rhode earned 150 total points
ID: 39572064
The solutions I am aware of basically require a VPN connection before sign-on.


Assisted Solution

by:Hypercat (Deb)
Hypercat (Deb) earned 150 total points
ID: 39572111
The only method other than VPN I know of is to have them use OWA. The problem, however, is with the cached credentials they're using to log on to the laptop. If the laptops are joined to the domain and the users are logging on with those domain credentials, they will have some conflicts between the credentials for logging on to the laptop and the Office 365 logon.

Assisted Solution

by:Pramod Ubhe
Pramod Ubhe earned 150 total points
ID: 39572910
I have a PowerShell script that can notify users 1/5/10 days before their password expires. It sends a customized email to the user.

You will need to configure a scheduled task to run this script daily on a member server (preferably 2008) where the PowerShell AD module is installed (or you can install it through the Add Features wizard).

Let me know if you want that script.
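The following is an added illustration of the kind of daily reminder script described in this answer; it is not Pramod's script. It assumes the RSAT ActiveDirectory module, an internal SMTP relay, and a `mail` attribute on each user; the relay name, sender address and message wording are constructed placeholders.

```powershell
# Added example: daily password-expiry reminder for cached-credential users.
# Assumes the ActiveDirectory module and an anonymous internal SMTP relay;
# relay name and sender address below are placeholders, not from the thread.
Import-Module ActiveDirectory

$WarnDays   = 1, 5, 10                  # reminder thresholds from the answer
$SmtpServer = 'smtp.corp.example'       # placeholder relay
$From       = 'helpdesk@corp.example'   # placeholder sender

# Only enabled accounts whose password can actually expire and that have a mailbox.
$users = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
            -Properties 'msDS-UserPasswordExpiryTimeComputed', mail |
         Where-Object { $_.mail }

$today = (Get-Date).Date
foreach ($u in $users) {
    # Constructed attribute: already accounts for fine-grained password policies.
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # 0 or Int64.MaxValue means "not set" / "never expires"; skip those.
    if (-not $raw -or $raw -eq 0 -or $raw -eq 0x7FFFFFFFFFFFFFFF) { continue }

    $expires  = [datetime]::FromFileTime($raw)
    $daysLeft = ($expires.Date - $today).Days

    if ($WarnDays -contains $daysLeft) {
        # Constructed wording; the VPN-first step matters because a password
        # changed while connected also refreshes the notebook's cached logon.
        $body = @"
Hello $($u.GivenName),

Your network password expires on $($expires.ToString('yyyy-MM-dd')) ($daysLeft day(s) from now).
If you are at a site without a corporate network link, connect the VPN client first,
then press Ctrl+Alt+Del and choose "Change a password" so the cached credentials on your
notebook are updated at the same time as your Active Directory password.
"@
        Send-MailMessage -SmtpServer $SmtpServer -From $From -To $u.mail `
            -Subject "Your password expires in $daysLeft day(s)" -Body $body
    }
}
```

Register the script as a daily scheduled task on the member server, running under an account that can read user objects and is permitted to relay through the SMTP server.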

Accepted Solution

Pankaj_401 earned 150 total points
ID: 39572963
Managing and remembering all users whose passwords are about to expire, and sending each of them a notification to change/reset their passwords, is a very tedious task for an administrator. To ease your work you can test a particular tool or the PowerShell script suggested by pramod; for a tool you can look at this: http://download.cnet.com/Lepide-User-Password-Expiration-Reminder/3000-18501_4-75911499.html

Author Comment

ID: 39591172
Sorry for the slow response guys. I like the idea of the script, and the email, but I need a complete solution. I played around with one of my customers that has SBS, and the Remote Web Workplace uses a web browser to log into a user's PC. I set up a user to change password at next login, and when I tried to log in to RWW, I got PROMPTED to change my password!!!

How can I leverage this RDP-over-the-web technology such that I could include a LINK in that password-expiry email that brings them to a terminal server securely via a web browser?

The only open issue at that point is that the LOCAL password on the laptop won't be synchronized with the AD password inside the LAN, but the user will be able to get into MAIL, which has become the #1 needed app.

I'd like to close this question and assign points as soon as I can here.

Author Closing Comment

ID: 39712557
I spread out the points. We ended up buying a piece of software to not only send out notifications, but to also provide additional auditing and password reset functionality. Thanks for the replies.
