Password Expiration on non-connected Domain notebooks

We have a MS AD environment with about 250 users. 3 corporate locations with AD servers in them. 10 more "job sites" with site-to-site VPN tunnels back to the main corporate network using Juniper SSG firewalls, and another 10 job sites whose networks are NOT connected to the corporate office via hardware VPNs. All users have non-Microsoft VPN software installed on their notebooks, which they use in the event they need access to the corporate network from non-connected job sites or other places.

We moved Exchange out to the cloud 2 years ago (Office 365), and have recently implemented ADFS (Federation Services) to enable single sign-on to the MS-hosted email, so they are brought back to our corporate AD environment for email authentication.

Here is our dilemma:

Users who work at job sites WITHOUT site-to-site VPNs run on CACHED CREDENTIALS, so they DO NOT get prompted when their AD PASSWORDS expire. This causes a problem when their AD passwords expire, because mail won't authenticate.

What are the ways that we can make sure remote users know when their AD passwords expire, and make it as simple as possible for them to update those passwords?

Best answer gets the points.....
Nick Rhode, IT Director, commented:
The solutions I am aware of basically require a VPN connection before sign-on.
Hypercat (Deb) commented:
The only method other than VPN I know of is to have them use OWA. The problem, however, is with the cached credentials they're using to log on to the laptop. If the laptops are joined to the domain and the users are logging on with those domain credentials, they will have some conflicts between the credentials for logging on to the laptop and the Office 365 logon.
Pramod Ubhe commented:
I have a PowerShell script that can notify users 1/5/10 days before their password expires. It sends a customized email to the user.

You will need to configure a scheduled task to run this script daily on a member server (preferably 2008) where the PowerShell AD module is installed (or you can install it through the Add Features wizard).

Let me know if you want that script.
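An added example of the kind of notifier described above (written for this page, not Pramod's script): it runs daily as a scheduled task on a member server with the ActiveDirectory module, reads each user's computed expiry time so fine-grained password policies are honoured, and mails on the 10/5/1-day thresholds. The SMTP relay, sender address and reset URL are placeholders.

```powershell
# Added example, not the script from the thread. Assumes the RSAT ActiveDirectory
# module is present and an internal SMTP relay is reachable from this server.
Import-Module ActiveDirectory

$NotifyDays = @(10, 5, 1)                    # days-before-expiry that trigger a mail
$SmtpServer = 'smtp-relay.corp.example'      # placeholder relay
$From       = 'helpdesk@corp.example'        # placeholder sender
$ResetUrl   = 'https://remote.corp.example'  # placeholder: where users go to change it
$Now        = Get-Date
$AlreadyExpired = @()

# Enabled accounts whose password can expire and that have a mail attribute.
$users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
            -Properties mail, 'msDS-UserPasswordExpiryTimeComputed' |
         Where-Object { $_.mail }

foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # 0 or Int64.MaxValue means "no expiry" (e.g. domain policy with no max age); skip.
    if (-not $raw -or $raw -eq [Int64]::MaxValue) { continue }

    $expires  = [DateTime]::FromFileTime($raw)
    $daysLeft = [math]::Floor(($expires - $Now).TotalDays)

    # Mail to an expired user would not authenticate anyway (the problem in the
    # question), so collect those for the helpdesk instead of mailing them.
    if ($daysLeft -lt 0) { $AlreadyExpired += $u.SamAccountName; continue }
    if ($NotifyDays -notcontains $daysLeft) { continue }   # not a threshold day

    $body = @"
Hello $($u.GivenName),

Your Active Directory password expires on $($expires.ToString('f')).
Because your laptop signs you in with cached credentials, it will not prompt you.
Connect to the VPN (or use $ResetUrl) and press Ctrl+Alt+Del > Change a password
before that date, otherwise Office 365 mail will stop authenticating.

IT Helpdesk
"@
    Send-MailMessage -To $u.mail -From $From -SmtpServer $SmtpServer `
        -Subject "Your network password expires in $daysLeft day(s)" -Body $body
    Write-Host "Notified $($u.SamAccountName): $daysLeft day(s) left"
}

if ($AlreadyExpired) {
    Write-Warning ("Already expired (mail will fail for these): " + ($AlreadyExpired -join ', '))
}
```

Because the task runs once a day, each user hits each threshold exactly once; expired accounts are reported on the server rather than mailed, since their mail is exactly what no longer works.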
Managing and remembering all users whose passwords are about to expire, and sending each of them a notification to change/reset their passwords, is a very tedious task for an administrator. To ease your work you can test a particular tool or the PowerShell script suggested by Pramod; for a tool you can look at this

new435 (Author) commented:
Sorry for the slow response guys. I like the idea of the script, and the email, but I need a complete solution. I played around with one of my customers that has SBS, and the Remote Web Workplace uses a web browser to log into a user's PC. I set up a user to change password at next login, and when I tried to log in to RWW, I got PROMPTED to change my password!!!

How can I leverage this RDP-over-the-web technology such that I could include a LINK in that password-expiry email that brings them to a terminal server securely via a web browser?

The only open issue at that point is that the LOCAL password on the laptop won't be synchronized with the AD password inside the LAN, but the user will be able to get into MAIL, which has become the #1 needed app.

I'd like to close this question and assign points as soon as I can here.
new435 (Author) commented:
I spread out the points. We ended up buying a piece of software to not only send out notifications, but to also provide additional auditing and password reset functionality. Thanks for the replies.