Eric Jack asked:

Remote user changed domain password and forgot it! How to change/fix?

Hi Experts. I need a hand because I'm having a brain-malfunction.

One of my work-at-home salesmen changed his password yesterday and promptly forgot it this morning. He's at his home office and can't even log into his laptop now. I can reset his domain account password from the office, but that won't do him any good if he can't even get into his laptop, let alone VPN. I'm drawing a blank on how to resolve this.

User has Win7. DC and Exchange 2010 are on Win2008 R2.

jhyiesla

He could always bring it into the office and plug it into the network, but that may not be handy for him to do. If you have a way to remote control to it you could log on as the local admin and reset his password that way.

Eric Jack (ASKER)

Yeah, if coming into the office were an easy option, that would be a snap. However, he'd need to hop a flight to get here, or spend a day in the car.

The possibility exists for remote control as the local admin, but I didn't think there was a way to reset a domain account password locally.
The laptop caches the credentials. So, if say, you were a laptop user AND had a local office computer attached to AD and changed your AD password using the computer, the laptop wouldn't know about it. So while there's a connection between the cached credentials and AD when the user is connected to the network, there's also a disconnect which keeps him working when he's NOT connected to the network. So, you should be able to get onto the laptop as the local admin and change his "local" password to be the same one as you set up for him in AD. That should allow him to access the laptop and then he can get on the VPN and when he's on the VPN, you may want to have him go through whatever your procedure is for resetting his password and change it again and the laptop should then cache the new credentials just like it did the other day.
Here's where I'm confused or misunderstanding: When I r-click on Computer and choose Manage, from the Computer Management window, under Local Users and Groups > Users, there is no user listed for his domain account. Only the local Administrator account.

I only see his domain account when looking in Local Users and Groups > Groups, and see that I've added his domain account to the Administrators group.

So I don't see where to temporarily reset his password so he can log into the laptop.
If the above doesn't work or you can't do it, have the user overnight the laptop to you with morning delivery. Connect to network to resolve and overnight back with morning delivery.

You should be able to get it back to him in 2 days. Shipping would be costly, but less than the cost of a flight.

Without his laptop for 2 days he'll be more careful in the future.

If you have OWA he should still be able to function from another computer for a couple of days.
I'm trying to avoid having to ship the laptop. 2 days down is eternity for a salesman who has no access to Act! and his quoting tools. He has email on his smartphone. Of course he blames IT for not allowing him to use the password he wanted (either a repeat of something he's already used or doesn't meet the complexity rules.)

We have OWA, and his smartphone, but that doesn't give him what he needs.

Would having him log in to the laptop as admin, then launching VPN as his domain account wind up syncing the laptop's cached password?

ASKER CERTIFIED SOLUTION
Scott C

This solution is only available to members.

With or without a vpn, he can gain access to the notebook by resetting the local administrator password (and activating the account if disabled). That can be done with various bootdisks, one is this http://pogostick.net/~pnh/ntpasswd/
When he has logged in with the local admin and you can start your vpn...(the rest has been already said). If however, you were clever enough to encrypt the notebook, which anyone should do, that bootdisk will fail.

So try that bootdisk. If he's in as administrator, he can access any data on the device, wherever it may be saved to. He can also copy account settings, so that (eventually required) program settings will be copied to accounts you might want to create instead of working with the (unconfigured) admin account.
@McKnife - There's no need for a boot disk. I know the local administrator password.

@jhyiesla, @ScottCha - Using a combination of your suggestions, I managed to resolve the problem. Here are the steps I used:

1. I logged into ADUC and changed his domain account password to something temporary.
2. Called user, had him log in as local Administrator. I provided him the password. Not a big deal since he's set up as a local admin anyway.
3. Once logged in as Administrator, launch VPN and log in using his domain account with new password.
4. Once VPN connection established, told him to Ctrl-Alt-Del and Switch User.
5. Log in as domain account with temporary password.
6. Rebooted PC, had him log into PC with domain account (make sure account info was cached.)
7. Once logged in with domain account and temp password, launch VPN, then Ctrl-Alt-Del and Change Password to set his own personal password again.

This did the trick and he's up and running without any overnight shipping involved. Thanks for the help guys. For some reason, my brain just wasn't working this morning.
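
The admin-side parts of the steps above (the reset in step 1, and confirming afterwards that step 7 really replaced the temporary password), as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory module (RSAT) is available on the admin workstation; `jsmith` and both function names are placeholders.

```powershell
# Added example, not from the thread. Run from a domain-joined admin machine.
Import-Module ActiveDirectory

function Reset-ToTemporaryPassword {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)

    # Prompt for the temporary password so it never lands in shell history.
    $temp = Read-Host -AsSecureString -Prompt "Temporary password for $SamAccountName"

    # Step 1: administrative reset (same effect as Reset Password in ADUC).
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $temp

    # If the default domain policy has a non-zero minimum password age, the
    # user's own change in step 7 can be refused until that age has elapsed.
    $minAge = (Get-ADDefaultDomainPasswordPolicy).MinPasswordAge
    if ($minAge -gt [TimeSpan]::Zero) {
        Write-Warning "Minimum password age is $minAge; step 7 may have to wait."
    }

    # Return the time AD recorded for the reset, for the later check.
    (Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet).PasswordLastSet
}

function Test-TemporaryPasswordReplaced {
    param(
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        [Parameter(Mandatory=$true)][datetime]$ResetTime
    )

    # Step 7 check: PasswordLastSet moves forward only when the password
    # changes again, so a later value means the temporary one is gone.
    $user = Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet
    $user.PasswordLastSet -gt $ResetTime
}

# Usage (placeholder account name):
#   $resetTime = Reset-ToTemporaryPassword -SamAccountName 'jsmith'
#   ... user works through steps 2-7 over the VPN ...
#   Test-TemporaryPasswordReplaced -SamAccountName 'jsmith' -ResetTime $resetTime
```

A `False` result after the call means the password given out over the phone is still the account's live password.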
You need more espresso or Dew :)

Glad we could help.
Awesome!!!

That's what we're here for.. It's really cool when a team effort comes up with a fix.