Remote user changed domain password and forgot it! How to change/fix?

Hi Experts. I need a hand because I'm having a brain-malfunction.

One of my work-at-home salesmen changed his password yesterday and promptly forgot it this morning. He's at his home office and can't even log into his laptop now. I can reset his domain account password from the office, but that won't do him any good if he can't even get into his laptop, let alone VPN. I'm drawing a blank on how to resolve this.

User has Win7. DC and Exchange 2010 are on Win2008 R2.
Eric JackIT ManagerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

jhyieslaCommented:
He could always bring it into the office and plug it into the network, but that may not be handy for him to do. If you have a way to remote control to it you could log on as the local admin and reset his password that way.
0
Eric JackIT ManagerAuthor Commented:
Yeah, if coming into the office were an easy option, that would be a snap. However, he'd need to hop a flight to get here, or spend a day in the car.

The possibility exists for remote control as the local admin, but I didn't think there was a way to reset a domain account password locally.
0
jhyieslaCommented:
The laptop caches the credentials. So, if say, you were a laptop user AND had a local office computer attached to AD and changed your AD password using the computer, the laptop wouldn't know about it. So while there's a connection between the cached credentials and AD when the user is connected to the network, there's also a disconnect which keeps him working when he's NOT connected to the network. So, you should be able to get onto the laptop as the local admin and change his "local" password to be the same one as you set up for him in AD.  That should allow him to access the laptop and then he can get on the  VPN and when he's on the VPN, you may want to have him go through whatever your procedure is for resetting his password and change it again and the laptop should then cache the new credentials just like it did the other day.
0
The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

Eric JackIT ManagerAuthor Commented:
Here's where I'm confused or misunderstanding: When I r-click on Computer and choose Manage, from the Computer Management window, under Local Users and Groups > Users, there is no user listed for his domain account. Only the local Administrator account.

I only see his domain account when looking in Local Users and Groups > Groups, and see that I've added his domain account to the Administrators group.

So I don't see where to temporarily reset his password so he can log into the laptop.
0
Scott CSenior EngineerCommented:
If the above doesn't work or you can't do it, have the user overnight the laptop to you with morning delivery.  Connect to network to resolve and overnight back with morning delivery.

You should be able to get it back to him in 2 days.  Shipping would be costly, but less than the cost of a flight.

Without his laptop for 2 days he'll be more careful in the future.

If you have OWA he should still be able to function from another computer for a couple of days.
0
Eric JackIT ManagerAuthor Commented:
I'm trying to avoid having to ship the laptop. 2 days down is eternity for a salesman who has no access to Act! and his quoting tools. He has email on his smartphone. Of course he blames IT for not allowing him to use the password he wanted (either a repeat of something he's already used or doesn't meet the complexity rules.)

We have OWA, and his smartphone, but that doesn't give him what he needs.

Would having him log in to the laptop as admin, then launching VPN as his domain account wind up syncing the laptop's cached password?
0
Scott CSenior EngineerCommented:
Salesmen are babies.  

Having him log in as Admin might work.  He can establish a VPN connection, you reset his password, then he can "switch user" and maybe get his password synced up.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jhyieslaCommented:
Sorry, hadn't considered that, but yes, you're right his AD account won't be listed if he's not logged on.

Does the VPN stay connected if you log out?

If so, you could log in as local admin and connect to VPN and then log off and have him log on and it might take his new AD password.

Here's another suggestion that I found:

Have the user log on with a local account, make sure the VPN is
connected, then run something (anything, for example Notepad) using "Run
as..." and their domain user account (DOMAIN\user or user@domain.com). That
will update the cached credentials.

If none of this works, you may need to fall back on the other experts suggestion of having him overnight the laptop to you.
0
McKnifeCommented:
With or without a vpn, he can gain access to the notebook by resetting the local administrator password (and activating the account if disabled). That can be done with various bootdisks, one is this http://pogostick.net/~pnh/ntpasswd/
When he has logged in with the local admin and you can start your vpn...(the rest has been already said). If however, you were clever enough to encrypt the notebook, which anyone should do, that bootdisk will fail.

So try that bootdisk. If he's in as administrator, he can access any data on the device, wherever it may be saved to. He can also copy account settings, so that (eventually required) program settings will be copied to accounts you might want to create instead of working with the (unconfigured) admin account.
0
Eric JackIT ManagerAuthor Commented:
@McKnife - There's no need for a boot disk. I know the local administrator password.

@jhyiesla, @ScottCha - Using a combination of your suggestions, I managed to resolve the problem. Here's the steps I used:

1. I logged into ADUC and changed his domain account password to something temporary.
2. Called user, had him log in as local Administrator. I provided him the password. Not a big deal since he's set up as a local admin anyway.
3. Once logged in as Administrator, launch VPN and log in using his domain account with new password.
4. Once VPN connection established, Told him to Ctrl-Alt-Del and Switch User.
5. Log in as domain account with temporary password.
6. Rebooted PC, had him log into PC with domain account (make sure account info was cached.)
7. Once logged in with domain account and temp password, launch VPN, then Ctrl-Alt-Del and Change Password to set his own personal password again.

This did the trick and he's up and running without any overnight shipping involved. Thanks for the help guys. For some reason, my brain just wasn't working this morning.
0
jhyieslaCommented:
You need more expresso or Dew :)

Glad we could help.
0
Scott CSenior EngineerCommented:
Awesome!!!  

That's what we're here for..  It's really cool when a team effort comes up with a fix.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.