tjie asked:

While a user is on VPN, he cannot reset his password

Hi,

It is a Windows 10, Office 365 and Server 2019 environment.
The goal: The company wants remote users to be able to reset their passwords themselves.

All are given the permission in the VPN – Security Group at the Domain Controller.

We used the Global Protect for the VPN software.

I am a domain administrator in the Boba.com (my user name is Lwhite) (Complete name: Linda White)
 
I have an issue with one of the remote computers (or remote users). It is used by a user called jblack (John Black).
 
I remoted to Jblack’s computer and successfully installed “Global Protect” (the VPN software); then jblack could log in to the VPN successfully (using his credentials).
 
The problem: When Jblack is on the VPN, he needs to reset his password. He pressed CTRL + ALT + DEL, but it failed.

The things that I did: I went to a command prompt (using jblack's profile) to force the Group Policy; I used gpupdate /force, but I cannot update the policy.

Any help please.

Thanks,
Tjie
 
FOX

Is he into his computer via VPN and remote desktop? If so, while he's connected to the remote computer have him press:
CTRL +ALT +END

Try that
Please confirm the password you want to reset is the domain password and have it propagate to the laptop?

Does the VPN client you are using provide support to establish the VPN prior to the user login?

Test on your own system first as the user
When the user sets up the VPN, then chooses the change password, an error is that it could not find a DC ?

How long has the system been away from the DC versus your AD tombstone setting?

One option as you mentioned you can get onto the system, is to refresh the AD connection just to be sure.
tjie (ASKER)

@arnold:

Please confirm the password you want to reset is the domain password and have it propagate to the laptop?
Answer: Yes, it is a domain password. This password should be reset every 90 days; now, we want every user to reset it by himself (all users have got the permission for it; they are all members of the VPN security group).

Does the VPN client you are using provide support to establish the VPN prior to the user login?
Answer: Yes, it does. I go remote (using Citrix) to the user's laptop, then I installed the VPN software; then I asked the user to log in to the VPN software, and he was able to log in. Then he did CTRL + ALT + DEL > select "change the password", but it failed.

Test on your own system first as the user
When the user sets up the VPN, then chooses the change password, an error is that it could not find a DC ?
Answer: I forgot the error message; yes, it possibly could not find a DC; I am not sure. I will check it again tomorrow.

How long has the system been away from the DC versus your AD tombstone setting?
Answer: No; the laptop has been used everyday; but the domain password must be reset every 90 days to every user.

One option as you mentioned you can get onto the system, is to refresh the AD connection just to be sure.
Answer: I am clear your question. Yes, I can reset every user at the Active Directory; but this is the REASON; the company does not want to waste time for it; every user should be able to reset his / her password by themselves.

Thanks!
to confirm: the Windows 10 computer is a remote computer OR is it a computer at the office?

is the computer joined to the domain?
The question I posed dealing with establishing a VPN first deals with having the option on the login screen to check that says setup a VPN before login.
I think this is/was available with Cisco clients. You are using SonicWall?
The point being when the user login is attempted, the access to the DC will be present and the link between the laptop and the AD will be more apt for what you are trying to achieve since the login attempt to the laptop will trigger a request to the DC versus relying on the local cache.
I believe in this case, the user having had their password expired, will be prompted to change it.
If the change prompt shows up, it will be more likely that in this type of a scenario, the ctl-alt-del would also have a valid token to update the password.

Can you check the AD on the status of the Computer object for the user, whether it was marked for tombstone?

The changes you made deal with allowing users to change their AD password. They in no way deal with getting the changed AD password synchronized to the laptop. The cache on the laptop for the AD user will only update when the user is on the AD and changes the password, or logs into the laptop while on the AD with the new password.

Do you have access to a laptop that has not been on the network and on which you may have credentials to test it out?
i.e. login into the laptop while off network.
Install the global VPN
and try going through this process to update/change password.
tjie (ASKER)

@E.C:

to confirm: the Windows 10 computer is a remote computer OR is it a computer at the office?
Answer: Yes, it is a remote computer


is the computer joined to the domain?
Answer: Yes, It joined the domain

Thanks!
ASKER CERTIFIED SOLUTION
Lasse Bodilsen

This solution is only available to members.

Did the user log directly into the vpn at the login screen as in the pic below, or login first and then connect the vpn? Because the latter will use cached credentials.
User generated image
To the above image, you could try logging in using cached credentials, then establish the VPN connection.
Logout and then log back in.
See if that helps. Just beware, the user should remember the old password and the new until they confirm the new works while the VPN is not connected.
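
The checks raised in this thread (can the laptop find and reach a DC once the VPN is up, and is its link to AD healthy), as an added example that is not part of any post above. It assumes the asker's domain name Boba.com, an elevated Windows PowerShell 5.1 prompt on the remote laptop with the VPN connected, and a port list (Kerberos, LDAP, SMB, kpasswd) that is this example's choice of what to probe.

```powershell
# Added example: run on the remote laptop while the VPN tunnel is connected.
# Assumption: the AD DNS domain is the thread's Boba.com; pass -Domain to override.
param([string]$Domain = 'Boba.com')

function Test-DcReachability {
    param([string]$Domain)

    # 1. Can the client locate domain controllers through DNS over the tunnel?
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.QueryType -eq 'SRV' }
    if (-not $srv) {
        Write-Warning "No DC SRV records for $Domain. Check the DNS servers and suffix the VPN pushes."
        return
    }

    # 2. Are the ports used for logon and password change open to each DC?
    #    Test-NetConnection probes TCP only.
    $ports = [ordered]@{ Kerberos = 88; LDAP = 389; SMB = 445; Kpasswd = 464 }
    foreach ($dc in ($srv.NameTarget | Sort-Object -Unique)) {
        $row = [ordered]@{ DC = $dc }
        foreach ($name in $ports.Keys) {
            $row[$name] = Test-NetConnection -ComputerName $dc -Port $ports[$name] `
                -InformationLevel Quiet -WarningAction SilentlyContinue
        }
        [pscustomobject]$row   # one row per DC, True/False per port
    }
}

Test-DcReachability -Domain $Domain | Format-Table -AutoSize

# 3. Which DC does the Windows DC locator actually select right now?
nltest "/dsgetdc:$Domain"

# 4. Is the computer account's secure channel to the domain intact?
if (Test-ComputerSecureChannel) {
    'Secure channel: OK'
} else {
    Write-Warning 'Secure channel is broken; the computer account needs repair before a password change can work.'
}

# 5. With a DC reachable, policy refresh should now succeed.
gpupdate /force
```

A False in any column points at the VPN's routing or firewall policy rather than at AD permissions; a missing SRV answer points at the DNS settings the tunnel hands out.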