Guest
This seems like it should be a no-brainer, but I'm having trouble finding an
answer. We run an NT4 LAN with a Win2k VPN server. We're setting up some
computers that will be used at remote locations, and not be a part of any
domain other than that which houses the VPN server. Additionally, they will
usually be in the field (not directly connected to the LAN) for periods
exceeding 6 months. On the LAN, passwords expire every 90 days.
One of our first VPN users was an executive with a computer that she keeps
in the office, and one that's permanently stationed at home. She changed her
password one day from the office. Later she signed in on the home PC, having
to use cached credentials to get into Windows. Since our VPN authenticates
users with our LAN's DCs, her VPN password was different than her home
password. In the course of working while connected to the VPN, her account
got locked out. We presume it's because she had logged onto the computer
(which is a member of [MYDOMAIN]) using her old (cached) password, and then
logged onto the VPN (which authenticates in [MYDOMAIN]) using her current
password. We think that Windows sent authentication information through the
VPN using the cached credentials during the course of the connection. We've
temporarily set her password to not expire.
We are now getting ready to set up more remote PCs. When we set them up, we
plan to make them members of our domain, but if we do, we may run into the
same problem - a user will connect through the VPN, and either have an
expired password or be asked to change his / her password when connecting to
Exchange, for example. The passwords therefore have the potential to fall
"out-of-sync", and therefore lock out the user during or after a VPN session.
We considered NOT making these remote PCs domain members, but want them to
reap the benefits of domain membership - policies, updates, and eventually AD
GPs. Any thoughts as to how we could keep these passwords synchronous for
the local (cached) logon and the VPN (domain) logon? We thought of forcing
them to CTRL + ALT + DEL to the Windows Security box, and choose "Change
Password" while connected to the VPN, but we weren't sure if that would be
effective.
Any help would be greatly appreciated. Thank you.