Fred Yarbrough
BACKGROUND
We are migrating to a Windows 2003 AD domain with password changes required
every 90 days. In the past we did not require password changes, and our
"road warriors'" laptops belonged to our domain. They used cached credentials
when they were not connected to our network. Things worked fine for the
most part.
PROBLEM
Now that we are requiring password changes, our remote users (Windows 2000
Pro and XP Pro) log into their laptops using the cached domain credentials
and then connect to our company via VPN and dial-up. On the connection
attempt, they are forced to change the password for their AD domain
account. They can successfully change their AD domain password, but this
DOES NOT change the cached password that the system has. When they
disconnect from our network and try to log in to their laptops using the
cached domain password, they must enter their old password. Our
workaround has been for the user to connect to us and then do a CTRL ALT
DELETE and perform a change password from there. This resets both the cached
password and the domain password and works. We want to implement a policy
that passwords cannot be changed for 2 days after they are set, to keep people
from rolling their passwords back to the old one. This solution is not
acceptable for us.
We are considering making all of our laptops non-domain members. Users will
simply log in to the local machine. They will still have to log in to the
domain when they attempt to connect, but they can choose whether to keep
their local and domain accounts synchronized or not.
Thanks,
Fred
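The staleness Fred describes can be reproduced with a small model of what the laptop actually keeps. The following is an added illustration and is not part of the original post or of Windows' own code. It assumes that the cached logon verifier is the MSCache v1 (DCC1) value that Windows 2000/XP/2003 workstations store, MD4(MD4(UTF-16LE(password)) || UTF-16LE(lowercase username)); that the entry is rewritten only when the local machine itself completes a logon or password change against a reachable DC (the VPN/dial-up prompt changes the DC-side password without touching the cache); and that the account names and passwords are constructed sample data. The real cache record (encrypted blob in the LSA database, SIDs, group membership) is not modelled.

```python
"""Why a cached domain logon goes stale after a remote password change.

Illustrative model, not Windows' own code.  Assumed: the cached verifier is
the MSCache v1 (DCC1) value, MD4(NT hash || UTF-16LE(lower(username))), and
it is rewritten only by a logon or password change the local machine itself
performs against a reachable DC.  Accounts below are constructed sample data.
"""
import struct

MASK = 0xFFFFFFFF


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is absent on many OpenSSL 3
    builds, so it is spelled out here."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                           # round 1: F = (b&c)|(~b&d)
            a = _rotl((a + ((b & c) | (~b & d)) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                           # round 2: G = majority(b,c,d)
            k = (i % 4) * 4 + i // 4                  # word order 0,4,8,12,1,5,...
            a = _rotl((a + ((b & c) | (b & d) | (c & d)) + x[k] + 0x5A827999) & MASK,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                           # round 3: H = b^c^d
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _rotl((a + (b ^ c ^ d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def dcc1(username: str, password: str) -> bytes:
    """MSCache v1 verifier: MD4(NT hash || lowercase username in UTF-16LE)."""
    return md4(nt_hash(password) + username.lower().encode("utf-16-le"))


class DomainController:
    def __init__(self, accounts):
        self.hashes = {u.lower(): nt_hash(p) for u, p in accounts.items()}

    def authenticate(self, user, password):
        return self.hashes.get(user.lower()) == nt_hash(password)

    def change_password(self, user, old, new):
        if not self.authenticate(user, old):
            return False
        self.hashes[user.lower()] = nt_hash(new)
        return True


class Laptop:
    """Domain member that caches a verifier on each successful online logon
    and replays it when no DC is reachable (dc=None)."""

    def __init__(self):
        self.cache = {}                                # lower(user) -> DCC1 bytes

    def logon(self, dc, user, password):
        if dc is not None:
            if not dc.authenticate(user, password):
                return "denied"
            self.cache[user.lower()] = dcc1(user, password)   # refreshed while online
            return "online"
        if self.cache.get(user.lower()) == dcc1(user, password):
            return "cached"
        return "denied"

    def change_password_interactively(self, dc, user, old, new):
        """Ctrl+Alt+Del -> Change Password while connected: the DC is updated
        and, because the change runs on this machine, so is the cache."""
        if not dc.change_password(user, old, new):
            return False
        self.cache[user.lower()] = dcc1(user, new)
        return True


def scenario():
    """The sequence from the post; returns each logon/change outcome in order."""
    dc = DomainController({"fyarbrough": "Winter2003!"})      # constructed sample account
    pc = Laptop()
    out = [pc.logon(dc, "fyarbrough", "Winter2003!"),          # in the office: cache written
           pc.logon(None, "fyarbrough", "Winter2003!")]        # on the road: cached logon ok
    # The VPN/dial-up prompt changes the password on the DC only; the cache
    # entry on the laptop is left holding the old verifier.
    dc.change_password("fyarbrough", "Winter2003!", "Spring2004!")
    out.append(pc.logon(None, "fyarbrough", "Spring2004!"))    # new password: denied offline
    out.append(pc.logon(None, "fyarbrough", "Winter2003!"))    # old password still accepted
    # Workaround from the post: connected, Ctrl+Alt+Del -> Change Password.
    # It needs yet another new password, which is what collides with a
    # minimum password age of 2 days.
    if pc.change_password_interactively(dc, "fyarbrough", "Spring2004!", "Summer2004!"):
        out.append("changed")
    out.append(pc.logon(None, "fyarbrough", "Summer2004!"))    # cache and DC now agree
    out.append(pc.logon(None, "fyarbrough", "Winter2003!"))    # old password finally gone
    return out
```

Running scenario() walks through the post's sequence: the offline logon keeps accepting the old password and rejecting the new one until a change (or a successful online logon) is performed by the laptop itself, which is exactly what the Ctrl+Alt+Del workaround does.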