Unable to access files/folders after password changes

[Tommy Tutone]

I'll try to explain my situation the best I can. This was in place when I
started here and I haven't had time to make any changes.

We have 2 domains in different locations connected via Windows 2000 VPN.
Previously domains were not trusted and certain users had accounts on both
domains, one on there own domain (domain 1) to access their resources and a
duplicate account on domain 2 to allow VPN access. Once they connect via VPN
they launched a desktop batch file which mapped the necessary drives on
domain 2. (I have since enabled trusts between domains but this hasn't
changed anything with this issue)

There was no password policy in place so users were using the same username
and passwords on both domains for the last 5 years. I've created a new
policy that expired the passwords and had them change passwords. The VPN for
domain 2 connection also expired and was changed to match local domain 1
password. It's a small step I know.

Now that I've done this they can no longer access the resources on domain 2.
When we launch the batch file it prompts for a username and password. The
only account that works is an old account on domain 2 that hasn't been
changed. Even the administrator account won't work.

As the administrator I can connect from server/domain 1 to server/domain 2
and access the resources. However if I logon to a workstation in domain 1
using the administrator account I cannot access resources on domain 2. I'm
not an MCSE and I've tried troubleshooting this but I'm not having any luck.
Can anyone please help? Thanks for your help in advance.

 

[Kurt]

Creating trusts allows you to assign permissions in the trusting domain to
users in the trusted domain. If you build a two-way trust you can assign
permissions in either domain to users or global groups in the other. This is
the preferred method, the way you were doing it before is a hack. I don't
know how many users you have, but in AD domains and trusts you can verify
the trusts in both domains in both directions. DNS is a big issue here and
you'll at least need forwarders. I recommend secondary zones in each domain
for the other. You mention Windows VPN, and say "Once they connect via VPN
they launched a desktop batch file which mapped the necessary drives on
domain 2". That leads me to believe that the users are individually
connecting to the remote site by launching a VPN connection on their own
computer. In that case, the trust shouldn't matter. As long as the VPN is
established directly from the local machine, they should have the same
permissions as the account they used to authenticate when the VPN connection
was accepted. Maybe the VPN connections are using different accounts than
the users? In the long run, I would recommend a pair of matching VPN
routers. Set up an IPSec VPN between locations. Then uses won't have to
launch individual VPN connections and your trusts will kick in and work.

....kurt