Sign in with
Sign up | Sign in
Your question

Acct. lockout - using cached pw @ Win logon & current pw f..

Last response: in Windows XP
Share
Anonymous
September 30, 2004 12:19:03 PM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

This seems like it should be a no-brainer, but I'm having trouble finding an
answer. We run an NT4 LAN with a Win2k VPN server. We're setting up some
computers that will be used at remote locations, and not be a part of any
domain other than that which houses the VPN server. Additionally, they will
usually be in the field (not directly connected to the LAN) for periods
exceeding 6 months. On the LAN, passwords expire every 90 days.
One of our first VPN users was an executive with a computer that she keeps
in the office, and one that's permanently stationed at home. She changed her
password one day from the office. Later she signed in on the home pc, having
to use cached credentials to get into Windows. Since our VPN authenticates
users with our LAN's DCs, her VPN password was different than her home
password. In the course of working while connected to the VPN, her account
got locked out. We presume it's because she had logged onto the computer
(which is a member of [MYDOMAIN]) using her old (cached) password, and then
logged onto the VPN (which authenticates in [MYDOMAIN]) using her current
password. We think that Windows sent authentication information through the
VPN using the cached credentials during the course of the connection. We've
temporarily set her password to not expire.
We are now getting ready to set up more remote pcs. When we set them up, we
plan to make them members of our domain, but if we do, we may run into the
same problem - a user will connect through the VPN, and either have an
expired password or be asked to change his / her password when connecting to
Exchange, for example. The passwords therefore have the potential to fall
"out-of-sync", and therefore lock out the user during or after a VPN session.
We considered NOT making these remote pcs domain members, but want them to
reap the benefits of domain membership - policies, updates, and eventually AD
GPs. Any thoughts as to how we could keep these passwords synchronous for
the local (cached) logon and the VPN (domain) logon? We thought of forcing
them to CTRL + ALT + DEL to the Windows Security box, and choose "Change
Password" while connected to the VPN, but we weren't sure if that would be
effective.
Any help would be greatly appreciated. Thank you.
September 30, 2004 6:13:04 PM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

I know this isn't an answer to your problem, but I am having a simialr issue.
We are using a Win2k AD controlled network, with windows XP clients. The
client comptuers in our remote sites have the similar issues..

Once a user has changed his password either in an office or on one of our
Terminal Servers, the next time he/she attempts to log on a remote computer,
in order to establish the vpn he/she must enter his old password, and log
into to windows with the old password. To avoid any problems, we have
instructed them to then log off and start over with the new passwords. This
is the case no matter how many days goes by before an attempt to log in
remotely. The cahced password into windows makes sense to me, but why does
the vpn connection still 1 password behind, ecspecilly when it validates the
users domain password???



"Kevin" wrote:

> This seems like it should be a no-brainer, but I'm having trouble finding an
> answer. We run an NT4 LAN with a Win2k VPN server. We're setting up some
> computers that will be used at remote locations, and not be a part of any
> domain other than that which houses the VPN server. Additionally, they will
> usually be in the field (not directly connected to the LAN) for periods
> exceeding 6 months. On the LAN, passwords expire every 90 days.
> One of our first VPN users was an executive with a computer that she keeps
> in the office, and one that's permanently stationed at home. She changed her
> password one day from the office. Later she signed in on the home pc, having
> to use cached credentials to get into Windows. Since our VPN authenticates
> users with our LAN's DCs, her VPN password was different than her home
> password. In the course of working while connected to the VPN, her account
> got locked out. We presume it's because she had logged onto the computer
> (which is a member of [MYDOMAIN]) using her old (cached) password, and then
> logged onto the VPN (which authenticates in [MYDOMAIN]) using her current
> password. We think that Windows sent authentication information through the
> VPN using the cached credentials during the course of the connection. We've
> temporarily set her password to not expire.
> We are now getting ready to set up more remote pcs. When we set them up, we
> plan to make them members of our domain, but if we do, we may run into the
> same problem - a user will connect through the VPN, and either have an
> expired password or be asked to change his / her password when connecting to
> Exchange, for example. The passwords therefore have the potential to fall
> "out-of-sync", and therefore lock out the user during or after a VPN session.
> We considered NOT making these remote pcs domain members, but want them to
> reap the benefits of domain membership - policies, updates, and eventually AD
> GPs. Any thoughts as to how we could keep these passwords synchronous for
> the local (cached) logon and the VPN (domain) logon? We thought of forcing
> them to CTRL + ALT + DEL to the Windows Security box, and choose "Change
> Password" while connected to the VPN, but we weren't sure if that would be
> effective.
> Any help would be greatly appreciated. Thank you.
!