Resetting AD passwords via VPN
15 years 9 months ago #29327
by kjw
Resetting AD passwords via VPN was created by kjw
My company is finally moving to AD from their old NT domain. One thing has come up that I've never been faced with before. We have a number of remote sales / support people spread out literally all over the world.
So they come in and I join their PC to the domain, they sign in and now they have a cached account... and they can use that. Our password policy says pw's expire every 45 days... so this guy is in France someplace... he does use our SSL VPN to access info on our system, and that authenticates against our AD... so if he connects and does a manual password reset, does that keep him going?
15 years 9 months ago #29336
by drizzle
Replied by drizzle on topic Re: Resetting AD passwords via VPN
The important thing is that the user needs to only change their password when they are connected to AD over VPN. Basically, here are the steps:
1. They log in with cached credentials.
2. They establish the VPN tunnel.
3. They hit Ctrl+Alt+Del and select "Change Password".
4. Once password is reset, they need to lock their screen (Windows Key + L -or- Ctrl+Alt+Del & Lock Computer)
5. They then need to log in with their new password to synchronize their cached credentials.
This should synchronize their cached password with AD, thus changing it in both places. If they do not update their cached credentials by locking the screen, they risk locking out their account. The system will continue to use cached credentials that are no longer acceptable on the domain.
I would also set the lockout threshold to 10 and the time limit for locking to 5 minutes. That will still keep you safe from brute force attacks.
15 years 8 months ago #29549
by quinnyyy
Replied by quinnyyy on topic Re: Resetting AD passwords via VPN
The above post relies on the fact that the VPN doesn't authenticate using AD; as soon as you try and connect to the VPN, Windows forces you to change the password within the VPN client.
If you have users accessing the domain remotely, you need to ensure that the user has the correct DNS settings so the domain controller's IP address can be resolved via DNS. This proves tricky, as assigning static DNS settings will mean that when they are not on the network via VPN they will not be able to contact the company DNS server; if they try and access Google, for example, it will not work. You can try and explain to each user how to change settings manually (requires admin privileges) or configure the VPN to enforce a DNS setting.
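An added pre-flight check script (not posted by anyone in this thread) that a help desk could hand to a remote user to run after the VPN tunnel is up and before the "Change Password" step in drizzle's procedure. It covers quinnyyy's DNS point by resolving the domain's DC locator SRV record the way the Windows logon path does, confirms the machine's secure channel to a domain controller works through the tunnel, and reports the current password expiry so the user knows whether the change is urgent. It assumes a domain-joined Windows 10/11 client with built-in PowerShell 5.1 and no RSAT module (it uses ADSI instead); the domain name is taken from the environment and is a placeholder when run off-domain. The cmdlets used (Resolve-DnsName, Test-ComputerSecureChannel, System.DirectoryServices.DirectorySearcher) are standard Windows components; the function names are this example's own.

```powershell
# Added example: pre-flight checks before a remote user changes their AD password over VPN.
# Assumptions: domain-joined Windows client, VPN already connected, PowerShell 5.1+.
# Test-ComputerSecureChannel is documented as requiring an elevated prompt; run as admin.

$Domain = $env:USERDNSDOMAIN   # placeholder when not on a domain, e.g. "corp.example.com"

function Test-DcDnsResolution {
    # The VPN-assigned DNS servers must be able to resolve the DC locator SRV record.
    # If this fails, the client never finds a DC and the password change only touches the cache.
    param([string]$DomainName = $Domain)
    try {
        $records = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop
        $dcs = $records | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget
        return [pscustomobject]@{ Ok = $true; DomainControllers = @($dcs); Error = $null }
    } catch {
        return [pscustomobject]@{ Ok = $false; DomainControllers = @(); Error = $_.Exception.Message }
    }
}

function Test-DcSecureChannel {
    # Verifies the machine account's secure channel to a DC through the tunnel.
    # A broken channel means Ctrl+Alt+Del > Change Password cannot reach AD.
    return [bool](Test-ComputerSecureChannel)
}

function Get-PasswordExpiry {
    # Reads the constructed attribute msDS-UserPasswordExpiryTimeComputed for the user via ADSI.
    param([string]$SamAccountName = $env:USERNAME)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('msDS-UserPasswordExpiryTimeComputed')
    [void]$searcher.PropertiesToLoad.Add('pwdLastSet')
    $result = $searcher.FindOne()
    if (-not $result) { throw "User $SamAccountName not found in AD" }
    # ResultPropertyCollection keys are case-insensitive (stored lower-case).
    $rawExpiry  = [Int64]$result.Properties['msds-userpasswordexpirytimecomputed'][0]
    $pwdLastSet = [DateTime]::FromFileTime([Int64]$result.Properties['pwdlastset'][0])
    # Int64.MaxValue (0x7FFFFFFFFFFFFFFF) means "password never expires".
    $expires = if ($rawExpiry -eq [Int64]::MaxValue) { $null } else { [DateTime]::FromFileTime($rawExpiry) }
    $daysLeft = if ($expires) { [math]::Floor(($expires - (Get-Date)).TotalDays) } else { $null }
    return [pscustomobject]@{ PwdLastSet = $pwdLastSet; Expires = $expires; DaysLeft = $daysLeft }
}

# --- Run the checks in order and stop at the first failure ---
$dns = Test-DcDnsResolution
if (-not $dns.Ok) {
    Write-Warning "DC SRV record not resolvable: $($dns.Error). Fix the VPN DNS settings before changing the password."
    return
}
"Domain controllers found via DNS: $($dns.DomainControllers -join ', ')"

if (-not (Test-DcSecureChannel)) {
    Write-Warning "Secure channel to the domain is broken; a password change now would only update the cached credential."
    return
}

$exp = Get-PasswordExpiry
if ($exp.Expires) {
    "Password last set $($exp.PwdLastSet); expires $($exp.Expires) ($($exp.DaysLeft) days left)."
} else {
    "Password last set $($exp.PwdLastSet); set to never expire."
}
"All checks passed. Press Ctrl+Alt+Del > Change a password, then Win+L and unlock with the NEW password to refresh the cached credential."
```

The script deliberately stops at the first failed check because each later step depends on the earlier one: without working DNS there is no DC to talk to, and without a secure channel the password change never leaves the local machine, which is exactly the lockout scenario drizzle warns about.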