TOPIC: Resetting AD passwords via VPN

Resetting AD passwords via VPN 7 years 9 months ago #29327

  • kjw
My company is finally moving to AD from their old NT domain. One thing has come up that I've never been faced with before. We have a number of remote sales / support people spread out literally all over the world.

So they come in and I join their PC to the domain, they sign in and now they have a cached account... and they can use that. Our password policy says pw's expire every 45 days .. so .. this guy is in France someplace ... he does use our SSL VPN to access info on our system ... and that authenticates against our AD .. so if he connects and does a manual password reset .. does that keep him going?

Re: Resetting AD passwords via VPN 7 years 9 months ago #29336

  • drizzle
The important thing is that the user needs to only change their password when they are connected to AD over VPN. Basically, here are the steps:
1. They log in with cached credentials.
2. They establish the VPN tunnel.
3. They hit Ctrl+Alt+Del and select "Change Password".
4. Once the password is reset, they need to lock their screen (Windows Key + L -or- Ctrl+Alt+Del & Lock Computer).
5. They then need to log in with their new password to synchronize their cached credentials.

This should synchronize their cached password with AD, thus changing it in both places. If they do not update their cached credentials by locking the screen, they risk locking out their account. The system will continue to use cached credentials that are no longer acceptable on the domain.

I would also set the lockout threshold to 10 and the time limit for locking to 5 minutes. That will still keep you safe from brute force attacks.
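An added example, not part of the post above or of the original thread: a PowerShell check an administrator could run on the domain side to compare the current policy with the lockout values suggested above, list users whose passwords are about to expire so they can change them over the VPN first, and list accounts that are already locked out. It assumes the RSAT ActiveDirectory module and a reachable domain controller; the 7-day warning window is an assumed value.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$WarnDays = 7   # assumption: how many days ahead to flag expiring passwords

# 1. Default domain policy: compare with the thread's values
#    (45-day expiry, lockout threshold 10, 5-minute lockout).
#    Fine-grained password policies, if any, are not shown here.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MaxPasswordAge, LockoutThreshold,
                  LockoutDuration, LockoutObservationWindow |
    Format-List

# 2. Enabled users whose password expires within $WarnDays days.
#    msDS-UserPasswordExpiryTimeComputed is a FILETIME value; it is 0 when
#    the password must be changed at next logon and Int64.MaxValue when the
#    password never expires, so both are skipped.
$now   = Get-Date
$limit = $now.AddDays($WarnDays)

Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
           -Properties 'msDS-UserPasswordExpiryTimeComputed' |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        if ($raw -gt 0 -and $raw -lt [Int64]::MaxValue) {
            $expires = [DateTime]::FromFileTime($raw)
            if ($expires -gt $now -and $expires -le $limit) {
                [pscustomobject]@{
                    User     = $_.SamAccountName
                    Expires  = $expires
                    DaysLeft = [int]($expires - $now).TotalDays
                }
            }
        }
    } |
    Sort-Object Expires |
    Format-Table -AutoSize

# 3. Accounts currently locked out, e.g. a laptop still presenting an old
#    cached password after a change.
Search-ADAccount -LockedOut -UsersOnly |
    Select-Object SamAccountName, LastLogonDate, LockedOut |
    Format-Table -AutoSize
```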

Re: Resetting AD passwords via VPN 7 years 9 months ago #29549

  • quinnyyy
The above post relies on the fact that the VPN doesn’t authenticate using AD; as soon as you try to connect to the VPN, Windows forces you to change the password within the VPN client.

If you have users accessing the domain remotely, you need to ensure that the user has the correct DNS settings so the domain controller's IP address can be resolved via DNS. This proves tricky, as assigning static DNS settings will mean that when they are not on the network via VPN they will not be able to contact the company DNS server; if they try to access Google, for example, it will not work. You can try to explain to each user how to change settings manually (requires admin priv) or configure the VPN to enforce a DNS setting.