VPN Users not being prompted for password change

[DotNetNewbie]

Hi,

I am hoping someone can help me?

We have recently introduced a new password policy which requires users to change their passwords on a regular basis. However I have noticed that remote field based staff who never visit the office are not receiving the 14 day warning when their passwords start to expire.

Is there any way to force this message to appear or is this simply a quirk?

Many thanks in advance.

.net

 

[compuveg]

Their machines attempt to login to the domain before their VPN is connected, with the Windows login. Though the VPN might authenticate to their AD account, it won't go through the same routine as far as checking for expired passwords, etc. Your best/easiest bet is to have them login through Exchange's OWA, which should allow them to change their password.

Just for the record I think having the VPN authenticate against their AD accounts is not a good idea. If someone learns their AD username and password, they can get into your network, and connect to any resources available to that user. If the username/password is different once they get in the VPN, they really can't do much else.

 

[mrdenny]

Getting people to remember a single password is hard enough. You want them to remember two passwords?

Now if you have a VPN token like an RSA token that's another conversation.

We use software from

http://www.netwrix.com

called the Password Expiration Notifier to email our users when there password is getting close to expiration. It'll send users three emails (you can configure when the emails go out) so that they know to change there password.

Denny
MVP
MCSA (2003) / MCDBA (SQL 2000)
MCTS (SQL 2005 / SQL 2005 BI / SQL 2008 DBA / SQL 2008 DBD / SQL 2008 BI / MWSS 3.0: Configuration / MOSS 2007: Configuration)
MCITP (SQL 2005 DBA / SQL 2008 DBA / SQL 2005 DBD / SQL 2008 DBD / SQL 2005 BI / SQL 2008 BI)

My Blog

 

[compuveg]

Show me a person in my whole office that only has one password to remember and I'll show you the person with the mop, who probably still has more than one password.

 

[mrdenny]

Agreed, everyone has lots of passwords. But having users have two passwords for work to forget can end up giving your help desk staff twice as many accounts to reset.

Lots of users can't remember there passwords, and they end up writing them down somewhere (I'm talking regular users, not IT staff). This being the case, most passwords would be written down next to each other anyway.

Denny
MVP
MCSA (2003) / MCDBA (SQL 2000)
MCTS (SQL 2005 / SQL 2005 BI / SQL 2008 DBA / SQL 2008 DBD / SQL 2008 BI / MWSS 3.0: Configuration / MOSS 2007: Configuration)
MCITP (SQL 2005 DBA / SQL 2008 DBA / SQL 2005 DBD / SQL 2008 DBD / SQL 2005 BI / SQL 2008 BI)

My Blog

 

[DotNetNewbie]

Hi,

Thanks for taking the time to reply, very much appreciated.

I am hoping to introduce RSA style tags in the future, but my immediate issue is passwords expiring without the users being notified.

I like the email of being able to send them an email, so thanks for that.

Users generally have a few passwords to remember, which generally results in them changing the passwords so they are all the same or similar!. It is and always has been a hot topic.

Again, thanks for taking the time to respond.

.net