Password Expiration

Does anyone have a workaround for AD password expiration for VPN users? So far we've just been manually changing passwords, which works for our current amount of users. Soon, though, we'll be ratcheting up our numbers and I can see this becoming a burden.

Any help is appreciated.

Find more posts tagged with

Comments

QHalo

Are you talking about how they have cached credentials to login at home, and then require them to put in their updated password once they login to VPN? If that's the case, starting VPN prior to login has been the way we've resolved issues like these before. I believe there's an option with Cisco VPN to start the tunnel prior to machine login.

Either that or Windows 7 and DirectAccess.

burbankmarc

Actually, these machines are NOT on the domain (by design). They do, however, log into the VPN using their domain credentials, which expire every couple of months. Once the password expires instead of being asked to create a new one, which is what happens locally, they just get refused their connection.

jason_lunde

Do you use OWA at all? I know a bit off the beaten path, but we have Exchange 2007 and the OWA with that release has a way to change your windows password. Not the best option, but it is there.

burbankmarc

We do not. We're mostly a Unix shop, so almost all of our services are unix based.

I think, what I'm going to do is make a script that runs after the VPN connects which checks how long until the user's password expires. If it's within 7 days I'll just have them change it.

jason_lunde

burbankmarc wrote: »

We do not. We're mostly a Unix shop, so almost all of our services are unix based.

I think, what I'm going to do is make a script that runs after the VPN connects which checks how long until the user's password expires. If it's within 7 days I'll just have them change it.

Sorry, I should have added that that's what our admin had done as well. Realized on the way in today that I should have added that, b/c they cant very well log onto OWA if their pw has already expired. We had the benefit of our computers being joined to a domain though, so it made it a tad easier. Hope it works out for you man, let us know.