Russ - With the newer versions of the Cisco VPN client you can configure the client to allow logon to the network via VPN before you log on to the notebook. When you first start up the system and hit Ctrl-Alt-Del to get the regular logon box, a Cisco VPN connection dialog comes up instead. You use this dialog to connect by VPN first so that you are actually authenticating your account with a domain controller, then you get a logon box again for logging on to the machine. This keeps the cached account information and the domain account information in sync.
If users change their password while connected by VPN, the cached credentials on the notebook are not updated. If they restart the notebook, they have to log on using their old password. When they next connect by VPN they will have to provide their new password. As soon as their machine tries to access network resources, it passes the old password information and causes the user's account to lock out very quickly (assuming you have account lockout enabled).
On the 3.6.3 client, you would go into Options -> Windows Logon Properties and select Enable Start Before Logon. You would also want to select Disconnect VPN Connection While Logging Off. I believe this requires a system restart so that it hooks into the security dialog (msgina?).
If you need to go update your remote clients and you use SMS 2003, you may also want to upgrade your VPN clients at the same time to the 4.x VPN Client. Microsoft's notes say that the 4.x client will accurately report the IP address assigned by your VPN concentrator, as opposed to the IP address the notebook has on the user's personal network, so that the SMS 2003 Client boundary calculations will work properly.
We also have a ton of users with non-expiring passwords because they needed remote access in the past. One of my tasks this week is to get them to change their passwords, then we will set them to start expiring. We still need to figure out how to take care of remote users who only connect by dial-up direct to our company (no broadband available).
Jeff Salisbury
Network Infrastructure and Security Manager
Belkin Corporation
Information Services
310 604-2061
310 604-2022 fax
www.belkin.com
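The failure mode Jeff describes (a password changed over VPN, then a lockout minutes later when the notebook replays its cached old password) leaves a recognisable pattern in the domain controller's security log: a password-change event for a user followed shortly by a lockout from the same machine. The script below is an added example, not part of the original thread; it correlates constructed sample events using the Windows event IDs 4723/4724 (password change/reset) and 4740 (account locked out) so an admin can pick out lockouts that are probably stale cached credentials rather than a guessing attack.

```python
from datetime import datetime, timedelta

# Constructed sample events (timestamp, event_id, user, source machine); not real log data.
SAMPLE_EVENTS = [
    ("2004-05-18 09:00:00", 4723, "jdoe",   "VPN-LAPTOP-01"),  # changed password over VPN
    ("2004-05-18 09:20:00", 4740, "jdoe",   "VPN-LAPTOP-01"),  # locked out 20 min later, same laptop
    ("2004-05-18 10:00:00", 4740, "asmith", "WKS-BUILD-07"),   # lockout with no recent change
    ("2004-05-18 14:00:00", 4723, "bli",    "VPN-LAPTOP-03"),
    ("2004-05-19 16:00:00", 4740, "bli",    "VPN-LAPTOP-03"),  # 26 h later: outside the window
]

PASSWORD_CHANGE_EVENTS = {4723, 4724}   # 4723 = user changed own password, 4724 = admin reset
LOCKOUT_EVENT = 4740


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def stale_credential_lockouts(events, window=timedelta(hours=24)):
    """Return lockouts that follow a password change for the same user within `window`.

    Each finding is (user, source_machine, minutes_since_change). A lockout with no
    recent password change is left alone: it may be a real guessing attempt and
    deserves a different investigation path.
    """
    changes = {}       # user -> list of password-change timestamps seen so far
    findings = []
    for ts, event_id, user, source in sorted(events, key=lambda e: e[0]):
        t = _parse(ts)
        if event_id in PASSWORD_CHANGE_EVENTS:
            changes.setdefault(user, []).append(t)
        elif event_id == LOCKOUT_EVENT:
            recent = [c for c in changes.get(user, []) if timedelta(0) <= t - c <= window]
            if recent:
                delay = t - max(recent)
                findings.append((user, source, int(delay.total_seconds() // 60)))
    return findings


if __name__ == "__main__":
    for user, source, minutes in stale_credential_lockouts(SAMPLE_EVENTS):
        print(f"{user}: locked out from {source} {minutes} min after a password change "
              f"(likely stale cached credentials on the notebook)")
```

A lockout flagged here is the cue to have the user log on to the notebook with the new password via Start Before Logon so the cache and the domain agree again.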
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 18, 2004 12:19 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] VPN users and their AD passwords
How do your VPN only users who never attach their laptop to your network change their AD passwords when they expire? We're having an issue where we have to make all our VPN users "Password never expires" because they cannot change their password when it does expire, because they're only coming in via a Cisco VPN client.
Thanks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.
This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Confidential
This e-mail and any files transmitted with it are the property
of Belkin Corporation and/or its affiliates, are confidential,
and are intended solely for the use of the individual or
entity to whom this e-mail is addressed. If you are not one
of the named recipients or otherwise have reason to believe
that you have received this e-mail in error, please notify the
sender and delete this message immediately from your computer.
Any other use, retention, dissemination, forwarding, printing
or copying of this e-mail is strictly prohibited.