Stuart - Thanks for the info! Do you know if using either or both methods actually 
updates the cached credentials on the user's notebooks? If not, we would still be stuck 
with locked user account problems after the change.

Jeff

Jeff Salisbury 
Network Infrastructure and Security Manager 

Belkin Corporation 
Information Services 
310 604-2061 
310 604-2022 fax 
www.belkin.com 

-----Original Message-----
From: Fuller, Stuart [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 18, 2004 9:52 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] VPN users and their AD passwords


Check out the Cisco documentation on configuring the concentrator to support
the NT/AD password expiration feature.  We are doing this and it works like
a charm and nobody has to hit cancel.  Clients with expired password get
warned at VPN login and given an opportunity to change the password.  

See:  
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800946b9.shtml

or search cisco.com for "VPN concentrator password expiration" and take the
first result.

MS IAS config for Cisco VPN is documented here - 
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094700.shtml

-Stuart

-----Original Message-----
From: Ayers, Diane
To: [EMAIL PROTECTED]
Sent: 5/18/2004 5:56 PM
Subject: RE: [ActiveDir] VPN users and their AD passwords

Gee... you give them remote access to the company via the internet from
anywhere and they're complaining about having to hit cancel?    I would
tell them to get over it... :-)
 
Actually, with my client, I can just type in my password in the
ctrl-alt-del login box and just ignore the VPN client if I am on the
company network.   It will authenticate via normal channels.
Externally, I can choose to authenticate via the VPN client.  
 
Only if you don't let the VPN client initialize fully do you get the big
cancel button when you hit ctrl-alt-del.  Either hit cancel or wait for
the VPN client to initialize before they hit the keyboard.
 
Diane

  _____  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, May 18, 2004 4:34 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] VPN users and their AD passwords


The complaint here from users is that if they ARE on the network, they
have to hit cancel on the Cisco VPN client login so they can get to the
CTRL-ALT-DEL screen.  Is there any workaround for this, or just tell the
users to get over it?

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Ayers, Diane
Sent: Tuesday, May 18, 2004 4:15 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] VPN users and their AD passwords


I'm running v 4.0.3(D) of Cisco VPN client and it is configured as Jeff
describes below (logon to VPN before laptop logon).  I had my domain
password "expire" and IIRC, I was able to change my password at my usual
ctrl-alt-del logon after I had done my VPN login.    
 
This was after a few adult beverages so I may have been confused... :-)
 
Diane 

  _____  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jeff Salisbury
Sent: Tuesday, May 18, 2004 1:21 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] VPN users and their AD passwords


Russ - With the newer versions of the Cisco VPN client you can configure
the client to allow logon to the network via VPN before you log on to the
notebook. When you first start up the system and hit Ctrl-Alt-Del to get
the regular logon box, a Cisco VPN connection dialog comes up instead.
You use this dialog to connect by VPN first so that you are actually
authenticating your account with a domain controller, then you get a
logon box again for logging on to the machine. This keeps the cached
account information and the domain account information in sync.
 
If users change their password while connected by VPN, the cached
credentials on the notebook are not updated. If they restart the
notebook, they have to log on using their old password. When they next
connect by VPN they will have to provide their new password. As soon as
their machine tries to access network resources, it passes the old
password information and causes the user's account to lock out very
quickly (assuming you have account lockout enabled).
 
On the 3.6.3 client, you would go into Options -> Windows Logon
Properties and select Enable Start Before Logon. You would also want to
select Disconnect VPN Connection While Logging Off. I believe this
requires a system restart so that it hooks into the security dialog
(msgina?). 
 
If you need to go update your remote clients and you use SMS 2003, you
may also want to upgrade your VPN clients at the same time to the 4.x
VPN Client. Microsoft's notes say that the 4.x client will accurately
report the IP address assigned by your VPN concentrator, as opposed to
the IP address the notebook has on the user's personal network, so that
the SMS 2003 Client boundary calculations will work properly.
 
We also have a ton of users with non-expiring passwords because they
needed remote access in the past. One of my tasks this week is to get
them to change their passwords, then we will set them to start expiring.
We still need to figure out how to take care of remote users who only
connect by dial-up direct to our company (no broadband available).

Jeff Salisbury 
Network Infrastructure and Security Manager 

Belkin Corporation 
Information Services 
310 604-2061 
310 604-2022 fax 
www.belkin.com 
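The lockout pattern Jeff describes (password changed over VPN, cached credentials left stale, account locked out minutes later when the notebook replays the old password) has a simple signature in the domain security log: a lockout event for a user shortly after that user's password-change event. The script below is an added example, not from this thread or from Cisco or Microsoft; it assumes the modern event IDs 4723/4724 (password change/reset) and 4740 (lockout), and the event records it parses are constructed sample data in a simplified pipe-delimited form.

```python
"""Flag account lockouts that follow a password change within a short window:
the signature of the stale-cached-credential problem on VPN notebooks.
Added example; the events below are constructed, not real log data."""
from datetime import datetime, timedelta

# Constructed sample records: timestamp|event_id|user|caller_computer
# 4723/4724 = password change/reset, 4740 = lockout (assumed modern IDs;
# the Windows 2003-era equivalents were 627/628 and 644).
SAMPLE_EVENTS = """\
2004-05-18 09:00:00|4724|carol|DC01
2004-05-18 13:05:10|4723|alice|VPN-LAPTOP-07
2004-05-18 13:07:42|4740|alice|VPN-LAPTOP-07
2004-05-18 14:30:00|4740|bob|WS-ACCT-02
2004-05-18 15:45:00|4740|carol|VPN-LAPTOP-12
"""

PASSWORD_CHANGE_IDS = {4723, 4724}
LOCKOUT_ID = 4740


def parse_events(text):
    """Parse the pipe-delimited records into (time, event_id, user, source)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, source = line.split("|")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       int(eid), user.lower(), source))
    return sorted(events)


def stale_credential_lockouts(events, window_hours=1.0):
    """Return (user, source, minutes_since_change) for every lockout that
    occurs within window_hours of that user's most recent password change.
    A lockout with no preceding change (bob) is ignored: different cause."""
    window = timedelta(hours=window_hours)
    last_change = {}
    hits = []
    for ts, eid, user, source in events:
        if eid in PASSWORD_CHANGE_IDS:
            last_change[user] = ts
        elif eid == LOCKOUT_ID and user in last_change:
            delta = ts - last_change[user]
            if timedelta(0) <= delta <= window:
                hits.append((user, source, round(delta.total_seconds() / 60, 1)))
    return hits


if __name__ == "__main__":
    for user, source, minutes in stale_credential_lockouts(parse_events(SAMPLE_EVENTS)):
        print(f"{user}: locked out from {source} {minutes} min after a password change")
```

Accounts flagged this way are the ones to have log on through Start Before Logon (or at least re-enter the new password at the next VPN connection) before the lockout threshold is hit again.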

-----Original Message-----
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 18, 2004 12:19 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] VPN users and their AD passwords



How do your VPN only users who never attach their laptop to your network
change their AD passwords when they expire?  We're having an issue where
we have to make all our VPN users "Password never expires" because they
cannot change their password when it does expire, because they're only
coming in via a Cisco VPN client.  
 
Thanks

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
