Windows XP SP2 introduces a new, background cached password sync process that does not require the workstation to be locked, only that it be able to talk back to a DC...it's tied to Fast Logon Optimization threads...

http://support.microsoft.com/?id=824302

That KB article doesn't really describe it, but I had PSS dig around and talk to the KB author - it's just a small addition to Fast Logon Optimization that will update the cached password silently, in the background. Usually very quickly, too. We've proven this even on wireless+VPN-connected machines.

Not sure how or if the Nortel client impacts this...but since it happens AFTER user logon, I would expect not.

--James

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, November 22, 2006 12:31 PM
To: [email protected]
Subject: Re: [ActiveDir] Updating cached credentials

As I understand it, the Nortel VPN client is a shim that works at layer 3 and does not take effect until after the user session has begun. This prevents much of the normal node processing you'd like to see happen, such as control of the Windows firewall, caching of group membership and so on.

Since most companies require a password change on a regular basis for user accounts, I'm kind of surprised that you see this behavior. The way to change the user credentials on a Nortel client is to have the user use the three-finger salute (Ctrl+Alt+Del sequence) to lock the workstation after the VPN is established. When the user logs back on, this *is expected* to re-cache the credentials. This should be a familiar sequence of events for the users every password change.

Has this not addressed the problem for you to date?

On 11/22/06, Ken Cornetet <[EMAIL PROTECTED] > wrote:

Is there a way to force updating of cached credentials on an XP workstation? We have several users that seldom (if ever) connect to the corporate network directly. Instead, they log in (XP SP2) using cached credentials and connect via a Nortel VPN.

We have several group policies that are filtered by group membership. The problem is that the group membership seems to be cached on the workstation, and is never updated to reflect the new membership, and group policy is never applied.

Is there any mechanism for forcing this update?

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/[email protected]/
