SamBlackwood-8352 asked:

Password expiry outside of domain

Due to the current situation around the world my whole company is required to work from home. I have been informed that several users passwords are due to expire in the next few days.

If the user isn't connected to the domain then will their password actually expire? And if so then is there a way to reset it without been on the domain?

We have tried to reset the password but it won't allow it while outside of the domain.

azure-active-directory

soumi-MSFT answered:

@SamBlackwood-8352, I believe you are talking about resetting the password for your users in on-prem Active Directory. If yes, then you won't be able to reset the password until the machine on which the user is trying to reset the password is able to speak to a domain controller in your domain. Also, the password would expire based on the password expiry time limit set in your group policies.

In case users are not connected to the domain, they might not be able to find out that their password has already expired, but once they get connected back to their domain, then the old passwords would fail since already expired.

One solution is to deploy a VPN solution so that when users are working from home they can connect to the VPN, which would allow them to get connected to your internal organization network, and they can reset their password as and when required even while working from home.

Hope this helps.

Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.

SamBlackwood-8352 commented:

Thanks for your quick response. So just to clarify, if the user's password is notifying them that it's going to expire, then will they be able to log in past that expiry date if they are NOT on the domain?

Pardon my ignorance, dealing with the Windows server is still pretty new to me.

Thanks, Sam

soumi-MSFT replied to SamBlackwood-8352:

@SamBlackwood-8352, I apologize for the delay in my response. Regarding your query, the answer is yes: when your machine is off the network and is not able to reach a domain controller in the domain, it would continue working with the cached credential. Hence, with cached credentials the password still remains valid, and it would continue working until the machine gets back to the domain and contacts the Domain Controller.

Hope this helps.

Also, do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.

michev answered:
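For the admin side of the question above (finding out which users are about to expire before they lose access), the following PowerShell report is an added example and not code from the thread or from Microsoft. It assumes the RSAT ActiveDirectory module is installed and that the workstation running it can reach a domain controller (on the office network or over the VPN the answer describes); the `-Days` window is a constructed default.

```powershell
# Added example: list enabled domain users whose passwords expire within $Days days.
# msDS-UserPasswordExpiryTimeComputed is calculated by the DC and already reflects
# fine-grained password policies, so it is more reliable than PasswordLastSet + MaxPasswordAge.
param(
    [int]$Days = 7   # constructed default: report users expiring within the next week
)

Import-Module ActiveDirectory -ErrorAction Stop

$now    = Get-Date
$cutoff = $now.AddDays($Days)

# Skip disabled accounts and accounts flagged "password never expires".
Get-ADUser -Filter "Enabled -eq 'True' -and PasswordNeverExpires -eq 'False'" `
           -Properties msDS-UserPasswordExpiryTimeComputed, PasswordLastSet |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        # 0 means "must change at next logon"; Int64.MaxValue means no expiry applies.
        if ($null -eq $raw -or $raw -eq 0 -or $raw -eq [Int64]::MaxValue) { return }

        $expires = [DateTime]::FromFileTime($raw)
        [PSCustomObject]@{
            SamAccountName  = $_.SamAccountName
            PasswordLastSet = $_.PasswordLastSet
            ExpiresOn       = $expires
            DaysLeft        = [math]::Round(($expires - $now).TotalDays, 1)
        }
    } |
    Where-Object { $_.ExpiresOn -le $cutoff } |
    Sort-Object ExpiresOn |
    Format-Table -AutoSize
```

Users with a negative `DaysLeft` have already expired on the domain side even though, as the reply above notes, their cached credential still lets them sign in to the laptop; these are the ones who need a VPN or writeback path to change the password before they next reach a domain controller.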

That's where the password writeback feature comes in: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-writeback (assuming you are already using Azure AD, that is). Similarly, you can use the password change page on an AD FS install: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/update-password-customization
