BoeDillard-9400 asked BoeDillard-9400 answered

Password changes for remote users no longer on premise for AD login?

Hello,

We want people who took their laptops and PCs home to still use AD login. We don't want Azure. Is it possible to sync them? If not, can we manually edit the registry on their PC so that the AD password stored on the PC is the same as their on-prem AD password?

To be clear, their PC was on premise and joined to the domain. We did not remove it from the domain when they took it home. We are trying to avoid moving them to a new local profile on their PC. Everyone is running Win 10 x64. Our on prem AD server is 2012 R2.

windows-active-directory
BoeDillard-9400 answered

For anyone with this environment, what we did was have them connect with their VPN client while they were remote, then we changed their AD account password, locked the computer and unlocked it with the new AD password, and it worked fine.

FanFan-MSFT answered

Hi,

Users can use cached credentials for AD login.
Make sure the group policy "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" under the path Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options is configured.
This determines how many credentials can be cached.

Once users can't connect to the domain, the cached credentials will be used.

But if the password is changed on the DC while the computer is disconnected, the computer will not receive the new password.
If you want the users to use the new password, the computers need to connect to the domain and log in again to cache the new password.
If users are disconnected from the domain all the time, the computer will continue to use the old password.

For more information, you can refer to:
Interactive logon: Number of previous logons to cache
Network access: Do not allow storage of passwords and credentials for network authentication

Best Regards,


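The two procedures above (checking the cached-logon policy, and refreshing the cached password by unlocking while the DC is reachable over VPN) can be scripted on the client. The following is an added example, not code from the thread or from Microsoft: it reads the registry value that the "Interactive logon: Number of previous logons to cache" policy writes (`CachedLogonsCount` under the Winlogon key; its default is 10), confirms a domain controller is reachable so that the next logon is validated online, then locks the session so the user can unlock with the new AD password. It assumes an elevated Windows PowerShell 5.1 session on the domain-joined Windows 10 client and that the VPN tunnel is already up.

```powershell
# Added example (not from the original thread). Run elevated on the
# domain-joined Windows 10 client after the VPN client has connected.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# 1. How many interactive logons this machine caches. The security option
#    "Interactive logon: Number of previous logons to cache" writes this
#    REG_SZ value; when it is absent Windows uses its default of 10, and
#    0 disables caching entirely (offline logon then fails).
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
           -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = '10' }   # value not set => default of 10
Write-Host "CachedLogonsCount = $cached"
if ([int]$cached -eq 0) {
    Write-Warning 'Cached logons are disabled; users cannot log on while disconnected from the domain.'
}

# 2. Is a domain controller reachable right now (i.e. is the VPN actually up)?
#    The cached verifier is only refreshed by a logon the DC validates, so
#    unlocking without DC connectivity would just reuse the old password.
$domain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
try {
    $dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().FindDomainController()
    Write-Host "Reachable domain controller for ${domain}: $($dc.Name)"
} catch {
    Write-Error "No domain controller for $domain is reachable; connect the VPN first. $_"
    return
}

# 3. The computer account's secure channel should be healthy as well;
#    a broken channel also prevents online validation of the logon.
if (-not (Test-ComputerSecureChannel)) {
    Write-Warning 'Secure channel to the domain is broken; run Test-ComputerSecureChannel -Repair with domain credentials.'
}

# 4. Lock the session. When the user unlocks with the NEW AD password while
#    the DC is reachable, that logon is validated by the DC and the cached
#    credential is replaced, so the new password keeps working offline.
Write-Host 'Locking the workstation; unlock it with the new AD password.'
rundll32.exe user32.dll,LockWorkStation
```

The lock/unlock step is the same one BoeDillard-9400 describes; the checks before it are there because the unlock only refreshes the cache if the DC validated it, which is easy to get wrong when the VPN silently dropped. The script only reads the registry; changing `CachedLogonsCount` by hand is overridden the next time Group Policy applies, so adjust the policy itself if a different count is wanted.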
BoeDillard-9400 answered FanFan-MSFT commented

Thanks - that is the issue. They are not on site - probably won't be for months. We do want them to use the new AD password however the only way they connect to AD is through VPN through our firewall after they've logged in.


Hi,
Yes, for on-premises AD, the clients need to connect to the DC to refresh to the new password.

Best Regards,
Fan
