
Control time limit of cached credentials



Guest Mike H
Posted

Hello,

We have a few laptop users with logins to our AD domain. They are sometimes offsite for quite a while. Eventually, they can no longer log in with their domain credentials. Our help desk then has to walk them through setting up a local profile so they can work.

Is there a way to set this so the credentials don't time out? Or is there a way for them to be able to authenticate remotely to our domain? I already went down the route of using our VPN client but that is not supported.

Any help would be appreciated. We'd prefer not to have to give these people local machine accounts.

Thanks,

Mike H

Guest Steve Riley [MSFT]
Posted

Cached domain credentials are useful indefinitely. Do you mean that the users' domain passwords expire?

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

 

 

 


Guest Mike H
Posted

I did not really think about the password expiration. That is probably what is happening. They will be working fine and then one day they can no longer log in using their cached credentials.

I guess the solution for these folks then would be to extend the length of time between password resets or stop forcing them to reset their passwords.

 


Guest Alun Jones
Posted

Password expiry shouldn't affect cached credentials - password expiry applies only when you're connected to the domain (because you can't change the password if you're not able to save the new password hash to a DC!)

What's more likely, IMHO, is that you've exceeded the limit of the number of cached credentials held in the machine. Also possible is that they have changed their password at the domain, then on the offline machine tried to use their new password enough times that the account has been locked.

I think you need to tell us what you mean by "can no longer log in" - what error messages are displayed? What events are logged?

Alun.

~~~~
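One way to gather what the reply above asks for, as an added example that is not part of the original thread: it reads the machine's cached-logon limit and lists which accounts have recently logged on from the cache. It assumes Windows Vista or later (Security event 4624, logon type 11), the standard `CachedLogonsCount` value under the Winlogon key, and an elevated PowerShell session on the affected laptop.

```powershell
# Added diagnostic sketch; run elevated on the laptop that refuses cached logons.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# CachedLogonsCount is a REG_SZ; a missing value means the default of 10.
$raw = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
        -ErrorAction SilentlyContinue).CachedLogonsCount
$limit = if ($null -eq $raw) { 10 } else { [int]$raw }
"Cached logon limit on this machine: $limit"
if ($limit -eq 0) {
    'Caching is disabled: every domain logon needs a reachable DC.'
}

# Logon type 11 (CachedInteractive) marks logons validated against the local cache.
$xpath  = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='11']]"
$events = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 200 `
          -ErrorAction SilentlyContinue

# Pull the account name out of each event and summarise per user.
$byUser = $events | ForEach-Object {
    $data = ([xml]$_.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Time = $_.TimeCreated
        User = '{0}\{1}' -f ($data | Where-Object Name -eq 'TargetDomainName').'#text',
                            ($data | Where-Object Name -eq 'TargetUserName').'#text'
    }
} | Group-Object User | ForEach-Object {
    [pscustomobject]@{
        User            = $_.Name
        CachedLogons    = $_.Count
        LastCachedLogon = $_.Group.Time | Sort-Object | Select-Object -Last 1
    }
}

$byUser | Sort-Object LastCachedLogon -Descending | Format-Table -AutoSize

# More distinct domain users than the limit means older cache entries get evicted.
$distinct = @($byUser).Count
"Distinct accounts seen logging on from cache: $distinct (limit $limit)"
```

If the affected user is missing from the table while other accounts appear, the cache-limit explanation fits; if the limit is 0, no domain account can log on offline at all.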

 


Posted

We've been seeing this recently also at my company. Cached credentials expire after just a day or two it seems. Then if you are disconnected from network, and trying to log on you get:

"Unable to contact domain xxxx"

 

