
Force Password Change when not logged onto domain

Status
Not open for further replies.

shabbs (Technical User), Oct 10, 2001, BE
We have an Active Directory domain with a GPO applied to users' passwords (change every 90 days, 6 characters in length, etc.).

Several of our users only logon to the domain once or twice a year as they are out on the road performing sales duties.

Is it possible to force the users to change their domain password whilst logging onto the laptop, when not logging onto the domain (i.e. at home)? Once the change has been made on the laptop, will the user then be able to logon to the domain with the new password? (I don't see how as the new password will not be held in the active directory).

If this is not possible, is it still possible to force the user to change the password on the laptop every 90 days when not in the office (as if they were connected to the domain)? When they eventually log back onto the domain, will they be prompted to change the password again?
 
Systems must contact a domain controller (any DC) before allowing the user to change his password. You could set a local policy on the system about changing the password, but that will only affect the local user accounts on the system. Do you want your users to logon locally, instead of a domain account?

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers"
 
The requirement is for users to be forced to change their password every 90 days, even when not connected to the domain. For example, the user is connected to the domain on day 1 and is forced to change his password via the default GPO. The user then leaves the office and does not connect to the domain for another 90 days, at which point they should be forced to change their domain password. If the user does not connect to the domain for another 90 days then they should be prompted to change their password again. When the user eventually connects to the domain (e.g. directly or via VPN) they should be able to either log on using their new current password or be prompted to change their password before being authenticated.
 
Won't work because when they go to login to the domain, the passwords won't match up.

The only alternative is to force them to VPN into your domain on a regular basis.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
You cannot, at all, change a domain account password if you don't have a connection to the domain account at the time you wish to change it. Even when not connected to a domain, you can still log in to your domain account on a local machine, assuming that the domain account has been accessed on the domain once, and no profile data has been deleted. Windows stores the password on the local machine in reference form only, irreversible encryption. If a domain is not available to validate the password (assuming a GPO hasn't set WAIT FOR NETWORK BEFORE LOGON to enabled) then the local logon will detect no domain connection and query the local reference for the password.

If you want to set the machines to have LOCAL password change enforced, then they would need to be logging on to the LOCAL machine account, not a disconnected domain account. This means you would need to create a password policy on each local machine (or create one local policy object and export it to each machine).

If a user changes their password on the domain, then doesn't log on for 100 days, then when they come to log on, they will be prompted to change it.

Neil J Cotton
njc Information Systems
Systems Consultant
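The replies above make three points an admin can verify on a laptop rather than take on trust: a domain password change needs a reachable DC, offline logon relies on a cached verifier that the machine keeps for a limited number of accounts, and a local password policy only governs local accounts. The script below is an added example written for this thread, not code posted by any of the participants. It assumes Windows PowerShell 5.1 on a domain-joined machine, that the domain's maximum password age is 90 days as in the question, and that the RSAT ActiveDirectory module is installed for the last step; run it elevated.

```powershell
# Added example for this thread (not from the original posts).
# Assumes: Windows PowerShell 5.1, domain-joined laptop, 90-day domain password policy,
# RSAT ActiveDirectory module present for the report at the end.

# 1. Can this machine reach a DC right now? A domain password change needs this to succeed.
#    Test-ComputerSecureChannel returns $true only if the machine's secure channel to a DC works.
$dcReachable = Test-ComputerSecureChannel -ErrorAction SilentlyContinue
"Secure channel to a domain controller: $dcReachable"

# 2. How many domain logons this laptop will cache for offline use.
#    Default is 10; 0 disables offline logon entirely. Road warriors need at least 1.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = '(not set, default 10)' }
"CachedLogonsCount = $cached"

# 3. The LOCAL account password policy. As the replies say, this only applies to local
#    accounts on the laptop, never to a cached domain account.
#    To enforce a 90-day age on local accounts you would run (uncomment to apply):
#    net accounts /maxpwage:90
net accounts

# 4. Report domain users whose password age already exceeds the policy. These are the users
#    who will be forced to change their password the next time they reach a DC (directly or
#    over VPN), and who should be told to connect before that happens.
Import-Module ActiveDirectory -ErrorAction Stop
$maxAgeDays = 90   # assumed to match the domain GPO from the question
$cutoff = (Get-Date).AddDays(-$maxAgeDays)

Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
           -Properties PasswordLastSet, LastLogonDate |
    Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff } |
    Select-Object SamAccountName, PasswordLastSet,
        @{ Name = 'DaysSinceChange'; Expression = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } },
        # LastLogonDate comes from lastLogonTimestamp, which replicates only every ~14 days,
        # so treat it as "roughly when they last saw a DC", not an exact time.
        LastLogonDate |
    Sort-Object DaysSinceChange -Descending |
    Format-Table -AutoSize
```

The fourth step is the practical answer to the question as the thread settles it: nothing on the laptop can roll the domain password forward, so the useful control is knowing which users are past the 90 days and getting them onto the VPN, where the normal expiry prompt takes over.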
 