Changing Passwords - Best practices for VPN-connected clients [Windows/Active Directory]

I’m trying to improve our success rate at user password changes over VPN. We keep running into issues with users not being able to get signed into Windows after the change, OR their accounts getting locked randomly. I know part of the issue is that we have a lot of AD-integrated apps, and those apps sometimes ‘save’ the password for re-use. I wish those apps would just try one time, fail and ask for a new password, but they don’t always do that (or at least not right away) and later on you get random account locks that the user says they didn’t cause (they claim they didn’t type their password at the point of locking the account). I almost want to build a script of sorts that basically purges all saved credentials, wherever they may be, and then have them run it BEFORE and/or AFTER each password change (once every 90 days). Unfortunately we also have users with apps on their phone that use & save AD creds, and some users have two machines (a laptop at home and a desktop on-prem, and so there are creds in two places). Anyone have any success stories from this year? Any best practices they can point me at? Looking for both completeness and simplicity if possible.
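The "purge saved credentials" script the OP describes, as an added example that is not from this thread or any of the posters: it reads the Windows Credential Manager with cmdkey, keeps only entries saved for a domain account, and deletes them only when run with -Delete. It assumes the NetBIOS domain name is CORP (a placeholder) and that cmdkey /delete accepts the target name with the "Domain:target=" or "LegacyGeneric:target=" prefix stripped, which matches documented cmdkey usage for saved RDP credentials. It only covers the Windows Credential Manager of the user who runs it; browser password stores, Outlook profiles and phone apps hold their own copies and are not touched.

```powershell
# Added example (not from the thread): report, and optionally delete, stored
# Credential Manager entries for a domain account, so that a stale saved
# password cannot keep failing against the DC after a password change.
# Assumptions: NetBIOS domain is CORP (placeholder); run as the affected user,
# not elevated, because Credential Manager is per-user.
param(
    [string]$DomainPrefix = 'CORP\',   # placeholder; replace with your NetBIOS domain
    [switch]$Delete                    # without -Delete the script only reports
)

function Get-StoredDomainCredential {
    param([string]$Prefix)
    $entries = @()
    $current = $null
    # cmdkey /list prints one block per entry with "Target:", "Type:" and "User:" lines
    foreach ($line in (cmdkey /list)) {
        if ($line -match '^\s*Target:\s*(.+)$') {
            if ($current) { $entries += $current }
            $current = [pscustomobject]@{ Target = $Matches[1].Trim(); Type = ''; User = '' }
        } elseif ($current -and $line -match '^\s*Type:\s*(.+)$') {
            $current.Type = $Matches[1].Trim()
        } elseif ($current -and $line -match '^\s*User:\s*(.+)$') {
            $current.User = $Matches[1].Trim()
        }
    }
    if ($current) { $entries += $current }
    # keep only entries that were saved for a domain account
    $entries | Where-Object { $_.User -like "$Prefix*" }
}

$found = Get-StoredDomainCredential -Prefix $DomainPrefix
if (-not $found) {
    Write-Host "No stored credentials found for $DomainPrefix"
    return
}

foreach ($e in $found) {
    # cmdkey /list shows "Domain:target=NAME" or "LegacyGeneric:target=NAME";
    # /delete wants only NAME (assumption based on documented cmdkey usage)
    $name = $e.Target -replace '^[^:]+:target=', ''
    if ($Delete) {
        Write-Host "Deleting stored credential '$name' (user $($e.User))"
        cmdkey "/delete:$name" | Out-Null
    } else {
        Write-Host "Would delete '$name' (user $($e.User)); re-run with -Delete to remove it"
    }
}
```

Run it once without -Delete to see what would go, because mapped-drive and RDP entries saved on purpose are removed along with the stale ones; after a password change the user simply re-enters the new password the next time each app asks.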

For any connect we do the following:

we give the user a temporary password to log in to the VPN with.

After the VPN connection is established, have the user press Ctrl+Alt+Del and click Change a password.

Press the Windows key + L to lock their computer after the password is changed (this keeps the VPN connection active when they sign back in so they can reach a domain controller).

Upon signing back in they will need to use their new password, which will then be cached for delegation, etc.

  1. Be sure you are connected to the VPN
  2. Press CTRL-ALT-DEL and choose the Change a password option
  3. Change your Windows passphrase
  4. Lock your computer. Unlock it with your new passphrase
  5. Re-connect to the VPN using your new passphrase

We ended up publishing this and allowed everyone to Ctrl+Alt+Canc from the interwebs.

We had a similar issue. What we ended up using was Network Auditor (https://www.netwrix.com/active_directory_auditing.html), which would check AD and list (sorted by expiration date) anyone’s account that is going to expire soon in a PDF file that gets sent to our helpdesk. Our helpdesk would then contact those users and remind them to change their password over VPN before their password expired. Users would then lock their screen and log in with the new password so that it cached on their laptops.
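A home-grown version of the expiring-password report described above, added here as an example and not part of the thread or of the Netwrix product: it asks AD for the computed expiry time of every enabled account whose password can expire and lists the ones due within N days, oldest first, as a CSV the helpdesk can work from. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read user objects; the output path is a placeholder.

```powershell
# Added example (not from the thread): list accounts whose password expires
# within $WithinDays days, sorted by expiry date, so the helpdesk can remind
# users to change it over VPN before it expires.
# Assumptions: RSAT ActiveDirectory module present; read access to user objects.
Import-Module ActiveDirectory

function Get-ExpiringPassword {
    param(
        [int]$WithinDays = 14,
        [string]$SearchBase          # optional OU DN to narrow the search
    )
    $now = Get-Date
    $query = @{
        Filter     = 'Enabled -eq $true -and PasswordNeverExpires -eq $false'
        Properties = 'msDS-UserPasswordExpiryTimeComputed', 'mail', 'PasswordLastSet'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADUser @query | ForEach-Object {
        # msDS-UserPasswordExpiryTimeComputed is a FILETIME; 0 or Int64.MaxValue
        # mean "never" (e.g. password must change at next logon, or no policy applies)
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        if (-not $raw -or $raw -eq 0 -or $raw -eq 0x7FFFFFFFFFFFFFFF) { return }
        $expires  = [DateTime]::FromFileTime($raw)
        $daysLeft = [math]::Ceiling(($expires - $now).TotalDays)
        if ($daysLeft -le $WithinDays) {
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                Mail            = $_.mail
                PasswordLastSet = $_.PasswordLastSet
                Expires         = $expires
                DaysLeft        = $daysLeft     # negative means already expired
            }
        }
    } | Sort-Object Expires
}

# Usage: report everything due in the next 14 days and hand it to the helpdesk.
$report = Get-ExpiringPassword -WithinDays 14
$report | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path 'C:\Reports\expiring-passwords.csv'   # placeholder path
```

Accounts that are already expired show up with a negative DaysLeft, which is exactly the group that ends up unable to sign in over VPN, so they are worth calling first.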

This is what we are doing with those that RDP into their workstations:

  1. While connected via VPN, launch Remote Desktop and log in.
  2. In the Remote Desktop Window, hit Ctrl + Alt + End.
  3. Select Change a password and set a new password.
  4. Wait about 1 minute, then lock your laptop (Windows Key + L).
  5. Log back in using your new password.
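Both procedures above (the local Ctrl+Alt+Del one and the RDP Ctrl+Alt+End one) depend on two things being true when the user unlocks: the VPN tunnel is still up, and a domain controller is reachable through it, so that the unlock authenticates the new password against the DC and refreshes the cached logon credential on the laptop. The following added example, which is not from the thread or any poster, checks those conditions before the user changes the password and then locks the laptop the way the steps describe. It assumes a domain-joined Windows 8/Server 2012 or later machine (for Test-NetConnection) and that LDAP (389) and Kerberos (88) are allowed across the VPN.

```powershell
# Added example (not from the thread): verify a DC is reachable over the VPN
# before the password change, then lock the workstation so the next unlock
# authenticates the new password against the DC and updates the cached logon.
# Assumptions: domain-joined machine; VPN already connected; TCP 88 and 389
# open to the DC over the tunnel; Test-NetConnection available (Win8+/2012+).
function Test-DomainControllerReachable {
    try {
        # Locator picks a DC for this machine's domain; fails fast if none is reachable
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
        $dc     = $domain.FindDomainController().Name
    } catch {
        Write-Warning "Could not locate a domain controller: $($_.Exception.Message)"
        return $false
    }
    foreach ($port in 88, 389) {
        $ok = Test-NetConnection -ComputerName $dc -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
        if (-not $ok) {
            Write-Warning "$dc is not reachable on TCP $port. Is the VPN connected?"
            return $false
        }
    }
    Write-Host "Domain controller $dc reachable on TCP 88 and 389"
    return $true
}

if (-not (Test-DomainControllerReachable)) { return }

Write-Host 'Press Ctrl+Alt+Del (or Ctrl+Alt+End inside an RDP session), choose "Change a password", and complete the change.'
Read-Host 'Press Enter here once the change succeeded'

# Lock rather than sign out: the VPN session stays up, so unlocking with the
# new password reaches the DC and refreshes the cached credential.
rundll32.exe user32.dll,LockWorkStation
```

The reason the lock/unlock step matters is that a sign-out or reboot would drop a user-level VPN tunnel; with the tunnel gone, the unlock would be validated against the old cached credential instead of the DC, which is the "can't sign in after the change" symptom from the first post.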

What happens when you ‘lock/unlock’ vs. simply change? It seems like if I’m on the laptop that I am using the account on, then simply changing the password from that laptop would be enough, right? What does the ‘lock/unlock’ do that the ‘change’ doesn’t? (Thanks, I am still learning how these things work.)

Wow, I didn’t know about this. So it’s just a single domain-joined server that is publicly available (over the internet)? And only port 443 needs to be allowed to it? Did you re-use a server you already had, or create one for this purpose?

Isn’t this a huge security risk?

Yes, only 443 needed. We created a new server and published it behind our WAF.
Configured the GPO and it worked right away.