Can't login Laptop on offsite

Post by chicagotech » Thu Aug 09, 2012 10:52 pm

One of our users has a problem logging in to his laptop without connecting to our domain, and he won’t be in the office for the next 3 months. This is his email:

I can't log on to my laptop (#002314) with my own username. My password isn't recognized. I tried both old & new passwords. I have been logging on as another user for a long time and may not have tried to logon to my username for months. What can I do? I'm in Minnesota doing fieldwork now.

We assume his password has expired. We don’t want to give him our domain admin password, and another user account doesn’t have admin rights. What can we do to help him?
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
chicagotech
Site Admin
 
Posts: 6356
Joined: Mon Nov 27, 2006 1:24 pm
Location: Chicago USA

Re: Can't login Laptop on offsite

Post by chicagotech » Thu Aug 09, 2012 10:53 pm

First of all, I intend to share the following knowledge with you:

If a laptop is disconnected from the domain for a long time, especially between 31 days and 60 days, the laptop will lose the security computer password against the DC. The reason is that the security password between the laptop and the DC is changed every 30 days; for example, if the computer changes the security password today and then we take this laptop outside, after 29 days the computer password must be changed, but the computer can’t connect to the domain, so the security password can’t be changed automatically. At the same time, the computer will try another old password (the previous computer password) to log on.

So, first of all, if the client can use the other domain user to log on to this laptop, that proves the laptop hasn’t lost the security channel. Then the question is: is the other user a domain user?

1. Why do you suggest the user log on locally, not to the domain?
2. The user can set up a VPN and then connect to the office network to change the password.
3. Or you can try to change the cached logon times, from the following registry entry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
You can refer to the following link:

Cached domain logon information

http://support.microsoft.com/kb/172931

By the way, OWA can change the password, but even if we can change the password, if we don’t have the site-to-site VPN built up, the user can’t log on to the domain accordingly.

Re: Can't login Laptop on offsite

Post by chicagotech » Thu Aug 09, 2012 10:54 pm

I don’t have a solution to remedy this immediate problem, but I do have a solution that can help to prevent this type of thing from happening in the future.

We incorporate an “emergency_admin” local admin account on all our customers’ desktops and laptops. In the event of some sort of problem where a user “MUST” gain access to the machine through any means necessary, we can disclose to the user the password for this account.

At the same time we disclose this password to the individual, we will issue a password change (via GPP) for all the other domain-joined machines for this account. Thus we essentially have a temporary admin account password.

Re: Can't login Laptop on offsite

Post by chicagotech » Thu Aug 09, 2012 10:55 pm

OK, you can try to create a site-to-site VPN to solve this issue.

Let’s go back to Joe’s detailed info; you can see the following article:

Machine Account Password Process

http://blogs.technet.com/b/askds/archiv ... test2.aspx

The info Joe mentioned is related to the following group policy:

computer configuration\policies\windows settings\local policies\security options\Domain member: Maximum machine account password age (by default, the value of this option is 30)

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: DisablePasswordChange

By the way, you can try to delete the cached logon number and try to solve this issue.
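
The settings named in the post above can be read directly on the laptop. The following is an added example, not part of the original thread: a read-only PowerShell check of the cached-logon count and the two "Domain member" machine account password settings. It assumes the standard Windows registry value names (`CachedLogonsCount` under Winlogon, `MaximumPasswordAge` and `DisablePasswordChange` under Netlogon\Parameters) and their built-in defaults; the helper function name is hypothetical.

```powershell
# Added example: read-only audit, nothing on the machine is changed.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Hypothetical helper: return the registry value, or the Windows default if unset.
function Get-RegValueOrDefault {
    param([string]$Path, [string]$Name, $Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $null -ne $item.$Name) { return $item.$Name }
    return $Default
}

$cached   = [int](Get-RegValueOrDefault $winlogon 'CachedLogonsCount' 10)
$maxAge   = [int](Get-RegValueOrDefault $netlogon 'MaximumPasswordAge' 30)
$noChange = [int](Get-RegValueOrDefault $netlogon 'DisablePasswordChange' 0)

# The secure channel can only be verified while a DC is reachable (for example over VPN).
try   { $channel = [string](Test-ComputerSecureChannel -ErrorAction Stop) }
catch { $channel = "unknown: $($_.Exception.Message)" }

$notes = @()
if ($cached -eq 0) {
    $notes += 'Logon caching is disabled: no domain account can log on offsite.'
} else {
    $notes += "Up to $cached users who logged on while a DC was reachable can log on offsite."
}
if ($noChange -eq 1) {
    $notes += 'Machine account password changes are disabled on this computer.'
} else {
    $notes += "Machine account password maximum age is $maxAge days."
}

[pscustomobject]@{
    CachedLogonsCount     = $cached
    MaximumPasswordAge    = $maxAge
    DisablePasswordChange = $noChange
    SecureChannel         = $channel
    Notes                 = $notes -join ' '
} | Format-List
```

Run it from an elevated PowerShell prompt on the laptop; a higher `CachedLogonsCount` keeps more users' credential verifiers on disk, so raise it only as far as offsite use requires.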

Re: Can't login Laptop on offsite

Post by chicagotech » Thu Aug 09, 2012 10:56 pm

We tried the VPN this morning, but can't make it work. The problem is that userB (userB can log in to the laptop) doesn’t have the right to create a VPN for all users. The only option is to set it up for userB only. If we try “Log on using dial-up” on the logon screen, it doesn’t allow userA (userA has the problem logging in) to establish the VPN. If we log in as userB first, userA can establish the VPN, but we can’t figure out how to change the userA domain

Re: Can't login Laptop on offsite

Post by chicagotech » Thu Aug 09, 2012 10:57 pm

1. It is impossible to create a site-to-site VPN.

2. He already tried to log on locally, but it doesn’t work. How do you delete cached logon times?

Re: Can't login Laptop on offsite

Post by chicagotech » Thu Aug 09, 2012 10:58 pm

I assumed you need to log on locally via a local account, not the domain account. If this method doesn’t work as expected, what’s the error message?

If we want to change the cached logon times, you can refer to my first reply in this thread; I assumed it may not work for this scenario, but you can try it.

Re: Can't login Laptop on offsite

Post by chicagotech » Thu Aug 09, 2012 11:02 pm

Try this:
1. Have the user log in to the VPN using a different user.
2. Then you access the computer using RDC with an admin account.
3. Create a temporary admin account and give the user the password to create a VPN for anyone. Then use Log on using dial-in to log in the user and then change the password.