Locked out users at home

Dear sysadmins!

I’m a help desk agent who is frustrated at his company.

Currently we are using Pulse Secure VPN, which you connect to only after logging in to your laptop using your credentials.

As many are working from home, some forget their password and can’t get into Windows. This means that if we change their password it doesn’t update locally for them, and the only solution is to come to the office and connect to the company Wi-Fi; then the new password syncs to their laptop.

How are you doing it in your company? There must be a better way.

Edit: Thanks for all the suggestions below!!
I’ll check with some people whether they are possible in our org.
If there are any more, please add them.

Edit2: We have a local admin account for each computer,
so I can connect with that and then connect to our VPN.
Running gpupdate /force a few times and waiting some time, I was able to sync the new password!!

Edit3: Changed the text to make it clearer, sorry for the confusion.
By “locked out” I mean that users forget their password. Not actual domain account lock, sorry.

Thanks everyone, have a great day

Our VPN can be joined pre-login from the sign-in screen. First-time user, no prob; changed creds, no prob.

When this happens with our users, our help desk will remote into the user’s machine and log in using their support creds, connect to VPN, then use fast user switching to have the normal user log in with their new reset password while the VPN is still connected.

We set up a local account for them (in addition to local admin), and set it so they can’t change the password and it never expires. That way we can direct them to that account to get on the VPN so their domain credentials can update.

We use LAPS; it works great.

You’ve got a few options:

  • Azure AD join your laptops and manage them using Intune, so that anyone with an internet connection can log in using up-to-date credentials.
  • Use a VPN that can be dialled from the login screen.
  • Use Always On VPN (successor to DirectAccess) or an equivalent that doesn’t have to be dialled manually.
  • Set up a KDC Proxy so that clients can authenticate without being on the VPN. A client-side GPO will need pushing out before this works.
  • Use remote management tools (e.g. SolarWinds RMM’s Take Control functionality) to log in with a local account and dial the VPN - requires helpdesk intervention every time.

I would suggest Always On VPN to be your best option if you have Enterprise licensing available, otherwise an SSTP VPN works quite well and can be configured very quickly.

365 with AD Sync and password writeback.

Or stop resetting passwords until everyone is back in the office, and in the meantime implement the above.

We use AD SelfService Plus by ManageEngine. Not a huge fan that it’s Windows based, but it works great. I can’t tell you when I had to reset a password for a user. They can even reset passwords after they have expired.

Prefaced: All of my endpoints are on NCentral.

User forgot their password prior to VPN?

Local admin (with nonexpiring password that is not shared) logs in, logs into VPN, let AD sync, solved.

There is a configuration for Pulse using machine certificates that allows it to auto-connect/authenticate before user login. Then, after the user is logged in, it will disconnect and prompt the user to enter their own credentials.

I haven’t gotten around to doing this yet, but it’s on my task list.

Mine makes the user come on site and plug into the network. Unless you’re IT; then you can use local admin to log in and update.

For us, we usually have a local admin or AD admin on the computer. We remote in using our agent and log in to the computer using those credentials. Once logged in, we connect to the VPN and sign in with the user account while the other account is still logged in with the VPN. This will get the new password onto the user’s computer.

I’m not an expert on Pulse Secure, but it seems they have an option to enable connecting the VPN before login (i.e., from the Windows login screen). Maybe you can look into that.

https://community.pulsesecure.net/t5/Pulse-Connect-Secure/How-to-configure-Pulse-from-the-windows-logon-screen/td-p/39094

We had this issue (although our laptops don’t lock the user out w/o LOS to the AD; after 5 attempts it just makes you wait between attempts), but just with people changing passwords.

Our ultimate solution is going to be Windows Always On VPN. We tried ManageEngine AD self-serve, but it was a little janky and not really compatible with either of the VPNs we use.

We have a remote support application that lets us log in to an unattended computer, so most of the time if it happens now we just have an IT staff member log in remotely, fire up the VPN, lock the account, then we can change the user’s pwd and get them logged in.

verifier SHALL limit consecutive failed authentication attempts on a single account to no more than 100.

  • NIST 800-63B

We use a Microsoft RRAS server and the Windows 10 built-in VPN client. If a user’s password expires or we change it (pre-expiring), the next time they connect to the VPN (using the Settings menu to connect) it prompts them to create a new password.

As far as their local computer, the password will remain their old one until it connects to the domain and updates.

So maybe you could:

  1. Get them to log on using a local password
  2. Reset their domain password
  3. Get them to connect to the VPN using the new password
  4. Do a “run as” using their domain account and new password
  5. Would that cache it?

Doesn’t seem a COVID-specific thing, though; this would have been happening before, surely?
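The “local admin, bring up the VPN, then refresh the domain password” procedure appears three times in this thread (the original poster’s Edit2, the five-step “run as” list above, and the remark that it only works if the VPN lets traffic reach the domain controllers). The script below is an added example and is not code from any of the commenters or from Pulse Secure. It runs from the local admin session once the tunnel is up, checks the things that silently break the procedure (no DC locatable, logon ports filtered by the VPN ACL, broken machine secure channel, zero cached logons), refreshes policy, and then performs the interactive `runas` logon that writes the fresh cached credential. The domain name and user name are placeholders; the script never touches the user’s password itself, `runas` prompts for it on the console.

```powershell
# Added example, not code from the thread. Pre-flight checks and the cached-credential
# refresh behind the "local admin -> VPN -> runas" procedure. Run as the local admin
# after the VPN is connected. Placeholders (assumptions): $Domain and $User.

param(
    [string]$Domain = 'corp.example',   # placeholder: your AD DNS domain name
    [string]$User   = 'jdoe'            # placeholder: account whose password was just reset
)

# 1. Locate a domain controller through the tunnel. nltest ships with Windows and
#    exits non-zero when the DC locator finds nothing (e.g. DNS not routed over the VPN).
$dcInfo = nltest "/dsgetdc:$Domain" 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Error "No domain controller reachable over the VPN:`n$dcInfo"
    exit 1
}
$match = $dcInfo | Select-String -Pattern 'DC: \\\\(\S+)'
$dc = $match.Matches[0].Groups[1].Value
Write-Host "Using DC $dc"

# 2. Check the ports an interactive domain logon needs. A VPN that "allows traffic to
#    the DCs" but filters Kerberos or SMB shows up here instead of as a vague
#    "wrong password" at the lock screen.
$needed = @{ Kerberos = 88; LDAP = 389; SMB = 445; RPC = 135 }
$blocked = foreach ($svc in $needed.Keys) {
    $ok = Test-NetConnection -ComputerName $dc -Port $needed[$svc] `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    if (-not $ok) { "$svc/$($needed[$svc])" }
}
if ($blocked) {
    Write-Warning "Blocked towards ${dc}: $($blocked -join ', '). Fix the VPN ACL before continuing."
}

# 3. The laptop's machine-account secure channel must be healthy, otherwise domain
#    logons fail regardless of the user's password.
if (-not (Test-ComputerSecureChannel)) {
    Write-Warning 'Secure channel to the domain is broken; Test-ComputerSecureChannel -Repair needs a privileged domain credential.'
}

# 4. Cached domain logons are what let the user sign in offline at all; a value of 0
#    means every logon at home needs the DC, which is exactly the failure in the thread.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon).CachedLogonsCount
Write-Host "CachedLogonsCount = $cached (Windows default is 10)"

# 5. Policy refresh while the tunnel is up (the gpupdate step from the original post).
gpupdate /target:computer /force | Out-Null

# 6. Interactive logon as the user with the NEW password. runas performs an
#    interactive (type 2) logon against the DC; a successful one is what refreshes
#    the locally cached credential for that account. The console prompt keeps the
#    password out of the script and out of the shell history. runas exits non-zero
#    when the logon is refused.
runas /user:"${User}@${Domain}" 'cmd.exe /c exit'
if ($LASTEXITCODE -eq 0) {
    Write-Host "Logon for ${User}@${Domain} succeeded; the user can now sign in at the lock screen or via fast user switching."
} else {
    Write-Warning 'runas failed: wrong password, expired account, or DC unreachable. Check the warnings above.'
}
```

The local admin password used to reach this point is the sensitive part of the whole workflow, which is why several replies pair it with LAPS: the helpdesk hands out a per-machine password and rotates it after use, so the credential that bypasses the domain logon never becomes a shared secret.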

So it’s one reason to use LAPS so you’re only giving the local password for that particular laptop.

Local Admin account with LAPS, so you can force a change after they use it.

Our WFH tools are as follows:

  • Azure AD (?)
  • Microsoft MFA
  • Checkpoint VPN

What should happen: log in to the laptop, log in to the VPN, get the MFA prompt.

When they log in to the VPN and it immediately goes to “access denied”, that means their network password is expired (or the account is locked).

They can then go to https://passwordreset.microsoftonline.com and reset their password manually (as they should) - but they need a working MFA account to do so.

Once the password reset is complete, we have them sign in to the VPN, wait several seconds so that the new password can sync with the laptop, then they are instructed to lock their computer, wait a few seconds, and log back in - thus syncing everything up.

That’s how it’s done at my location.

You can have them log in to the VPN, and they should be able to log in to Windows with the new password as long as the VPN is allowing traffic to the domain controllers.

Try https://docs.pulsesecure.net/WebHelp/Content/PCS/PCS_AdminGuide_8.2/Enabling%20LDAP%20Password%20Management.htm

Make sure to use LDAPS, not LDAP, for the connection.

Edit: in the 8.0 admin guide, go to page 864. I chose version 8 because you didn’t specify and it’s an average version. Newer and older versions should have the option too.