1

One of our remote users had his domain account password expire, so he logged onto a terminal server in the same site as the RRAS server he uses for RA VPN to reset his password. He stays connected 24/7 to RRAS, there are two DCs in the same site, and yet his PC still thinks his password is his old password - it has been several days and it still does not realize that his password has changed.

How can I force his PC to "get" the new password from the DC? I know that if he were to physically plug his PC into one of the domain networks it would be updated within minutes...

tacos_tacos_tacos

1 Answer

1

I am going to answer this without explaining Kerberos, because it would make this rather long, but please read up on how it works and how Windows uses it.

Workstations cache passwords indefinitely and use the cached passwords whenever they aren't able to get to AD, to make a long story short.

Locking a computer and unlocking it with the new password, while it is connected to the domain, will cause the cache to be updated (and the session to have a current "copy" of the authentication). This is useful when they remain logged in while domain connected, and the domain user's password is changed on another computer in the domain.

If the computer is not authenticating to the domain for whatever reason, it needs to do so directly and online.

The password is not "synced", and the DCs do not "push" them to workstations.

Falcon Momot
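The answer above turns on whether the workstation can actually authenticate against a DC while it is on the VPN. The following PowerShell check is an added example, not part of the original answer: it is meant to be run on the remote PC with the VPN connected, and it assumes a domain-joined Windows client where `nltest.exe` and `Test-NetConnection` are available. The variable names and the wording of the result are illustrative.

```powershell
# Added example: is a domain controller usable from this PC over the current link?
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) { throw 'This computer is not joined to a domain.' }

# Ask the DC locator for a domain controller, bypassing its cached answer (/force).
$locator = & nltest.exe "/dsgetdc:$($cs.Domain)" /force 2>&1 | Out-String
$dcName  = if ($locator -match 'DC:\s+\\\\(\S+)') { $Matches[1] } else { $null }
$dcFound = ($LASTEXITCODE -eq 0) -and [bool]$dcName

# Kerberos (88) and LDAP (389) must be reachable through the VPN for an online logon.
$ports = [ordered]@{}
foreach ($port in 88, 389) {
    $ports[$port] = $false
    if ($dcFound) {
        $probe = Test-NetConnection -ComputerName $dcName -Port $port -WarningAction SilentlyContinue
        $ports[$port] = [bool]$probe.TcpTestSucceeded
    }
}

# Number of domain logons this machine keeps cached locally
# (stored as a string; "0" disables cached logons).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cachedCount = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
                -ErrorAction SilentlyContinue).CachedLogonsCount

$online = $dcFound -and $ports[88] -and $ports[389]

[pscustomobject]@{
    Domain            = $cs.Domain
    DomainController  = $dcName
    Kerberos88        = $ports[88]
    Ldap389           = $ports[389]
    CachedLogonsCount = $cachedCount
    CanAuthOnline     = $online
}

if ($online) {
    'A DC is reachable: lock the PC and unlock it with the new password to refresh the cached credential.'
} else {
    'No DC is reachable over this connection: the PC will keep validating against its cached (old) password until name resolution and routing to a DC work.'
}
```

If `CanAuthOnline` is false while the VPN is up, look at the DNS servers and routes handed to the VPN adapter before anything else, since the DC locator depends on resolving the domain's SRV records.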