password expiration for AD joined laptop

  • Question

  • Hi Guys,

    Just need someone to confirm my theory please. Our default domain policy is set to expire passwords after 60 days. A few users of ours have got laptops: computers are joined to the AD, users are using their AD accounts to log on. They always use the PC offline, at home. What happens to their laptops if they change the password from the office PC and they leave the laptop at home?

    Will they be able to log on from their laptops at home? Sorry guys, I already know the answer but I need to get some expert's advice to confirm my theory.

    Regards

    Monday, August 29, 2016 8:18 AM

All replies

  • Hi

     Yes, they can log on to these offline laptops (at home) with cached credentials. Then when they connect the laptops to the domain again, the computers sync with AD for password, GPO, etc.


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    • Proposed as answer by Wendy Jiang Thursday, September 1, 2016 8:46 AM
    • Marked as answer by Wendy Jiang Friday, September 2, 2016 9:14 AM
    Monday, August 29, 2016 10:34 AM
  • I concur with Burak, however, it would be interesting to understand your scenario a little better. Just being able to logon with cached credentials does not necessarily mean that applications will necessary work. For example, if you are an Exchange mailbox user, you will either be prompted for a username/password when opening Outlook/OWA, or will simply fail to connect.

    Also, if the computer is not connected to the domain for an extended period of time (30 days by default), then you will likely have problems when users connect the machines back to the domain when they come into the office next. This may or may not be desirable, but in most scenarios would generate some extra work for the helpdesk or associated teams to mitigate.

    Regards.

    adrian

    • Proposed as answer by Wendy Jiang Thursday, September 1, 2016 8:46 AM
    • Marked as answer by Wendy Jiang Friday, September 2, 2016 9:15 AM
    Monday, August 29, 2016 11:16 AM
  • As usual, I have missed one important thing: the password expired too.

    What happens to the laptop if the new date and time cannot be retrieved from the Directory Services since the laptop is offline? Will the users be able to log on to the laptop? Thanks

    Monday, August 29, 2016 1:08 PM
  • I totally agree with you. There's also the chance to lock out the account since the cached and the new password don't correspond to each other.
    Monday, August 29, 2016 1:12 PM
  • What happens to the laptop if the new date and time cannot be retrieved from the Directory Services since the laptop is offline? Will the users be able to log on to the laptop? >>> Still the same: users can log on with cached credentials during the offline period. But users are only able to log on to the computer. Then if users need to access OWA, other AD-integrated applications, etc., they can't access those resources.

    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    • Proposed as answer by Richard Mueller MVP Monday, August 29, 2016 3:31 PM
    • Marked as answer by Wendy Jiang Friday, September 2, 2016 9:15 AM
    • Unmarked as answer by Selva_MSN Saturday, September 17, 2016 8:32 AM
    Monday, August 29, 2016 1:14 PM
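The thread's three moving parts (cached domain logons, the machine account password rotation behind adrian's "30 days by default", and the 60-day user password expiry) can all be checked from the laptop itself. The following audit script is an added example, not code from the thread; it assumes it runs elevated on a domain-joined Windows laptop with the RSAT ActiveDirectory module installed, and `$UserName` is a placeholder for the account being checked.

```powershell
# Added audit script (not from the thread). Assumes an elevated PowerShell session on a
# domain-joined laptop with the RSAT ActiveDirectory module; $UserName is a placeholder.
param([string]$UserName = $env:USERNAME)

# 1. How many domain logons Windows keeps cached for offline sign-in (default "10"; "0" disables caching).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount).CachedLogonsCount
Write-Host "CachedLogonsCount = $cached"
if ([int]$cached -eq 0) { Write-Warning 'Cached logons disabled: users cannot sign in while offline.' }

# 2. Machine account password rotation (the 30-day default adrian refers to).
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$nl = Get-ItemProperty -Path $netlogon
$maxAge = if ($nl.MaximumPasswordAge) { $nl.MaximumPasswordAge } else { 30 }   # 30 when the value is absent
$rotationDisabled = [bool]$nl.DisablePasswordChange
Write-Host "Machine account MaximumPasswordAge = $maxAge days; DisablePasswordChange = $rotationDisabled"

# 3. Is the secure channel to the domain healthy right now? This fails while the laptop is offline.
try {
    $ok = Test-ComputerSecureChannel -ErrorAction Stop
    Write-Host "Secure channel OK: $ok"
} catch {
    Write-Warning "Secure channel test failed (offline or broken trust): $($_.Exception.Message)"
}

# 4. When does the user's domain password expire under the 60-day policy? Needs a reachable DC.
Import-Module ActiveDirectory -ErrorAction Stop
$u = Get-ADUser -Identity $UserName -Properties msDS-UserPasswordExpiryTimeComputed, PasswordLastSet, PasswordNeverExpires
$raw = $u.'msDS-UserPasswordExpiryTimeComputed'
if ($u.PasswordNeverExpires -or -not $raw -or $raw -eq [long]::MaxValue) {
    Write-Host "$UserName : password never expires (or expiry not computed)"
} else {
    $expires = [datetime]::FromFileTime($raw)
    $daysLeft = [math]::Round(($expires - (Get-Date)).TotalDays, 1)
    Write-Host "$UserName : password last set $($u.PasswordLastSet), expires $expires ($daysLeft days left)"
    if ($daysLeft -lt 0) {
        # As the thread explains: offline logon is still validated against the cached credential,
        # so expiry is only enforced once the laptop talks to a DC again.
        Write-Warning 'Password already expired; offline logon keeps working until the laptop reconnects.'
    }
}
```

Step 4 is only meaningful while the laptop can reach a domain controller; run it in the office before the user takes the laptop home, and treat a `CachedLogonsCount` of 0 as the setting that would actually block offline sign-in.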
  • So you are saying that in case of an expired password the domain laptop in offline mode (=not connected to the company network and then using the cached credentials) will accept the username's logon even if the related password is expired? Thanks
    Saturday, September 17, 2016 8:32 AM
  • Yes, users can still log on with cached credentials but, as already mentioned, can't access OWA, AD-integrated applications, etc.

    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Saturday, September 17, 2016 8:52 AM
  • What kind of security measure would permit someone to log on even if the password is expired? It doesn't make sense at all. Nonetheless, the password is cached as well as the expiration date... Sounds odd to me that the logon is still allowed.
    Saturday, September 17, 2016 1:45 PM
  • You missed the point: the user logs on with cached credentials to the local computer (when the computer is not connected to the domain), so the user can't access domain resources during this period.

    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    • Marked as answer by Selva_MSN Monday, January 16, 2017 1:35 PM
    Saturday, September 17, 2016 10:40 PM