Active Directory account password sync over VPN possible?

  • Question

  • We have some users that work from home and their PCs are on the domain network maybe twice a year; however, they VPN to work daily.

    When these users do come to the office to use another PC, AD rightfully forces them to change their password. When they get back to the PC they have at home, this password is not accepted and they have to use the old password to log in to the PC at home.

    This creates a discrepancy between the current AD password and the domain-joined PC at home that hasn't been on the work LAN for ages.

    Is there a way to get a PC that mostly connects to work over VPN to sync with AD, so that it gets GPOs, the AD password, etc.?

    Friday, October 9, 2015 10:36 AM

All replies

  • Hi,

    For AD forcing the password change, I infer that Windows may be applying a security group policy which causes it.

    If you succeeded in changing your password in the office, it is impossible to use the old password to connect to the AD domain. There is only one possibility: you used your cached credential to log on to the account at home.

    To test this possibility, you can try to use the old password to access a shared folder in the domain. If access with the old password fails, it proves you are using a cached account. The cached account is saved on your local machine and does not interact with the AD domain.

    https://support.microsoft.com/en-us/kb/172931

    After checking and confirming that you are using a cached account, you can try the steps in the link below to log on successfully with the new password.

    https://support.microsoft.com/en-us/kb/818088

    Also, after you connect to the VPN, you can try to leave the domain first and then rejoin the domain again as a test on the home PC.

    Wish you have a nice day.

     

    Best Regards

    Simon  



    Tuesday, October 13, 2015 8:33 AM
  • I think you misunderstood me.

    Yes, the laptop that was off the work network during the password change will use cached credentials, but when the user then connects to the VPN and can access the work network, and then reboots the laptop, he will still need to use the OLD cached credentials to log in, even after being connected to the VPN.

    So in my understanding, being on the VPN will not force the laptop to "sync" with AD to get new credentials, run GPOs, etc.

    Is there a way of making it work over VPN?

    Thursday, October 15, 2015 10:33 AM
  • Hi Vladimir,

    I understand your problem and I have never been able to solve it completely.

    The problem is with expired passwords which need to be reset. Password reset works well for users while they are connected to the domain locally, but it doesn't work when they connect remotely, over VPN.

    To solve this problem, you may need to purchase a third-party "self-service password reset" solution, or create such a solution yourself. You may wish to do some more research on your own. A Microsoft solution that may help you is System Center Service Manager 2012 R2 with Orchestrator. You may also need Microsoft Identity Manager.

    There are some ways you can work around the problem.

    1. VPN-only users may have their user accounts configured with "Password Never Expires".

    2. You may create a script that will send email to users when the password reset date comes near, so that they can reset their passwords in a timely manner before they expire.

    3. You may delegate the "password reset" right to non-admin users, typically the user's manager. The manager can then reset the user's password without notifying the service desk and opening a service request.

    4. I've got another idea but I did not test it. Perhaps you may expose a server or a workstation to which users will connect via Remote Desktop Protocol (RDP) from the Internet, but directly without VPN. When they try to log in with expired password, the system will (hopefully) prompt them to change the password.

    That's about all you can do. 

    Hope it helps you.


    Thursday, October 15, 2015 11:49 AM
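Workaround 2 above (a script that warns users before their password expires) written out as an added example; this is not code posted in the thread. It assumes the RSAT ActiveDirectory module on the host that runs it, an SMTP relay `smtp.corp.example` and sender `helpdesk@corp.example` (both placeholders), and a populated `mail` attribute on each user. The mail body also carries the VPN-specific instruction this thread is about: change the password while connected, so the laptop's cached credential is updated by a DC.

```powershell
# Added example (not posted in the thread): warn users whose password expires within N days.
# Assumes: RSAT ActiveDirectory module, a relay at smtp.corp.example and helpdesk@corp.example
# (both placeholders), and a populated 'mail' attribute on each user. Run daily as a scheduled task.
param(
    [int]$WarnDays = 14,
    [string]$SmtpServer = 'smtp.corp.example',
    [string]$From = 'helpdesk@corp.example',
    [switch]$DryRun
)
Import-Module ActiveDirectory

function Get-ExpiringPasswords {
    param([int]$Days)
    # Skip what cannot expire: disabled accounts and "Password Never Expires" (workaround 1 above).
    $users = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false -and mail -like "*"' `
        -Properties mail, PasswordLastSet, 'msDS-UserPasswordExpiryTimeComputed'
    $now = Get-Date
    foreach ($u in $users) {
        $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
        # Constructed attribute computed by the DC; it honours fine-grained password policies,
        # so do not add maxPwdAge to pwdLastSet yourself. Int64.MaxValue = never expires,
        # 0 = "must change at next logon" (nothing to warn about).
        if (-not $raw -or $raw -eq [Int64]::MaxValue) { continue }
        $expires  = [DateTime]::FromFileTime($raw)
        $daysLeft = [int][math]::Ceiling(($expires - $now).TotalDays)
        if ($daysLeft -le $Days) {
            [pscustomobject]@{
                User     = $u.SamAccountName
                Mail     = $u.mail
                Expires  = $expires
                DaysLeft = $daysLeft   # negative = already expired; VPN logon will now fail
            }
        }
    }
}

function New-WarningBody {
    param($Entry)
    # The instructions are the point for VPN users: change the password while connected so the
    # laptop's cached credential is updated by the DC and the new password works offline later.
    @"
Hello $($Entry.User),

Your domain password expires on $($Entry.Expires.ToString('yyyy-MM-dd HH:mm')) ($($Entry.DaysLeft) day(s) left).

If you work remotely:
  1. Connect to the VPN first.
  2. Press Ctrl+Alt+Del and choose "Change a password".
  3. After the change, lock (Win+L) and unlock the computer with the new password.
Do not wait for it to expire: an expired password cannot log on to the VPN at all.
"@
}

$expiring = Get-ExpiringPasswords -Days $WarnDays
foreach ($e in $expiring) {
    $subject = if ($e.DaysLeft -lt 0) { 'Your domain password has EXPIRED' }
               else { "Your domain password expires in $($e.DaysLeft) day(s)" }
    if ($DryRun) { Write-Host "[dry-run] would mail $($e.Mail): $subject"; continue }
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $e.Mail -Subject $subject -Body (New-WarningBody $e)
}
```

Run it once with `-DryRun` to see who would be mailed before scheduling it. Reading `msDS-UserPasswordExpiryTimeComputed` rather than computing pwdLastSet + maxPwdAge matters in domains with fine-grained password policies, where different users expire on different schedules.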
  • It's not just passwords; it's group policies, SCCM scans (hardware scan, etc.)... they all seem to ignore the VPN connection.

    There must be a reason for this.

    I would hope for a GPO "Allow VPN Sync" but I doubt it would be that easy.

     
    Thursday, October 15, 2015 11:59 AM
  • Sorry, there's no such solution out-of-the-box.
    Thursday, October 15, 2015 12:09 PM
  • BTW, there is a GPO setting that denies logon with cached passwords, but I believe it would cause more problems than it solves.
    Thursday, October 15, 2015 12:11 PM
  • What worked for me:

    • Login to laptop using cached, old password.
    • Connect via VPN.
    • Open Command Prompt
    • Type 'runas /user:<DOMAIN>\<USERNAME> cmd'
    • Enter new password.
    • Close both Command Prompts.
    • Wait a few minutes. Shortly after, you should get the notification area pop-up with the set-of-keys icon and the notice "Windows Needs Your Current Credentials
      Please lock this computer, then unlock it using your most recent password or smart card".
    • Lock the computer.
    • Unlock with new password.
    • Done.

    Maybe it was a coincidence the "Windows Needs Your Current Credentials" but I think typing the full <DOMAIN>\<USERNAME> forces the laptop to lookup in the closest DC for the latest credentials. I know this is an old post but maybe it will help someone as I was searching for the same answer but couldn't find one.

    Wednesday, December 13, 2017 9:50 PM
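The runas procedure above as a script, with the checks a helpdesk would want to run first, as an added example that is not code from the thread. Run it from an elevated PowerShell on the laptop, logged on as the affected user, with the VPN already connected. It assumes the VPN routes LDAP and Kerberos to a domain controller and resolves the AD DNS zone; the "password changed after this PC booted" test is a heuristic of mine, not something Windows exposes directly. It also reads the CachedLogonsCount value behind the "deny cached logon" GPO mentioned earlier, and points at the secure-channel repair for the "trust relationship" error reported later in the thread.

```powershell
# Added example (not posted in the thread): the runas trick as a script, with diagnostics first.
# Run from an elevated PowerShell on the laptop, as the affected user, with the VPN connected.
# Assumes the VPN routes LDAP/Kerberos to a DC and resolves the AD DNS zone.

function Test-DcReachability {
    # RootDSE needs no credentials. If this fails, the VPN is not giving the PC a DC and every
    # "sync" (password, GPO, SCCM) will keep silently falling back to the local cache.
    try { $dc = ([ADSI]'LDAP://RootDSE').dnsHostName.Value }
    catch { throw "No domain controller reachable over this connection: $($_.Exception.Message)" }
    # $false here is the "trust relationship" failure reported later in the thread; fix it with
    #   Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
    # before attempting anything else.
    [pscustomobject]@{ DomainController = $dc; SecureChannelOk = Test-ComputerSecureChannel }
}

function Get-DcPasswordLastSet {
    param([string]$SamAccountName = $env:USERNAME)
    # Ask a DC directly, not the local cache, when this account's password last changed.
    $s = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$s.PropertiesToLoad.Add('pwdLastSet')
    $r = $s.FindOne()
    if (-not $r) { throw "Account $SamAccountName not found in AD." }
    [DateTime]::FromFileTime([int64]$r.Properties['pwdlastset'][0])
}

function Get-CachedLogonsCount {
    # The GPO mentioned above ("Number of previous logons to cache") lands in this value.
    # 0 disables cached logon entirely, which is why it hurts more than helps for VPN-only laptops.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $v = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $v) { 10 } else { [int]$v }   # 10 is the Windows default when the value is absent
}

function Invoke-CachedCredentialRefresh {
    param([string]$Account = "$env:USERDOMAIN\$env:USERNAME")
    # Drop Kerberos tickets obtained with the old password so nothing keeps working "by accident".
    & klist.exe purge | Out-Null
    # runas prompts for the password itself; it cannot be supplied on the command line, by design.
    # A DC-validated interactive logon is what updates the cached credential for this account.
    $p = Start-Process -FilePath runas.exe -ArgumentList "/user:$Account", 'cmd.exe /c exit' `
                       -NoNewWindow -Wait -PassThru
    if ($p.ExitCode -ne 0) {
        Write-Warning "runas failed (exit $($p.ExitCode)): wrong password, or no DC reachable."
        return $false
    }
    # Same session, same problem: policy has not been applied while off-LAN either.
    & gpupdate.exe /target:computer /force | Out-Null
    & gpupdate.exe /target:user /force | Out-Null
    return $true
}

# --- main flow ---
$dcInfo = Test-DcReachability
Write-Host "DC: $($dcInfo.DomainController)  secure channel OK: $($dcInfo.SecureChannelOk)"
if (-not $dcInfo.SecureChannelOk) { throw 'Repair the machine secure channel first (see comment above).' }

$setOnDc  = Get-DcPasswordLastSet
$bootTime = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
Write-Host "Password last set on DC: $setOnDc  (this PC booted $bootTime)"
Write-Host "Cached logons allowed on this PC: $(Get-CachedLogonsCount)"

# Heuristic (assumption, not a Windows API): if the DC saw a password change after this PC
# booted, the logon still active here was made with the old password and the cache is stale.
if ($setOnDc -gt $bootTime) {
    Write-Host 'Password changed since this session started; refreshing cached credential.'
    if (Invoke-CachedCredentialRefresh) {
        Write-Host 'Done. Lock the computer (Win+L) and unlock it with the NEW password.'
    }
} else {
    Write-Host 'No password change since boot; the cached credential should already be current.'
}
```

The order matters: if `Test-DcReachability` fails, the runas step cannot do anything useful, because the logon it triggers would be validated against the same local cache the user is already stuck with. The lock-and-unlock at the end is still required, as in the post above; the script only makes sure the DC has validated the new password on this machine before the user does it.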
  • Thanks David, Runas worked for me.
    Monday, January 29, 2018 12:53 AM
  • Thanks. It worked for me too.
    Tuesday, February 20, 2018 4:42 AM
  • This worked perfectly. With our cred PW policy and a lot of remote users it is a common occurrence to have sync issues. Thank you for posting this.
    Tuesday, January 22, 2019 4:28 PM
  • I had a different situation: I could not log on to Windows with my normal AD account; it was no longer cached ("no logon servers available"). Don't know why. Did this trick with runas with my normal AD account, logged off and was able to log on to Windows with my normal AD account. It was cached again.

    Thanks,
    Stefano

    Thursday, January 31, 2019 8:54 PM
  • Brilliant solutions, worked a treat. Thank you
    Monday, June 17, 2019 1:43 PM
  • You can simply connect to VPN, lock the computer with Windows Key + L, and then enter the newer password when logging back in. I do this once a month when I changed my password remotely.
    Tuesday, July 30, 2019 5:22 PM
  • I've used this solution for a number of years.  Recently it has stopped working.  In fact, you cannot unlock the computer at all (old or new password) when connected to the VPN.

    Wednesday, December 18, 2019 3:09 PM
  • Doing this exact scenario for a user in Chicago. We are based out of Florida. I tried the CMD - Run As... thing. It did not pop the "Windows Needs Your Current Credentials" message. I am doing this on Windows 10. Normally before expiration users can do Ctrl-Alt-Delete and change the password that way, or with our Password Reset Tool, and it's fine. Once expired we have to have them change it through Citrix, which normally works perfectly. If not, we change it and allow them to log in to the VPN with the temp password and then do a GINA or Password Reset Tool change, then go back and connect to the VPN with their new password and then lock and unlock their laptop, and it usually works perfectly that way too.

    My issue today is her laptop is not syncing and she is getting the trust relationship message. I would say eventually the laptop will get the Windows Credentials message, but she cannot sit there and stare at the laptop all day. Once it locks she has to reboot it and use her old credentials for encryption and Windows to log back in and start the VPN again with her new credentials.

    Saturday, April 11, 2020 4:11 PM
  • It was a good idea, David.Regal, but does mine not work that way because of which OS? I have Windows 7 Pro, and the AD server is Windows 2012 R2.

    I don't go to the office in the next city over because of the pandemic. When I do the runas command it still does not know the new password, requires old password. I can only use the new password when accessing domain fileshares remotely, or logging in another computer at the office via remote desktop.


    expertise by good resources, good practice, and good intuition

    Monday, April 13, 2020 5:58 PM
  • This also worked for me in the opposite scenario, where password was changed locally but changes not reflected on domain in shared folders, Office 365 etc.
    Tuesday, May 5, 2020 10:02 AM
  • How will this work if the user's password has expired? The VPN won't connect if the password has expired.
    Tuesday, May 26, 2020 6:24 AM
  • Enable SSPR in office 365. 

    Once password expired, you can change the password in Office 365 using SSPR, this will allow you to connect to the VPN with new password, then lock your PC and unlock using new password. 

    Saturday, June 13, 2020 5:22 PM