AD User Password Expiration and Account Disable Questions

  • Question

  • I have two situations and I have some thoughts but wanted some assistance.

    1.) Max Password Age set to 90 days. User is remote. Password expires while the laptop is NOT connected to the domain network. From what I understand, the cached creds will work indefinitely on the local machine, and if they VPN in again (RSA and user cert auth) they will be prompted to change their password and not allowed to connect to domain resources until the password changes. I am not certain if this is correct or not, though.

    2.) If a user is working remotely and connected to the domain network via VPN, and while they are connected to the domain their domain account is disabled, they will no longer be able to log into their laptop, even off domain. Again, I'm not certain if this is correct and am looking for some assistance.

    Thanks in advance!

    WB

    Friday, June 26, 2020 3:41 PM

All replies

  • Yes, the user can't access the domain resource without changing the password after the password has expired,

    and yes, disabled users can't access the domain; AD won't authenticate disabled users.

    https://www.windowstricks.in/2018/08/powershell-command-to-the-get-account-expiration-date-extract-user-list-which-expire-in-a-week-time.html


    Regards,
    Ganesamoorthy.S
    www.windowstricks.in


    • Marked as answer by WBrady1965 Monday, July 13, 2020 2:55 PM
    Friday, June 26, 2020 4:27 PM
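The reply above points at a script for listing accounts whose passwords are about to expire. The following is an added example in the same spirit, not code from the original thread or from windowstricks.in: it reports enabled users whose password will expire within a warning window (so remote users can be told to change it while still connected over VPN) and lists disabled accounts in the same scope. It assumes the RSAT ActiveDirectory module is installed, and the OU path and the 7-day window are placeholders to adjust.

```powershell
# Added example (not from the original thread): report AD users whose
# password will expire within the next N days, plus currently disabled
# accounts, using the ActiveDirectory module. Run from a domain-joined
# admin workstation. The OU path and window are placeholders.
Import-Module ActiveDirectory

$DaysAhead  = 7                                    # warning window (assumption)
$SearchBase = 'OU=Remote Users,DC=example,DC=com'  # placeholder OU
$now    = Get-Date
$cutoff = $now.AddDays($DaysAhead)

# msDS-UserPasswordExpiryTimeComputed is a constructed attribute that already
# accounts for the domain (or fine-grained) maximum password age.
$users = Get-ADUser -SearchBase $SearchBase `
    -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
    -Properties 'msDS-UserPasswordExpiryTimeComputed', PasswordLastSet, LastLogonDate

$expiring = foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # 0 / MaxValue mean "no expiry computed" (e.g. password must change at next logon)
    if (-not $raw -or $raw -eq 0 -or $raw -eq [long]::MaxValue) { continue }
    $expires = [DateTime]::FromFileTime($raw)
    if ($expires -le $cutoff) {
        [PSCustomObject]@{
            SamAccountName  = $u.SamAccountName
            PasswordLastSet = $u.PasswordLastSet
            ExpiresOn       = $expires
            DaysLeft        = [math]::Round(($expires - $now).TotalDays, 1)
            LastLogonDate   = $u.LastLogonDate   # replicated value, ~14-day granularity
        }
    }
}

"Passwords expiring on or before $($cutoff.ToShortDateString()):"
$expiring | Sort-Object ExpiresOn | Format-Table -AutoSize

# Disabled accounts in the same scope: useful to cross-check which of them
# still map to a laptop that may be signing in with cached credentials.
"Disabled accounts:"
Get-ADUser -SearchBase $SearchBase -Filter { Enabled -eq $false } -Properties LastLogonDate |
    Select-Object SamAccountName, LastLogonDate |
    Format-Table -AutoSize
```

Negative `DaysLeft` values in the first table are accounts whose password has already expired; those users will hit exactly the situation in question 1 the next time they connect.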
  • Thanks for confirming my first question!

    For the disabled user part, what I'm trying to understand is: if the user's laptop is ON the domain when the account is disabled, while they obviously can't get to domain resources at that point, can they disconnect the laptop from the domain network and still be able to log in locally with cached credentials, or is there something in the cached credentials that knows the account is disabled? Does that make sense?

    • Proposed as answer by Miguel Fra Saturday, June 27, 2020 3:10 PM
    • Unproposed as answer by Miguel Fra Saturday, June 27, 2020 3:10 PM
    Friday, June 26, 2020 4:46 PM
  • Hello WBrady,

    Create a GPO for terminated employees. Make sure that in the GPO, caching credentials are set to zero (to disallow). While the user is still connected/employed, move them to that GPO, then disable the account. This will prevent them from logging in with cached credentials.


    Miguel Fra
    Falcon IT Services
    https://www.falconitservices.com

    • Edited by Miguel Fra Sunday, June 28, 2020 3:59 PM
    Saturday, June 27, 2020 3:25 PM
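The GPO described in the reply above ("Interactive logon: Number of previous logons to cache (in case domain controller is not available)" set to 0) only helps if the laptop actually applies it while it is still connected. The script below is an added example, not Miguel's or Microsoft's code: it checks on each laptop whether the policy has taken effect by reading the `CachedLogonsCount` value under the Winlogon registry key, which is where that policy setting is stored (default 10), and whether the machine still has a working secure channel to the domain. The computer names are placeholders and WinRM is assumed to be enabled on the targets.

```powershell
# Added example (not from the original thread): verify that the
# "Number of previous logons to cache" policy has applied on each laptop
# before the user's account is disabled. The policy writes the value to
# CachedLogonsCount (REG_SZ) under the Winlogon key; an absent value means
# the default of 10. Computer names are placeholders.
$Computers = @('LAPTOP-WB01', 'LAPTOP-WB02')   # placeholder names

$check = {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $val = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $val) { $val = '10' }        # value absent -> Windows default
    [PSCustomObject]@{
        Computer          = $env:COMPUTERNAME
        CachedLogonsCount = [int]$val          # stored as a string, compare as a number
        CachingDisabled   = ([int]$val -eq 0)
        SecureChannelOk   = Test-ComputerSecureChannel   # can the laptop reach a DC right now?
    }
}

$results = Invoke-Command -ComputerName $Computers -ScriptBlock $check -ErrorAction SilentlyContinue
$results | Select-Object Computer, CachedLogonsCount, CachingDisabled, SecureChannelOk | Format-Table -AutoSize

# Laptops we could not reach: policy state unknown, so the cached-logon
# risk in the question still applies to them.
$unreached = $Computers | Where-Object { $_ -notin $results.Computer }
if ($unreached) { "Not reachable (policy state unknown): $($unreached -join ', ')" }

# Laptops that are online but still caching logons: the GPO has not been
# applied yet (move to the OU / security-filter, then gpupdate /force or reboot).
$notApplied = $results | Where-Object { -not $_.CachingDisabled }
if ($notApplied) { "Still caching logons, run gpupdate /force on: $($notApplied.Computer -join ', ')" }
```

The order matters: confirm `CachingDisabled` is true on the laptop first, then disable the account. Disabling first, as the lab result later in this thread shows, leaves the already-cached credential usable once the laptop is off the network.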
  • Hi,

    I suggest the best method:

    1.) After imaging the laptop, don't domain-join it for remote workers; keep it in a workgroup.

    2.) After connecting to the VPN, ask them to use VDI for office use.

    3.) Once remote workers leave the organization, delete the ID immediately.

    4.) If you disable the remote worker's ID, someone could enable it again by mistake.

    Sunday, June 28, 2020 2:39 PM
  • Hello,

    Thank you for posting in our TechNet forum.

    I did the test in my lab. Below is the result.

    1, If the user account is disabled, it could not sign in to access domain resources since the account is disabled, as shown below.



    2, If the user account is disabled and the machine is disconnected from the domain network, the user could sign in with domain name\user account. Once connected to the network again, the user could not sign in since the account has been disabled.

    Hope the information is helpful. For any question, please feel free to contact us.


    Best regards,
    Hannah Xiong

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by WBrady1965 Monday, July 13, 2020 2:54 PM
    Monday, June 29, 2020 5:04 AM
  • Hello,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    Thank you so much for your time and support.

    Best regards,
    Hannah Xiong

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, July 1, 2020 10:16 AM
  • Hello,

    Does this question have any update or has this issue been solved? Also, for the question, is there any other assistance we could provide?

    Thank you so much for your time and support.

    Best regards,
    Hannah Xiong

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 6, 2020 6:59 AM
  • Hannah,

    Thanks for that second piece of information!

    WB

    Monday, July 13, 2020 2:57 PM