How to reset passwords & update the local cached credentials for remote users
If you are not using a self-service solution to enable remote users to reset their passwords, you may want to find a workaround for when those passwords eventually expire. The problem lies in the local cached credentials. Normally, they allow users to be verified for authentication when a Domain Controller cannot be reached. When working remotely, it creates a problem when the password is changed or reset. The old credentials will still be cached, not automatically replaced by the new credentials using the new password. The user will be locked out of their account, or end up in a scenario where they need to remember both the old password, and the new password, which can be very confusing. This blog offers some workarounds for the password expiration problem.
Should you set passwords to never expire?
The obvious solution is to set passwords to never expire. Multiple authorities already claim that password expirations are a dying concept anyway. Of course, you may want to rethink this if there’s a chance that users are using vulnerable passwords. Before making this switch, use our free tool to check which accounts are using pwned passwords in Active Directory. The tool can also identify which accounts are using the same default passwords. You can use the information to encourage stronger passwords, before setting them to never expire.
Sending password expiration emails
If you need to enforce password expirations, you will need to ensure that remote users change their passwords prior to expiration, while connected to a VPN to the corporate network. You can do this by sending password expiration email reminders to users. Remember, many existing on-screen reminders will no longer work, even on VPN. Specops offers a free password notification tool that compares the pwdLastSet attribute with the maximum password age in the default domain policy, or fine-grained password policy, to send notification emails to users affected by a configured GPO. By encouraging users to change their passwords before they expire, you can prevent the cached credential problem altogether.
Remote password reset: Step-by-step
In the event that passwords expire, users will have to contact the Service Desk to reset their password. Does your Service Desk have a secure way to verify the user on the other side of the phone? Most organizations don’t have a secure process in place. If you are relying on manager names, employee IDs, or security questions, you are leaving the Service Desk vulnerable to social engineering attacks.
Once the Service Desk verifies the user, they can proceed to reset their password. When they do so, they will need to untick the “user must change password at next logon” box as it will further interfere with the cached credential problem, and the user will usually have no way to do this when working remotely. This poses a new security issue as the Service Desk will now know the user’s password. Additionally, since most Service Desk staff use default passwords during a password change, the password can be easily guessed if left unchanged.
Once the Service Desk has changed the password, the following will need to be communicated to the user. Depending on the technical proficiency of the user, it could be an additional barrier.
- Ensure that any device, e.g. mobile phone, attempting to connect to your account with the expired password, is turned off.
- Login to their machine with the expired (cached) password.
- Connect to the corporate VPN (usually this requires the new password set by the Service Desk)
- Use CTRL + Alt + Delete, Change Password and enter the password provided by the Service Desk.
- Create a new password that is unique, and not known by the Service Desk, and confirm it again.
- Lock the screen, and unlock the screen with your new password to synchronize the cached credentials with the credentials set on Active Directory.
If the user cannot remember the expired (cached) password, they will either have to bring the device into the office or try the following:
- Login with another account – usually a local admin account which may or may not be enabled
- Connect to the VPN with their username and newly reset password
- Hit Ctrl-Alt-Delete
- Change password
- Change the username to their domain user account
- Type their newly reset password in
- Type a new password in twice
- Hope they get the complexity rules correct
- Switch user
- Hope the VPN stays up
- Login with their regular AD account and new password
If the Service Desk is lucky, the user will be successful. If not, they will have to continue troubleshooting until the user is up and running again. While this is to be expected, it can be especially cumbersome when the entire organization is working remotely.
Update cached credentials with password reset
If you need to free-up IT resources, you will need a self-service solution to manage remote password resets. Our password reset tool allows users to securely reset their Active Directory passwords right from the Windows logon screen. The solution also prevents account lockouts by updating the local cached credential, even when a Domain Controller cannot be reached.
Contact us for more information about our password reset solution, or request a free trial.
(Last updated on June 27, 2022)