Remote users' domain Passwords expiring

So with everyone working at home, not connected to the domain, passwords are beginning to expire. I can change their O365 password but the password on their laptops will remain the same until either they connect to our VPN or come onsite and connect to the domain. Since we’ve moved to O365 not very many are set up for VPN. I could remote to their computers and install VPN or ask them to go onsite just long enough to update their domain password. I could reset the password policy but that wouldn’t update the cached GPO on their laptops. I wish we had the option of user password reset from the cloud but we don’t since we are syncing on-prem AD to Azure lite.

Any ideas?

Don’t forget machine password expirations. They expire every 30 days by default, and if they aren’t changed (automatically) within 30 days of expiration the machine itself will need domain re-joined. And if you’re relying on WSUS, etc. for your updates that will also require VPN connectivity.

If you’re still a legacy on-prem AD and not Azure-AD First, then you’re going to need to somehow get those machines connected back to the mothership (VPN or LAN) periodically.


That has not been my experience with machine account passwords. They can expire and will update the next time the system interacts with the domain. There are some caveats which are covered a little ways down in this article.


On a side note, Microsoft recommends disabling password expiration.

https://docs.microsoft.com/en-us/archive/blogs/secguide/security-baseline-final-for-windows-10-v1903-and-windows-server-v1903

(May 2019)
“…Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value. By removing it from our baseline rather than recommending a particular value or no expiration, organizations can choose whatever best suits their perceived needs without contradicting our guidance…”


When it comes to notifying users that their passwords are going to expire soon, more communication is always better. Users do not enjoy the password change process; keeping them informed as to when their password will expire is a great way to improve their experience. This blog will provide an overview on how you can configure password expiration notification settings for Active Directory users.

Active Directory supports notifying users of upcoming password expiration, but only when they are logged into domain-joined client systems connected to the corporate network.

The configuration for these notifications lives in Group Policy, under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive Logon: Prompt user to change password before expiration.

Either set this in your Default Domain Policy or create/use another GPO and configure how many days before expiration the user should be notified.

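Since the Group Policy prompt above only fires at an interactive logon on the corporate network, remote users never see it. As an added example (not from this thread or from Microsoft), here is a PowerShell script an admin can schedule on a domain-joined server to find users whose domain passwords expire within a given number of days and e-mail them; it assumes the RSAT ActiveDirectory module is installed, and the SMTP relay and sender address are placeholders to replace with your own.

```powershell
# Added example: report AD users whose domain passwords expire within $WarnDays
# and e-mail them, so remote users still get a warning. Assumes the RSAT
# ActiveDirectory module; $SmtpServer and $From are placeholder assumptions.
param(
    [int]    $WarnDays   = 14,
    [string] $SmtpServer = 'smtp.example.internal',   # assumption: your relay
    [string] $From       = 'it-helpdesk@example.com', # assumption: your sender
    [switch] $WhatIf                                  # report only, send nothing
)

Import-Module ActiveDirectory

# msDS-UserPasswordExpiryTimeComputed honours fine-grained password policies,
# unlike computing pwdLastSet + the domain MaxPasswordAge by hand.
$users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
    -Properties mail, 'msDS-UserPasswordExpiryTimeComputed', PasswordLastSet

$now = Get-Date
$expiring = foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # 0 or Int64.MaxValue means the password does not expire (e.g. policy exempt)
    if (-not $raw -or $raw -eq [Int64]::MaxValue) { continue }
    $expires  = [DateTime]::FromFileTime($raw)
    $daysLeft = [math]::Floor(($expires - $now).TotalDays)
    if ($daysLeft -le $WarnDays) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Mail           = $u.mail
            Expires        = $expires
            DaysLeft       = $daysLeft   # negative = already expired
        }
    }
}

# Always print the report so the scheduled task log shows who is close to expiry.
$expiring | Sort-Object DaysLeft | Format-Table -AutoSize

foreach ($e in $expiring | Where-Object { $_.Mail }) {
    $body = "Your domain password expires on $($e.Expires.ToString('yyyy-MM-dd')) " +
            "($($e.DaysLeft) days left). Connect to the VPN, press Ctrl+Alt+Del and " +
            "choose 'Change a password' so the cached credential on your laptop is updated."
    if ($WhatIf) { "Would notify $($e.SamAccountName) <$($e.Mail)>"; continue }
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $e.Mail `
        -Subject "Domain password expires in $($e.DaysLeft) day(s)" -Body $body
}
```

Run it first with `-WhatIf` to check the list before any mail goes out; users who already expired (negative DaysLeft) are included so the helpdesk can follow up with them directly.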