
Windows Forum / Windows XP / Security and Administration / October 2008


synchronizing domain user Local cached credentials with domain (VP

Victor B - 14 Apr 2008 05:59 GMT
I am having a problem finding a solution to the issue of capturing when
locally cached credentials are out of sync with domain credentials. The user
is Windows 2003 using a domain user account to access an XP SP2 laptop when
offline.

Scenario is: We have mobile VPN users who connect to the corporate network using
the Cisco VPN client, and when a password is set to expire and has to be renewed,
the user is prompted for a new password. The user is then allowed access to the
corporate domain. The user now has a copy of their old password cached
locally and their network password has just been changed. Some time later a
small window bubble appears in the task bar, "Windows needs your current
credentials". The technically savvy will lock their screen and log on
using their new password.

The issue we are trying to address is finding a method to capture this
change (script the detection of the Windows bubble; most users ignore it or don't
understand what to do) and force the screen to lock or provide a larger
popup window instructing the user how to sync their old locally cached
password with the new domain one. Ideally the solution is to automatically sync the
local password cache with the network one.

In short, the ideal solution would automatically sync locally cached
credentials with the domain without locking the computer screen. The other
option is scripting a solution to capture when the credentials are out of
sync and creating a process to help clearly inform the user what to do, or
force the screen to lock so the new password must be used.

Are there any tools or a way to script synchronizing the locally cached password
to the domain once the password has been changed, and to capture / log when
these passwords are out of sync?

Any help, or pointing me in the right direction, would be very helpful.
Jagdeep P - 24 Apr 2008 18:28 GMT
1) Log into computer with old password
2) Connect to domain or vpn
3) Lock computer
4) Unlock with new password, which forces update with domain access.

> I am having problem finding a solution to an issue of capturing when a
> locally cached credentials are out of sync with domain credentials. The user
[quoted text clipped - 28 lines]
>
> Any Help or point me in the right direction would be very helpful.
Victor B - 28 Apr 2008 01:08 GMT
Thanks for the reply.

This is what a user needs to do at the moment, but many users ignore the
Windows taskbar bubble which would indicate that their password needs to be
synchronised. This becomes an issue where users are constantly travelling.

The solution I have put in place is to run a vbscript when the Cisco client
opens a connection. The script does the following:
    1. Wait until DHCP IP address is supplied by VPN connection
    2. Attempt to connect to domain SysVol with user's current credentials
    3. No error, script ends. Error in connecting to SysVol:
            3a. Force a Windows popup with a personalised message and instruction
            3b. Once the popup is closed, desktop will automatically lock
                and force the user to use their new password to unlock their screen.
            3c. Password synchronisation completes, script ends.

Not ideal but does provide a much clearer instruction to inform a user what
needs to happen and why.  

Victor

> 1) Log into computer with old password
> 2) Connect to domain or vpn
[quoted text clipped - 33 lines]
> >
> > Any Help or point me in the right direction would be very helpful.
Stephane - 06 May 2008 20:44 GMT
Hi Victor.

I have the same issue and agree with you. Even if the CTRL-ALT-DEL is easy
enough, 50% of our users are still calling for support. I like your solution
(not the best, but better). Would you mind emailing me your script?

Thanks

> Thanks for the reply.
>
[quoted text clipped - 55 lines]
> > >
> > > Any Help or point me in the right direction would be very helpful.
Victor B - 06 May 2008 23:46 GMT
Hi Stephane,

This is the vbscript, use and change as needed.

' Script is used in conjunction with the Cisco VPN client, by setting the
' VPN client application launcher to run this script.
' Process: the VPN client opens a connection entry and the script starts.
' The script loops until an IP address is supplied by the DHCP server and
' authentication is complete (or quits after 5 minutes). It then attempts to
' open an object on a file share (domain SysVol). If the object cannot connect,
' the passwords are out of sync and a popup is displayed before locking the
' screen to sync domain and local passwords.
'
' Note: Connecting to the domain share is only attempted once; more than this
' can force an account lockout due to the password not being in sync.
'
' ---------------------------------------------------------------------------------
' Version: 1.0
' Date: 15 April 2008
' Author: Victor Bokulic
' Modification History:
'
'
' ------------------------------------------------------------------------------------

Dim oFSO, sFolderPath
Dim sResponse
Dim iKeepAlive, iCountdown, iSleepSec
Dim sMsgBoxInput, sMsgBoxTitle

iCountdown = 0
iKeepAlive = 100
iSleepSec = 3

sMsgBoxInput = GetLogged_on_Username & ": Local user password needs to be updated"
sMsgBoxInput = sMsgBoxInput & vbCRLF & vbCRLF & _
    "Please select OK and then enter your UPDATED password to unlock your notebook"
sMsgBoxTitle = "Local User Password needs to be updated"

' Change sFolderPath to a share on the local domain
sFolderPath = "\\full.domain.name.com\SysVol"

' Check for VPN network adapter to be enabled and given an IP address
Do Until TestVPNNetworkConnection() = "Enabled"

   WScript.Sleep iSleepSec * 1000
   ' Test if script has been running too long, iKeepAlive * iSleepSec
   If iCountdown < iKeepAlive then
       iCountdown = iCountdown +1
   Else
       ' Problem with VPN connection - taken too long, quit script
       WScript.Quit
   End If
Loop

' Test folder object connection; on error the local password cache is not the
' same as the domain's
If TestFolderObject (sFolderPath) <> 0 then
   sResponse = MsgBox (sMsgBoxInput , 0 , sMsgBoxTitle)
   If sResponse = 1 then   ' Force Screen to Lock
       Set oWshShell = WScript.CreateObject("WScript.Shell")
       oWshShell.Run "RunDll32.exe user32.dll,LockWorkStation"
   End If
End If

Set oWshShell = Nothing

' --------------------------------------------------------------------------
' Verify VPN Network connection has IP address for local computer
' --------------------------------------------------------------------------
Function TestVPNNetworkConnection ()
   Dim oWMI, ColItems, oItem
   On Error Resume Next
   Set oWMI = GetObject("winmgmts:\\." )

   Set colItems = oWMI.ExecQuery _
      ("Select * From Win32_NetworkAdapterConfiguration Where IPEnabled = True")

   For Each oItem in colItems
       If (oItem.Description) = "Cisco Systems VPN Adapter - Packet Scheduler Miniport" Or _
          (oItem.Description) = "Cisco Systems VPN Adapter" Then

           TestVPNNetworkConnection = "Enabled"
           Set oWMI = Nothing
           Exit For
       Else
           TestVPNNetworkConnection = "Disabled"
       End If
   Next

   Set oItem = Nothing
   Set ColItems = Nothing
   Set oWMI = Nothing
End Function
'=============================================================================
' --------------------------------------------------------------------------
' Function is a simple test of whether the local user can attach to a folder
' Function returns the error code, No Error = 0
' --------------------------------------------------------------------------
Function TestFolderObject (sFolderPath)
   On Error Resume Next

   Set oFSO = CreateObject("Scripting.FileSystemObject")

   Set oFolderObject = oFSO.GetFolder(sFolderPath)
   if Err.Number <> 0 then
      TestFolderObject = err.Number
      Err.Clear      ' Clear the error.
   Else
       TestFolderObject = 0
   End if

   Set oFolderObject = Nothing
   Set oFSO = Nothing

End Function
'=============================================================================
' --------------------------------------------------------------------------
' Function is to return the current user logged on
' Function returns the user's name
' --------------------------------------------------------------------------
Function GetLogged_on_Username()
   Dim oNet, sUsername
   On Error Resume Next
   Set oNet = CreateObject("WScript.NetWork")
   sUsername = oNet.UserName
   GetLogged_on_Username = sUsername
   Set oNet = Nothing 'Destroy the object
End Function

:-) Victor B

> Hi Victor.
>
[quoted text clipped - 63 lines]
> > > >
> > > > Any Help or point me in the right direction would be very helpful.
Canni - 16 Oct 2008 22:29 GMT
Hello,

I am from Germany and I do have the same problem - but without Cisco
VPN-Client. Our VPN-Client is not able to run a script.

What do you prefer? Running the (modified) script by task?

Thanks!
Canni

--
Canni

http://forums.techarena.i
Canni - 17 Oct 2008 21:48 GMT
Can someone help me, please? Thanks :-)

Canni

http://forums.techarena.in
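
A variant of the script posted above for the case where the VPN client cannot launch it, given as an added example that is not part of any post in this thread: it is meant to be started periodically (for example by a scheduled task), writes a warning to the Application event log when the share check fails, and limits how often it retries so repeated runs do not add failed logons. The ping pre-check, the stamp file name and the 60-minute interval are assumptions; the share path is the thread's placeholder.

```vbscript
' Added example, not from the thread. Run periodically, e.g. by a scheduled task.
Option Explicit

Const SHARE_PATH = "\\full.domain.name.com\SysVol"  ' placeholder from the thread
Const DOMAIN_HOST = "full.domain.name.com"          ' placeholder host to ping (assumption)
Const MIN_MINUTES_BETWEEN_FAILURES = 60             ' assumed lockout safety margin
Const EVENT_WARNING = 2                             ' WshShell.LogEvent type: warning

Dim oShell, oFSO, sStamp, iErr
Set oShell = CreateObject("WScript.Shell")
Set oFSO = CreateObject("Scripting.FileSystemObject")
sStamp = oShell.ExpandEnvironmentStrings("%TEMP%") & "\credsync_lastfail.txt"

' 1. Not on the corporate network: nothing to test, and no logon attempt is made.
If Not HostReachable(DOMAIN_HOST) Then WScript.Quit 0

' 2. A recent failure is already recorded: do not authenticate again yet.
If oFSO.FileExists(sStamp) Then
    If DateDiff("n", oFSO.GetFile(sStamp).DateLastModified, Now) < MIN_MINUTES_BETWEEN_FAILURES Then WScript.Quit 0
End If

' 3. One access attempt with the current credentials, as in TestFolderObject.
On Error Resume Next
oFSO.GetFolder SHARE_PATH
iErr = Err.Number
Err.Clear
On Error GoTo 0

If iErr = 0 Then
    If oFSO.FileExists(sStamp) Then oFSO.DeleteFile sStamp
    WScript.Quit 0
End If

' 4. Record the failure, log it, tell the user, then lock the workstation.
oFSO.CreateTextFile(sStamp, True).Close
oShell.LogEvent EVENT_WARNING, "Cached credentials check: access to " & SHARE_PATH & " failed (error " & iErr & ")."
MsgBox "Please select OK and then enter your UPDATED password to unlock your notebook", vbOKOnly, "Local User Password needs to be updated"
oShell.Run "RunDll32.exe user32.dll,LockWorkStation"

Function HostReachable(sHost)
    Dim oPing
    HostReachable = False
    For Each oPing In GetObject("winmgmts:\\.\root\cimv2").ExecQuery( _
            "Select StatusCode From Win32_PingStatus Where Address = '" & sHost & "'")
        If Not IsNull(oPing.StatusCode) Then
            If oPing.StatusCode = 0 Then HostReachable = True
        End If
    Next
End Function
```

The logged warning can be collected from the Application log to see how often laptops go out of sync; if ICMP to the domain host is blocked over the VPN, replace the ping with another reachability test.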
