Cisco VPN client software and Windows XP question

[crazyjw1971]

Greetings everyone...

My job recently started using Cisco VPN software to allow our users log in to the network when off site (USDA, Riverdale MD). Were running into a slight situation with domain passwords. Let me explain...

Customer gets a Work-At-Home (WAH) computer. We image it for him/her and log in with their current domain password. They take the computer home. After 45 days (I know thats quick right?), the customer is forced to change their domain password. Now the customer goes home and is forced to use their OLD domain password to get on the PC. They use their CURRENT domain password to get through the VPN and they are FORCED to enter their CURRENT domain password to access their network shares. The customer CANNOT change the domain password while at home because...

1. If they use the OLD password in the OLD PASSWORD line, you get OLD PASSWORD INCORRECT errors.

2. They cant use the current password in all lines. They will get the PASSWORDS ARE THE SAME error.

3. They CANT change the password for 14 days (per security policy). Now maybe they can after the 14 day period, but isnt that a HUGE hassle to put the customer though?

My question is...

Has anyone had this problem? If so, what did you do to resolve it?

[YeOldeStonecat]

Possibly change their local accounts on the WAH computers to match their new domain password...like, on that 45th day, when they change their domain password at the office...go home and change the local password to match?

[crazyjw1971]

I've received some possible suggestions to get this situation resolved. If one of them works, I will let y'all know.

[crazyjw1971]

Originally posted by YeOldeStonecat
Possibly change their local accounts on the WAH computers to match their new domain password...like, on that 45th day, when they change their domain password at the office...go home and change the local password to match?

That sounds like a good idea except the powers-that-be here want all the PC's to log on to the domain. No local accounts except the local admin account.

I did try to set the VPN client software to authenticate BEFORE allowing the user to log in. I also set it up to use third party dial-up software. All went OK until I noticed that the stupid dial-up software would not initialize. Sheeesh! Now I have to figure out why the dial-up software wont start. BTW... the dial-up software is from MCI (Access Manager).

[crazyjw1971]

TTT...

Any ideas? Anyone?

[BrNz]

Whenever dealing with MCI Access Manager - the answer seems to be:

Remove and re-install.

Why? The software is less then stellar.

Also check to see if there were some previous corp dialer access types like AT&T or the older MCI access (forgot) but I know that this will completely mess up the Access manager.

Good Luck

[dimb]

I just ran into the same problem. Users go home with company laptops and don't visit the office for some time. Their passwords expire on the domain, and they cannot VPN in until their password is changed.

Have you found a resolution?

[crazyjw1971]

If they are on broadband, go into the options, log in properties, and select ENABLE START BEFORE WINDOWS LOGON and then restart. When the user hit CTRL+ALT+DEL, the Cisco VPN software will come up. Have them log in with their VPN password and authenticate. Then have then log into Windows. If their connection is up, it will authenticate their LAN password through the VPN to the domain controller. This works for me. It MIGHT work for you. I still havent figured out the MCI side. I will try it tomorrow and let you know.