Re: Connecting to Windows servers through adsl

can shed some light. I've been pulling my hair out to find any solution to our conundrum.

We have remote users with Windows XP (SP1 currently, as SP2 caused some problems for us) laptops. They are set up here in our corporate network to the ARTESYN Windows NT domain. When in the main office, they use them just as any other domain workstation, logging in as themselves to the ARTESYN domain.

When out of the main office, they first log in to the laptop as ARTESYN\username (even though the laptop cannot talk at that point to any domain controllers), which allows this because XP caches the domain credentials. They then use a Cisco VPN to connect to our main office and map network drives, use Remote Desktop to our Windows 2003 terminal server, connect to Exchange, etc.

However, the problem comes when they have to update their password (every 90 days). We have them update their ARTESYN domain passwords by connecting via Remote Desktop to our terminal server. This works fine. However, the problem comes in that they still have to use their OLD domain password to log into their local laptop (as the laptop is not connected to the domain until AFTER the login).

Unfortunately, I can't seem to find any information on how to get Windows XP to update the cached credentials so it will accept their updated domain password when logging into their laptop. It only accepts their old domain password. When doing this, I can map a drive to a Windows share, using the new domain password, but the local XP laptop does not seem to update the local cache when this happens.

This causes all sorts of problems, not the least of which is the user has to remember two passwords until the time comes when that laptop is actually on the local network, and part of the domain BEFORE the user logs in.

The only solution I can think of is to have these users log in to a local account rather than their ARTESYN domain account. Of course, we'd prefer not to have to do this, so they have a seamless experience whether they are on our main network or connected remotely via VPN.

So, is there any way to tell XP to update its cached DOMAIN\username password against the updated DOMAIN\username?

We have exactly the same problem! Only difference with us is that we use
Radius with Expiry on our VPN, so when logging into the VPN
Concentrator, our users are prompted to change their password. This is
done using MS-CHAPv2 so I thought it should synchronize the local
cached password with the new domain password. However, it does not.
Struggling to find an answer..... If you hear anything, please let me
know.
--
kstrahan
------------------------------------------------------------------------
Posted via http://www.webservertalk.com
------------------------------------------------------------------------
View this thread: http://www.webservertalk.com/message948098.html

Immediately after the users change their password instruct them to lock their computer with Control-Alt-Delete and then unlock their computer with their new password. That may refresh their cached credentials. It has worked for me though there are a lot of ways to configure a VPN and your mileage may vary. --- Steve

"kstrahan" <kstrahan.1m3***@mail.webservertalk.com> wrote in message news:kstrahan.1m3dx4@mail.webservertalk.com...
>
> We have exactly the same problem! Only difference with us is that we use
> Radius with Expiry on our VPN, so when logging into the VPN
> Concentrator, our users are prompted to change their password. This is
> done using MS-CHAPv2 so I thought it should synchronize the local
> cached password with the new domain password. However, it does not.
> Struggling to find an answer..... If you hear anything, please let me
> know.
>
> --
> kstrahan
> ------------------------------------------------------------------------
> Posted via http://www.webservertalk.com
> ------------------------------------------------------------------------
> View this thread: http://www.webservertalk.com/message948098.html
>