Interactive Logon and VPN

Philip Whitinger 1 Reputation point
2021-02-01T22:14:48.233+00:00

This is probably a silly question, but our users are working remotely and would like to get notifications for when their AD password is going to expire.

I was going to use the Group Policy "Interactive logon: Prompt user to change password before expiration". Based on the title of the policy, I am assuming this only causes a pop-up to show up when the user first logs in. Since the remote users' process is to 1) log in to their machine off the network and 2) connect to the AD-authenticated VPN to connect to the network, I am guessing this policy won't work for them.

1 answer

  1. Falcon IT Services 286 Reputation points
    2021-02-01T23:14:03.43+00:00

    Hello Philip,

    You can have the Windows Desktop log in to VPN/AD directly without using cached credentials first. You should see an icon at the bottom of the login screen that allows you to do that. Microsoft VPN and SonicWall SSL are two that I know work because I have done it. In this scenario, you should get the change password prompt since VPN connects first, then ADDS.

    You may want to consider implementing the new NIST guidelines for passwords which recommend not changing passwords unless the user suspects there has been a credentials breach. That might simplify things.

    If you don't see the option for network sign in, check the link below:

    https://social.technet.microsoft.com/Forums/en-US/f0478849-afaa-477d-bdbb-25f33d8e4d5b/connect-vpn-before-logon?forum=win10itpronetworking

    Miguel Fra
    https://www.falconitservices.com