Changing user domain password from computer outside of Corporate network without VPN

Question

While outside of the office and connected to the corporate VPN, I can use Ctrl-Alt-Del to change my password without issue. This appears to store a hash of my password on my laptop and I can later log into the laptop with the new password without first connecting to the VPN.

Below is a small snippet from the command "dsregcmd /status"

AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : YES

Given the above "AzureAdJoined" being "YES". Should a user, who is not connected to our corporate VPN be able to use "Ctrl-Alt-Del" to reset their password and have the hash written to the laptop? This user has internet connectivity, just no VPN.

Currently when I try that, I get the message "Configuration information could not be read from the domain controller, either because the machines is unavailable, or access has been denied".

I want know if this is possible or is the VPN required at all times. Ideally, we don't want users relying on VPN to change their password when out of the office. This is mainly a concern for remote workers. I can use self service password reset (sspr) to reset the password but I still need to first connect to the VPN before I can log into the laptop. I appreciate the feedback.

Answer 1

Hi,

It's not possible to change the on prem password without line of sight to the domain controller.

You need the VPN to be connected for this.

You can change your password in Azure AD but you still need the VPN to sync the password from on prem DC to the laptop.

Hope this helps!

Answer 2

Would Password write back (with Password Hash Synchronization -PHS) enabled in Azure AD connector help in this scenario?
I've have similar situation to SecJedi. We don't want users relying on VPN to change their password when out of the office.

Answer 3

Bivash Barua, the password can sync back to Active Directory but not to the laptop until it connects to the VPN or be in the office network.