WUGNET, the Windows User Group Network

synchronizing domain user Local cached credentials with do..

 
Victor B




(Msg. 1) Posted: Sun Apr 13, 2008 9:59 pm
Post subject: synchronizing domain user Local cached credentials with domain (VP
Archived from groups: microsoft>public>windowsxp>security_admin

I am having a problem finding a solution to the issue of capturing when
locally cached credentials are out of sync with domain credentials. The user
is Windows 2003 using a domain user account to access an XP SP2 laptop when
offline.

Scenario is: We have mobile VPN users who connect to the corporate network using
the Cisco VPN client, and when a password is set to expire and has to be renewed,
the user is prompted for a new password. The user is then allowed access to the
corporate domain. The user now has a copy of their old password cached
locally and their network password has just been changed. Some time later a
small window bubble appears in the task bar, "Windows needs your current
credentials". The technically savvy will lock their screen and log on
using their new password.

The issue we are trying to address is finding a method to capture this
change (script the detection of the Windows bubble; most users ignore it or don't
understand what to do) and force the screen to lock or provide a larger
popup window instructing the user how to sync their old locally cached
password with the new domain one. Ideally the solution is to automatically sync the
local password cache with the network one.

In short, the ideal solution would automatically sync locally cached
credentials with the domain without locking the computer screen. The other
option is scripting a solution to capture when the credentials are out of
sync and creating a process to help clearly inform the user what to do, or
force the screen to lock so the new password must be used.

Are there any tools or a way to script synchronizing the local cached password
to the domain once the password has been changed, and capture / log when
these passwords are out of sync?

Any help, or pointing me in the right direction, would be very helpful.

Jagdeep P

(Msg. 2) Posted: Thu Apr 24, 2008 10:28 am
Post subject: RE: synchronizing domain user Local cached credentials with domain (VP

1) Log into computer with old password
2) Connect to domain or vpn
3) Lock computer
4) unlock with new password which forces update with domain access.

Victor B

(Msg. 3) Posted: Sun Apr 27, 2008 5:08 pm
Post subject: RE: synchronizing domain user Local cached credentials with domain

Thanks for the reply.

This is what a user needs to do at the moment, but many users ignore the
Windows taskbar bubble which would indicate that their password needs to be
synchronised. This becomes an issue where users are constantly travelling.

The solution I have put in place is to run a VBScript when the Cisco client
opens a connection. The script does the following:
1. Wait until a DHCP IP address is supplied by the VPN connection
2. Attempt to connect to the domain SysVol with the user's current credentials
3. No error: script ends. Error in connecting to SysVol:
   3a. Force a Windows popup with a personalised message and instruction
   3b. Once the popup is closed, the desktop will automatically lock
       and force the user to use their new password to unlock their screen.
   3c. Password synchronisation completes, script ends.

Not ideal, but it does provide a much clearer instruction to inform a user what
needs to happen and why.

Victor

Stephane

(Msg. 4) Posted: Tue May 06, 2008 12:44 pm
Post subject: RE: synchronizing domain user Local cached credentials with domain

Hi Victor.

I have the same issue and agree with you. Even if the CTRL-ALT-DEL is easy
enough, 50% of our users are still calling for support. I like your solution
(not the best, but better). Would you mind emailing me your script?

Thanks

Victor B

(Msg. 5) Posted: Tue May 06, 2008 3:46 pm
Post subject: RE: synchronizing domain user Local cached credentials with domain

Hi Stephane,

This is the vbscript, use and change as needed.

' Script is used in conjunction with the Cisco VPN client, by setting the
' VPN client application launcher to run this script.
' Process: the VPN client opens a connection entry and the script starts.
' The script loops until an IP address is supplied by the DHCP server and
' authentication is complete (or quits after 5 minutes). It then attempts
' to open an object to a file share (domain SysVol). If the object cannot
' connect, the passwords are out of sync and a popup is displayed to lock
' the screen and sync the domain and local passwords.
'
' Note: Connecting to the domain share is only attempted once; more than
' this can force an account lockout due to the password not being in sync.
'
' ---------------------------------------------------------------------------
' Version: 1.0
' Date: 15 April 2008
' Author: Victor Bokulic
' Modification History:
'
' ---------------------------------------------------------------------------

Dim oFSO, oFolderObject, oWshShell, sFolderPath
Dim sResponse
Dim iKeepAlive, iCountdown, iSleepSec
Dim sMsgBoxInput, sMsgBoxTitle

iCountdown = 0
iKeepAlive = 100   ' maximum number of polls (100 * 3 seconds = 5 minutes)
iSleepSec = 3      ' seconds between polls

sMsgBoxInput = GetLogged_on_Username & ": Local user password needs to be updated"
sMsgBoxInput = sMsgBoxInput & vbCRLF & vbCRLF & _
    "Please select OK and then enter your UPDATED password to unlock your notebook"
sMsgBoxTitle = "Local User Password needs to be updated"

' Change sFolderPath to a share on the local domain
sFolderPath = "\\full.domain.name.com\SysVol"

' Wait for the VPN network adapter to be enabled and given an IP address
Do Until TestVPNNetworkConnection() = "Enabled"
    WScript.Sleep iSleepSec * 1000
    ' Test if script has been running too long (iKeepAlive * iSleepSec)
    If iCountdown < iKeepAlive Then
        iCountdown = iCountdown + 1
    Else
        ' Problem with VPN connection - taken too long, quit script
        WScript.Quit
    End If
Loop

' Test folder object connection; an error means the local password cache
' is not the same as the domain's
If TestFolderObject(sFolderPath) <> 0 Then
    sResponse = MsgBox(sMsgBoxInput, 0, sMsgBoxTitle)
    If sResponse = 1 Then ' OK pressed: force screen to lock
        Set oWshShell = WScript.CreateObject("WScript.Shell")
        oWshShell.Run "RunDll32.exe user32.dll,LockWorkStation"
    End If
End If

Set oWshShell = Nothing

' --------------------------------------------------------------------------
' Verify VPN network connection has an IP address for the local computer
' --------------------------------------------------------------------------
Function TestVPNNetworkConnection()
    Dim oWMI, colItems, oItem
    On Error Resume Next
    TestVPNNetworkConnection = "Disabled"
    Set oWMI = GetObject("winmgmts:\\.")

    Set colItems = oWMI.ExecQuery _
        ("Select * From Win32_NetworkAdapterConfiguration Where IPEnabled = True")

    For Each oItem In colItems
        If oItem.Description = "Cisco Systems VPN Adapter - Packet Scheduler Miniport" Or _
           oItem.Description = "Cisco Systems VPN Adapter" Then
            TestVPNNetworkConnection = "Enabled"
            Exit For
        End If
    Next

    Set oItem = Nothing
    Set colItems = Nothing
    Set oWMI = Nothing
End Function
'=============================================================================
' --------------------------------------------------------------------------
' Function is a simple test of whether the local user can attach to a folder
' Function returns the error code, No Error = 0
' --------------------------------------------------------------------------
Function TestFolderObject(sFolderPath)
    On Error Resume Next

    Set oFSO = CreateObject("Scripting.FileSystemObject")

    Set oFolderObject = oFSO.GetFolder(sFolderPath)
    If Err.Number <> 0 Then
        TestFolderObject = Err.Number
        Err.Clear ' Clear the error.
    Else
        TestFolderObject = 0
    End If

    Set oFolderObject = Nothing
    Set oFSO = Nothing
End Function
'=============================================================================
' --------------------------------------------------------------------------
' Function is to return the current user logged on
' Function returns the user's name
' --------------------------------------------------------------------------
Function GetLogged_on_Username()
    Dim oNet, sUsername
    On Error Resume Next
    Set oNet = CreateObject("WScript.Network")
    sUsername = oNet.UserName
    GetLogged_on_Username = sUsername
    Set oNet = Nothing ' Destroy the object
End Function



Smile Victor B


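Added example, not part of Victor's post and not his code: the script above treats every error from the share test as a password mismatch and logs nothing, so a DNS or routing failure locks the screen just like a stale cached password. This variant makes the same single SysVol attempt, classifies the Win32 error code, and writes the result to the Application event log, which covers the "capture / log" part of the original question. Assumptions: the share path is the placeholder from the thread, the probe uses a deviceless WScript.Network mapping instead of FileSystemObject so the Win32 code is available, and the grouping of codes into states is this example's own.

```vbscript
Option Explicit
' Added example: one-shot SysVol probe with error classification and logging.
' Run it in the user's session after the VPN is up (launcher, logon script or task).
Const SHARE_PATH = "\\full.domain.name.com\SysVol"     ' placeholder, change per domain
Const EVT_SUCCESS = 0, EVT_ERROR = 1, EVT_WARNING = 2  ' WshShell.LogEvent types

Dim lCode, sState, oShell
lCode = ProbeShare(SHARE_PATH)        ' exactly one attempt, to avoid lockout
sState = ClassifyProbe(lCode)
Set oShell = CreateObject("WScript.Shell")

Select Case sState
    Case "IN_SYNC"
        oShell.LogEvent EVT_SUCCESS, "Cached credential check: domain share reachable."
    Case "CREDENTIAL_MISMATCH"
        oShell.LogEvent EVT_WARNING, "Cached credential check: logon to " & _
            SHARE_PATH & " rejected (Win32 " & lCode & "). Prompting user to re-lock."
        MsgBox "Please select OK and then enter your UPDATED password to unlock " & _
            "your notebook", 0, "Local User Password needs to be updated"
        oShell.Run "RunDll32.exe user32.dll,LockWorkStation"
    Case Else
        ' Expired, locked out, unreachable or unknown: locking would not help,
        ' so record it for the help desk instead of prompting the user.
        oShell.LogEvent EVT_ERROR, "Cached credential check: " & sState & _
            " (Win32 " & lCode & ") for " & SHARE_PATH
End Select
Set oShell = Nothing

' Returns 0 on success, otherwise the Win32 error code of the failed connect.
Function ProbeShare(sPath)
    Dim oNet
    Set oNet = CreateObject("WScript.Network")
    On Error Resume Next
    oNet.MapNetworkDrive "", sPath               ' deviceless: no drive letter used
    If Err.Number = 0 Then
        ProbeShare = 0
        oNet.RemoveNetworkDrive sPath, True, False
    Else
        ' Low word of the HRESULT is the Win32 code; note the trailing & (Long)
        ProbeShare = Err.Number And &HFFFF&
    End If
    Err.Clear
    On Error GoTo 0
    Set oNet = Nothing
End Function

' Maps a Win32 error code to a state name (grouping is this example's choice).
Function ClassifyProbe(lWin32)
    Select Case lWin32
        Case 0
            ClassifyProbe = "IN_SYNC"
        Case 86, 1326              ' ERROR_INVALID_PASSWORD, ERROR_LOGON_FAILURE
            ClassifyProbe = "CREDENTIAL_MISMATCH"
        Case 1330, 1907            ' ERROR_PASSWORD_EXPIRED, ERROR_PASSWORD_MUST_CHANGE
            ClassifyProbe = "PASSWORD_EXPIRED"
        Case 1909                  ' ERROR_ACCOUNT_LOCKED_OUT
            ClassifyProbe = "ACCOUNT_LOCKED"
        Case 51, 53, 67, 1231, 1311 ' path, name, network or logon-server unreachable
            ClassifyProbe = "NETWORK_UNAVAILABLE"
        Case Else
            ClassifyProbe = "OTHER"
    End Select
End Function
```

The events land in the Application log under the WSH source, so they can be collected later to see which laptops keep running on a stale cached password.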
Canni

(Msg. 6) Posted: Fri Oct 17, 2008 2:59 am
Post subject: Re: synchronizing domain user Local cached credentials with domain (VP

Hello,

I am from Germany and I do have the same problem - but without CISCO
VPN-Client. Our VPN-Client is not able to run a script.

What do you prefer? Running the (modified) script by task?

Thanks!
Canni


Canni

(Msg. 7) Posted: Sat Oct 18, 2008 2:18 am
Post subject: Re: synchronizing domain user Local cached credentials with domain

Can someone help me, please? Thanks Smile


JeffreyR

(Msg. 8) Posted: Wed Feb 18, 2009 5:05 pm
Post subject: Re: synchronizing domain user Local cached credentials with domain

Click Start, Run and type GPEDIT.MSC
Under computer configuration, expand \administrative templates\system\logon\.
Select the "Always wait for the network at computer startup" value.
The default state is "not configured". Set this to "On"

Reboot, then VPN in and lock the workstation and unlock with new password.


All times are: Eastern Time (US & Canada)