
Sophos XG Windows Ad/Domain password expired

Hello,

What option does a user who is working completely remotely have to change their AD/Windows password?
(The credentials should be written back to the machine, so all apps like Outlook and the next login use the new password.)

Or do admins nowadays set the password to not expire, since it's safe?

The only option I could think of is opening firewall ports from the VPN to the domain controller, but that sounds dangerous to me.

  • Are they using Remote Desktop, or just file and app access? Is the desktop itself authenticating against AD?

    If the desktop's sign-in is against Active Directory, or they are using Remote Desktop, you can have them press CTRL+ALT+DEL (CTRL+ALT+END if Remote Desktop) and change the password from there.

    This is what we do at our company, and personnel have reminders on their phones to change their password every _ days.

  • If your remote devices are windows domain members, they should have access to a DC while connected.

    They need policies, updates, "machine password changes" and much more.

    So password-changes should be possible for users using these devices too.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • We've got both: we have users who just connect to get their mail.

    But also users who connect and use RDP; usually these users do not have a domain-joined PC at home.
    Our technicians are always outside our country, and we have a policy which lets their password expire.

    Currently there are no firewall ports open, and yes, I know you can do that trick over RDP, but the machine will not get the credentials back. (And sometimes after expiration you can still log into the VPN.)

  • Yeah, but how? The ports to the domain controller are usually closed; I thought there was a safer way which uses the Sophos XG as a forwarder.
    (The people are connecting to open Wi-Fi like in a hotel or at a customer, and I don't want the domain controller to be easily accessible.)

  • We also have a script running in the background which reminds people to change their password (14 days before, once every day), but you know the people, they ignore it :) And then they are locked out when the password expires, can't log in anymore and so on. As an administrator, this is something that should be automated at least.
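A reminder script of the kind described in the post above, written as an added example (it is not the poster's script and not Sophos code). It assumes the RSAT ActiveDirectory PowerShell module is installed on the client, that a domain controller is reachable at the time it runs (for example while the VPN is up), and that it is scheduled to run once a day under the logged-on user; the 14-day warning window is taken from the post, everything else is an assumption.

```powershell
# Added example: warn a logged-on domain user when the AD password is close to expiry.
# Assumes the ActiveDirectory module (RSAT) is installed and a DC is reachable.
param(
    [int]$WarnDays = 14   # matches the "14 days before" reminder window from the post
)

Import-Module ActiveDirectory -ErrorAction Stop

# msDS-UserPasswordExpiryTimeComputed is a constructed attribute (FILETIME); it is
# computed by the DC from the effective password policy, so fine-grained policies are honoured.
$user = Get-ADUser -Identity $env:USERNAME `
    -Properties 'msDS-UserPasswordExpiryTimeComputed', PasswordNeverExpires, PasswordExpired

function Show-PasswordNotice([string]$Text) {
    # Simple desktop message box; any notification mechanism would do here.
    Add-Type -AssemblyName PresentationFramework
    [System.Windows.MessageBox]::Show($Text, 'Password expiry reminder') | Out-Null
}

if ($user.PasswordNeverExpires) {
    Write-Output "Password for $($user.SamAccountName) is set to never expire; nothing to do."
    exit 0
}

$raw = $user.'msDS-UserPasswordExpiryTimeComputed'
# 0x7FFFFFFFFFFFFFFF also means "never expires"; FromFileTime would throw on it.
if (-not $raw -or $raw -eq [Int64]::MaxValue) {
    Write-Output "No expiry date computed for $($user.SamAccountName)."
    exit 0
}

$expiry   = [DateTime]::FromFileTime($raw)
$daysLeft = [math]::Ceiling(($expiry - (Get-Date)).TotalDays)

if ($user.PasswordExpired -or $daysLeft -le 0) {
    Show-PasswordNotice "Your Windows password expired on $($expiry.ToShortDateString()). Connect to the VPN and press CTRL+ALT+DEL to change it."
}
elseif ($daysLeft -le $WarnDays) {
    Show-PasswordNotice "Your Windows password expires in $daysLeft day(s) ($($expiry.ToShortDateString())). Please change it while connected to the VPN."
}
else {
    Write-Output "Password for $($user.SamAccountName) expires in $daysLeft day(s); no reminder needed."
}
```

Because the attribute is computed by the domain controller, the script only gives a meaningful answer while a DC is reachable; on a non-domain-joined home PC or with the VPN down, `Get-ADUser` fails and the scheduled task simply exits, which is the same limitation the thread is discussing.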

  • I would challenge this concept by looking into modern technologies.

    Microsoft addressed this question by using Azure AD with the Microsoft client. No need to interact with an on-prem AD (which makes the entire conversation obsolete).

    Then you can top this design with other technologies like Intune or other software deployments.

    In the end you could replace VPN with approaches like ZTNA, which comes integrated in the technologies above. The end state will be: users can work from home like they work in the company. Zero changes and zero VPN.


  • We are a small company which is sadly on-premise, so hybrid options are a no-go.
    (The users have notebooks which are domain-joined; not sure how you could do this with a completely separate domain.)

    Could you explain how ZTNA works? If I understand correctly, you have a client on each PC which connects to Sophos Cloud, and Sophos Cloud is connected to our servers over a server-side client? And the benefit of ZTNA is that I have the connection only for the application and not for the entire VPN network?

    (And the current internet provider is not fast or reliable enough for us right now.)