We have users working from home. They access the corporate network using cached logins via dial-up ISPs, and then use VPN (using Check Point VPN-1). The problem is that when a user's password expires on the domain, the user can no longer use remote access until he/she comes into the office and logs into the domain. Is there a mechanism to change a password after you have logged in (using the cached login)?
I think you have correctly identified the problem: the clients are using a cached password; they don't have a current domain logon. Here's what might be happening: the client is looking for the name of the primary domain controller (PDC) emulator in the domain and wants to establish an RPC (remote procedure call) connection with the Local Security Authority (LSA) on the PDC emulator. By default, LSA has no endpoint mapped for TCP/IP -- it works with named pipes. Clients logged onto the domain have no problem making a named pipes connection and changing their passwords. (Therefore, your folks go to the office and can do so -- they are logging on to the domain.)
So, what can we do? Well, there is a registry tweak that you can try. However, remember all the dire warnings about modifying the registry and all that -- have a backup, etc. -- then change the registry on the PDC emulator in the domain (find the PDC emulator by using the netdom query FSMO command). The registry key is: HKLM\System\CurrentControlSet\Control\LSA. Add a value called TCPIPClientSupport with a data type of REG_DWORD and give it a value of 1. Then restart the PDC emulator.
I am told this value is case sensitive. You can read more about this problem by looking at KB article 236111. I don't know if there will be a problem with this over Check Point VPN-1. Let me know if this solves your problem.
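The procedure in the answer above (locate the PDC emulator, back up the LSA key, add the TCPIPClientSupport DWORD, then restart), as an added PowerShell example that is not part of the original post. It assumes the ActiveDirectory module (RSAT) is installed where the script runs and that PowerShell remoting to the PDC emulator is allowed; the backup file name under $env:TEMP is a choice made here, not something the answer specifies.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module and PowerShell remoting to the PDC emulator are available.

# Locate the PDC emulator (same information as "netdom query FSMO").
$pdc = (Get-ADDomain).PDCEmulator

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$name    = 'TCPIPClientSupport'

Invoke-Command -ComputerName $pdc -ScriptBlock {
    param($keyPath, $name)

    # Read the current value, if any, so the change is idempotent.
    $current = (Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -eq 1) {
        "$env:COMPUTERNAME: $name is already 1, nothing to do"
        return
    }

    # Back up the Lsa key before modifying it (assumed backup location).
    $backup = Join-Path $env:TEMP ("Lsa-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' $backup /y | Out-Null
    "$env:COMPUTERNAME: Lsa key exported to $backup"

    # Add (or overwrite) the REG_DWORD value with data 1.
    New-ItemProperty -Path $keyPath -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    "$env:COMPUTERNAME: $name set to 1; a restart is required for LSA to pick it up"
} -ArgumentList $keyPath, $name

# The answer says to restart the PDC emulator once the value is in place.
# Run this deliberately, in a maintenance window:
# Restart-Computer -ComputerName $pdc -Force
```

Because the setting causes LSA on the PDC emulator to accept the password-change RPC over TCP/IP rather than only over named pipes, it widens what that host exposes on the network; restricting reachability of the PDC emulator to the VPN address ranges that actually need it is the sensible accompanying control.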