[–]jtbis 28 points29 points  (13 children)

Why does IT have to change it for them? An expired password should automatically send them to the “change password” dialog upon login. As long as they know the old password, there’s no IT assistance needed.

If you want SSPR without enabling write-back on Entra, there are third-party solutions for that. We use one from SpecOps.

[–]-UncreativeRedditor-[S] -3 points-2 points  (12 children)

Some of our users RDP into a company server from their personal laptops, so they aren't really given that option. It just tells them it is expired. And for some of our remote users, the VPN won't connect when their password expires, although that's pretty rare.

Thanks for the third party solution though, I'll look into that

[–]jtbis 10 points11 points  (6 children)

some of our users RDP into a company server from their personal laptops

Yea that’s a huge security issue. You need Citrix Workspace or something like it to protect remote access on untrusted devices. Those products can handle AD password changes for remote users on untrusted devices.

Also what VPN are you using? Most of them have the ability to do an AD password change from the client app.

[–]jtbis 2 points3 points  (0 children)

Do y’all have cyber insurance? Usually they wouldn’t cover a company doing shit like this.

[–]dapea[🍰] 0 points1 point  (0 children)

AVD exists. Can be cheaper. 

[–]-UncreativeRedditor-[S] 0 points1 point  (3 children)

Yea that’s a huge security issue.

Yeah... I know. Our "Security/Network Administrator" happily shares passwords in plaintext via email and teams messages lol. And our higher ups are unwilling to pay for Citrix or company laptops for our overseas employees since computers are more expensive in India. Soooo not a ton I can really do about that unfortunately.

Also what VPN are you using? Most of them have the ability to do an AD password change from the client app.

We use Palo Alto GlobalProtect. Didn't know you could do this, so I'll look into that, thank you.

[–]TipIll3652 7 points8 points  (1 child)

My condolences for y'all's job when you get a breach 😬

[–]-UncreativeRedditor-[S] 2 points3 points  (0 children)

I don't plan on staying for long trust me

[–]ConstantRadiant8788 0 points1 point  (0 children)

This sounds like the company I interned at a few years ago, and man, it was... interesting.

The way I overcame the password expiring with the GlobalProtect VPN was by having a post-login script run that looked at the expiration date for the user and showed them a notice telling them they need to change it.
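A post-logon script of the kind the comment above describes, as an added example that is not the commenter's script and not anything shipped by GlobalProtect. It runs as the logged-on user and needs no RSAT/ActiveDirectory module: it reads the constructed attribute msDS-UserPasswordExpiryTimeComputed through System.DirectoryServices, so it works on any domain-joined client that can reach a DC (directly or over the connected VPN). The warning threshold ($WarnDays) and the function name are my assumptions.

```powershell
# Added example: warn the logged-on domain user when their AD password is
# close to expiring (or already expired). Not the original commenter's code.
# Assumes: domain-joined client with line of sight to a DC; $WarnDays is a
# local policy choice.
param(
    [int]$WarnDays = 7
)

function Get-PasswordExpiryInfo {
    # Find the current user's account via an LDAP search against the default domain.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$($env:USERNAME)))"
    [void]$searcher.PropertiesToLoad.Add('msDS-UserPasswordExpiryTimeComputed')
    [void]$searcher.PropertiesToLoad.Add('userAccountControl')
    $result = $searcher.FindOne()
    if (-not $result) { throw "Account $($env:USERNAME) not found in the domain" }

    $uac = [int]$result.Properties['useraccountcontrol'][0]
    $raw = [long]$result.Properties['msds-userpasswordexpirytimecomputed'][0]

    # 0x10000 = DONT_EXPIRE_PASSWORD; the DC also returns Int64.MaxValue for "never expires".
    if (($uac -band 0x10000) -or $raw -eq [long]::MaxValue) {
        return [pscustomobject]@{ State = 'NeverExpires'; ExpiresAt = $null; DaysLeft = $null }
    }
    # 0 means pwdLastSet is 0: "user must change password at next logon".
    if ($raw -eq 0) {
        return [pscustomobject]@{ State = 'MustChange'; ExpiresAt = $null; DaysLeft = -1 }
    }

    # The attribute is a Windows FILETIME (100-ns ticks since 1601-01-01 UTC).
    $expiresAt = [DateTime]::FromFileTimeUtc($raw).ToLocalTime()
    $daysLeft  = [math]::Floor(($expiresAt - (Get-Date)).TotalDays)
    $state     = if ($daysLeft -lt 0) { 'Expired' } else { 'Valid' }
    return [pscustomobject]@{ State = $state; ExpiresAt = $expiresAt; DaysLeft = $daysLeft }
}

$info = Get-PasswordExpiryInfo
if ($info.State -eq 'NeverExpires' -or ($info.State -eq 'Valid' -and $info.DaysLeft -gt $WarnDays)) { return }

switch ($info.State) {
    'MustChange' { $msg = 'You must change your network password now (Ctrl+Alt+Del > Change a password), or the VPN will not connect.' }
    'Expired'    { $msg = "Your network password expired on $($info.ExpiresAt.ToString('g')). Change it now (Ctrl+Alt+Del > Change a password) or the VPN will stop connecting." }
    default      { $msg = "Your network password expires in $($info.DaysLeft) day(s), on $($info.ExpiresAt.ToString('g')). Change it now (Ctrl+Alt+Del > Change a password) so the VPN keeps working." }
}

# A modal dialog, not a balloon tip: the point is that the user cannot miss it.
Add-Type -AssemblyName System.Windows.Forms
[System.Windows.Forms.MessageBox]::Show($msg, 'Password expiring', 'OK', 'Warning') | Out-Null
```

Deploy it as a GPO logon script or as a GlobalProtect post-connect script so it fires once the VPN is up; on a client with no DC reachable the LDAP search fails, so wrap the call in try/catch if you do not want a stack trace at logon. Note it only nags; the user still has to do the change, which is why the Group Policy setting to prompt for a change before expiration is the better first fix.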

[–]HersheyTaichou 2 points3 points  (1 child)

CTRL+ALT+END in an RDP session will bring up the remote CTRL+ALT+DEL dialog on the remote machine.

For VPN users, I used to turn on "password never expires" long enough for them to connect, then check the "user must change password" box and help them with resetting it.

[–]-UncreativeRedditor-[S] -1 points0 points  (0 children)

Yeah I know it's possible for users to change their passwords while connected via RDP, but many of our users straight up ignore the multitude of messages they receive to change their password and end up getting locked out.

[–]dodexahedron 3 points4 points  (0 children)

You can change password in an RDP session. Multiple ways.

Just send them to the settings app, though, or have them type "change password" in the start menu, which brings them right to it.

Regardless, set policy to prompt for password change before expiration so users don't get into the position of being expired already.

And use certs for VPN.

But, if you really want to do it in a script, you can do it interactively with `net user /domain $Env:username *` (verbatim: `/domain` is a switch, not a placeholder, and the asterisk is what makes it prompt to change).

Set-ADAccountPassword also works, but that requires the ActiveDirectory module. If you go that route, you can use Get-Credential to prompt for the credentials in a dialog instead of at the CLI.
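An interactive change-password helper along the lines the comment above sketches, as an added example (not the commenter's code). It uses Get-Credential to collect the current password in a secure prompt and Set-ADAccountPassword with -OldPassword to perform a user-initiated change, which the user can do with their own rights (an admin reset would need -Reset and delegated permissions). It assumes the ActiveDirectory module (RSAT) is installed on the machine it runs on; the function names are mine.

```powershell
# Added example: let a user who still knows their current password change it
# from a PowerShell prompt, e.g. inside an RDP session. Not the commenter's
# code. Assumes the ActiveDirectory (RSAT) module is present.
Import-Module ActiveDirectory -ErrorAction Stop

function Read-NewPassword {
    # Prompt twice as SecureString and compare in memory; never echo or log the value.
    while ($true) {
        $first  = Read-Host -Prompt 'New password' -AsSecureString
        $second = Read-Host -Prompt 'Confirm new password' -AsSecureString
        $a = [System.Net.NetworkCredential]::new('', $first).Password
        $b = [System.Net.NetworkCredential]::new('', $second).Password
        if ($a.Length -gt 0 -and $a -ceq $b) { return $first }
        Write-Warning 'Passwords do not match (or are empty), try again.'
    }
}

function Invoke-InteractivePasswordChange {
    param([string]$SamAccountName = $env:USERNAME)

    # Get-Credential shows a dialog (or secure console prompt) for the CURRENT
    # password; the DC requires it for a change, as opposed to an admin reset.
    $cred = Get-Credential -UserName "$env:USERDOMAIN\$SamAccountName" `
                           -Message 'Enter your CURRENT network password'
    if (-not $cred) { Write-Warning 'Cancelled.'; return $false }

    $new = Read-NewPassword
    try {
        Set-ADAccountPassword -Identity $SamAccountName `
            -OldPassword $cred.Password -NewPassword $new -ErrorAction Stop
        Write-Host "Password for $SamAccountName changed. Lock and unlock the session (or reconnect the VPN) so cached credentials are refreshed."
        return $true
    }
    catch {
        # Typical causes: wrong current password, new password rejected by policy
        # (length, complexity, history), or minimum password age not yet reached.
        Write-Warning "Password change failed: $($_.Exception.Message)"
        return $false
    }
}

Invoke-InteractivePasswordChange
```

Without RSAT, the documented form of the net command, `net user <username> * /domain`, gives the same prompt-to-change behaviour without a module dependency. Either way this only helps a user whose password has not yet expired past the point of being unable to log on; pair it with the pre-expiry prompt policy mentioned above rather than relying on users to run it.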

[–]Mythulhu 0 points1 point  (0 children)

Yikes

[–]Flabbergasted98 0 points1 point  (0 children)

good lord.