Password policies not honored when disconnected

It's funny how some things seem so obvious to many of us who work at the mothership that we don't seem to realize they are not obvious to others. A couple of days ago we received a report that password policies were not being honored when a domain member is not connected to the domain. Specifically, the "Maximum password age" setting was configured on the domain and the password had expired, but the user received no notification when logging on. The user was using a domain account that was cached on the client using the cached credentials ("Number of previous logons to cache" setting) feature.

Well, this was well known, at least to some, and it makes a lot of sense really. If the password has expired, you must create a new one. However, you cannot create a new one unless you are connected to a domain controller. Therefore, since you cannot create a new one, you do not get notified that the password has expired until you actually connect back to the domain. In other words, the "Maximum password age" setting is only honored when you are connected to the domain. If you log on to a disconnected client and subsequently reconnect, you will only get a prompt when you either log off and back on, or when you lock and unlock the system. If you run a network and find this unacceptable, you may want to consider using a script on your VPN server that prompts the user to change their password. This can be done using a post-connect script, for instance.
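Here is what such a post-connect script can look like, as an added example rather than code from the original post. It runs on the client as the logged-on user once the tunnel is up, asks a domain controller for the account's real expiry time, and, if the password has expired or is about to, tells the user and locks the workstation so that the unlock (which re-authenticates against the domain, as described above) brings up the change-password prompt the cached logon skipped. It assumes a domain controller is reachable through the VPN, that the domain controllers are Windows Server 2008 or later (the `msDS-UserPasswordExpiryTimeComputed` constructed attribute it reads is not available on older ones), and a five-day warning threshold chosen for the example.

```powershell
# Added example for this post, not code from the original author or from Microsoft.
# Intended to run on the client, as the logged-on user, from a VPN post-connect hook.
# Assumptions: a domain controller is reachable through the tunnel; the DCs are
# Windows Server 2008 or later (msDS-UserPasswordExpiryTimeComputed is a constructed
# attribute that appeared there); WarnDays is an arbitrary threshold for the warning.
param(
    [int]$WarnDays = 5
)

$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl flag "Password never expires"

function Get-DomainPasswordExpiry {
    # Returns the expiry as a DateTime, or $null if the password never expires.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$($env:USERNAME)))"
    [void]$searcher.PropertiesToLoad.Add("userAccountControl")
    [void]$searcher.PropertiesToLoad.Add("msDS-UserPasswordExpiryTimeComputed")

    $entry = $searcher.FindOne()
    if ($null -eq $entry) { throw "No domain account named $env:USERNAME was found" }

    $uac = [int]$entry.Properties["useraccountcontrol"][0]
    if ($uac -band $ADS_UF_DONT_EXPIRE_PASSWD) { return $null }

    $raw = [long]$entry.Properties["msds-userpasswordexpirytimecomputed"][0]
    # 0x7FFFFFFFFFFFFFFF is returned when no maximum password age applies.
    if ($raw -le 0 -or $raw -eq [long]::MaxValue) { return $null }
    return [DateTime]::FromFileTime($raw)
}

try {
    $expiry = Get-DomainPasswordExpiry
}
catch {
    $ex = $_.Exception
    if ($ex.InnerException) { $ex = $ex.InnerException }
    # The Win32 code is the low word of the COM HRESULT (0x8007xxxx).
    $win32 = if ($ex.PSObject.Properties["ErrorCode"]) { $ex.ErrorCode -band 0xFFFF } else { 0 }
    # 1326 = logon failure, 1330 = password expired, 1907 = password must change.
    # From a cached-credential session an expired password shows up here, because the
    # DC refuses the Kerberos/NTLM handshake before the LDAP query runs (assumption:
    # adjust the list if your environment reports a different code).
    if ($win32 -in 1326, 1330, 1907) {
        Write-Warning "Domain rejected the cached credentials (Win32 error $win32); treating the password as expired."
        $expiry = Get-Date
    } else {
        Write-Warning "Domain not reachable, skipping the password check: $($ex.Message)"
        exit 0
    }
}

if ($null -eq $expiry) { exit 0 }    # password never expires, nothing to do

$remaining = $expiry - (Get-Date)
if ($remaining.TotalDays -gt $WarnDays) {
    Write-Host ("Domain password expires in {0:N1} days." -f $remaining.TotalDays)
    exit 0
}

if ($remaining.TotalSeconds -le 0) {
    Write-Host "Your domain password has expired."
} else {
    Write-Host ("Your domain password expires in {0:N1} days." -f $remaining.TotalDays)
}
Write-Host "Locking the workstation. Unlocking it while the VPN is connected re-authenticates against a domain controller and shows the change-password prompt."
Start-Sleep -Seconds 10   # give the user a moment to read the message

# Locking and unlocking is the path the post describes for getting the prompt back.
Start-Process -FilePath rundll32.exe -ArgumentList "user32.dll,LockWorkStation"
```

Two things to keep in mind when wiring this in. First, the query has to run in the user's own session (not as SYSTEM from the VPN service), because it is the user's cached logon that needs re-validation. Second, the `Start-Process` lock is what makes the script actually work: merely printing a warning leaves the user in exactly the situation the report above describes, since nothing on the client will volunteer the expiry notice until the next logon or unlock.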

The same behavior happens with account lockout settings. Of course, IMNSHO, you should never set yourself up for a trivial denial of service by using account lockout anyway. Use good passwords instead, and you won't need to worry about account lockout.