Laptops joined to the domain

Hey guys,

Currently we don't join laptops to our domain because a lot of our employees work remotely and because of our password policy. We have a password policy in place that might affect mobile laptop users, since they are never in the office. How do you go about managing the policy for users' laptops that don't come into the office but VPN in? What happens if their password is changed on the workstation at work or in OWA, but their laptop doesn't recognize the new password? Thoughts? Any feedback would be awesome.

March 31st, 2015 1:13am

Hi,

>>What happens if their password is changed on the workstation at work or OWA, but their laptop doesn't recognize the new password

The passwords of domain users are stored in the Active Directory database but not on local computers. If a computer is joined to a domain, and when a domain user logs on, the user is authenticated against one of the domain controllers but not the local computer he or she is logging onto.

Best regards,
Frank Shen

April 1st, 2015 11:10pm

We join almost everything to our domain. (Local accounts are strongly discouraged in my organisation).

In your scenario, do your users not use the laptop at the office often? (they don't use it at the office and then take it home/away)?

Do they have more than one computer, and the laptop stays at home?

This can certainly cause the locally-cached password to become "out of sync" with the domain password for that user account.

In such cases, use the old/previous domain user\password to log on, then connect the VPN, then "lock" the screen, which requires the current domain user\password to unlock. This causes the cached user\password to be re-cached with the latest password.

This assumes that your VPN solution retains the VPN connection during the screen-lock phase.

Similar challenges exist for those users who have multiple devices, e.g. phones, tablets and multiple computers: each device will have a cache, and each needs to be updated, either manually or via re-sync.

Or do I misunderstand?

April 2nd, 2015 2:40am

This topic is archived. No further replies will be accepted.
