Password Mess - Trust relationship problem
I have a remote user. He works from home at his desktop computer (let's call it HOMEBOX) that is a member of our Windows 2003 R2 domain. He logs on to his computer and is authenticated by cached settings, then he fires up a VPN connection to our office and runs Remote Desktop to connect to a computer (let's call it OFFICEBOX) in the office. Every six months he is required to change his password.

So last week he changed his password on OFFICEBOX while in an RDP session over VPN from his HOMEBOX. He then disconnects and walks away. I believe the VPN tunnel is active. When he comes back, the screen is locked on HOMEBOX and he presses Ctrl-Alt-Del and types in his new password to unlock the machine. It doesn't work; he gets a message that the password is wrong (it is not the password he had used to log onto his machine), so he tries his old password and then gets the message that the trust relationship between workstation and the domain has failed. The only thing he can do is restart his HOMEBOX computer. After restarting, he can log in using his old password, but if he creates a VPN tunnel and steps away from his computer for an hour so the screen locks, the same thing happens again and he cannot unlock the computer with either password. He has to reboot again. He is tired of rebooting.

I tried changing his domain password back to his old one. That didn't work. If HOMEBOX was in the office it would authenticate him with real-time domain settings, but HOMEBOX is 3000 miles away, so I can't just have him bring it into the office. In the worst case I would simply remove HOMEBOX from the domain and then add it back. But I am not sure if that will work with the VPN connection. When he logs into HOMEBOX, it always uses cached settings to authenticate him, because he is only connected to the domain after establishing the VPN tunnel. Any suggestions? Thanks in advance.
February 7th, 2012 8:28pm

The error indicates the machine has been unable to contact a domain controller for more than 30 days to reset its secure channel password. Unless the VPN is persistent (i.e., established through an external device), joining computers to the domain in this fashion is not a good idea... unless you have the capability to upgrade to Windows Server 2008 R2 and Windows 7 clients, in which case you have better options. More than likely, if you look at the System event log on this machine, I would expect many Netlogon errors.

You can try this article to fix this particular error... but VPN connectivity will be required to do so:
http://technet.microsoft.com/en-us/library/cc788073(WS.10).aspx

In the future, to prevent this, as soon as a password reset is performed, a command such as the following should be run from HOMEBOX to update its cached password (lock and unlock will also work):

runas /user:domain\user notepad.exe

It will prompt for a password, they type in the new one, and the cache should be updated....

Brandon Wilson - Premier Field Engineer (Platforms)
February 8th, 2012 2:53pm

Thanks Brandon. I will look into netdom. I was able to solve the problem through a rather laborious series of steps. The VPN is not persistent, BTW.

1. User logged in to HOMEBOX using domain account and old PW and established the VPN connection.
2. I remoted in to HOMEBOX, logging in as localadmin, and unjoined HOMEBOX from the domain.
3. User restarted HOMEBOX, logged in as localadmin, established VPN connection.
4. I remoted in to HOMEBOX, logging in as localadmin, and rejoined HOMEBOX to the domain.
5. User restarted HOMEBOX, logged in as localadmin, established VPN connection.
6. I remoted in to HOMEBOX, logging in with user's domain account, and then logged off.
7. User was then able to log in to HOMEBOX using his domain account and new password.
February 14th, 2012 4:52pm
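As an added illustration (not code from either poster or from the linked TechNet article), the following PowerShell script checks the two things Brandon's answer turns on: whether a domain controller is actually reachable over the VPN, and whether the workstation's secure channel (machine account password) is still valid. When it is broken, the script can reset it in place with Test-ComputerSecureChannel -Repair, which is the built-in alternative to the netdom reset the article covers and to the unjoin/rejoin sequence in the steps above. It assumes a Windows 7 / Server 2008 R2 or later client (the cmdlet does not exist on XP/2003), an elevated PowerShell session on HOMEBOX with the tunnel already up, and that $env:USERDNSDOMAIN names the domain the machine is joined to; the -Domain and -Repair parameters and the Get-NetlogonProblems helper are this script's own, not anything from the thread.

```powershell
# Secure-channel health check and optional repair for a VPN-connected domain member.
# Added example; assumes Windows 7 / 2008 R2+ with PowerShell 2.0+, run elevated
# on the workstation (HOMEBOX) while the VPN tunnel to the office is connected.
param(
    [string]$Domain = $env:USERDNSDOMAIN,   # assumption: the domain this machine is joined to
    [switch]$Repair                         # reset the machine password only when explicitly asked
)

function Get-NetlogonProblems {
    # Recent NETLOGON errors/warnings in the System log (e.g. 5719 "no DC available")
    # are the symptom Brandon says to expect when the machine has not seen a DC in weeks.
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.Level -le 3 } |   # Level 2 = Error, 3 = Warning
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# 1. A DC must be reachable through the tunnel; without that no repair can succeed.
$dcInfo = nltest /dsgetdc:$Domain 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning "No domain controller for $Domain is reachable. Bring the VPN up and retry."
    exit 1
}
Write-Host "Domain controller located:`n$($dcInfo -join "`n")"

# 2. Verify the machine account's secure channel; this is what the
#    "trust relationship between this workstation and the domain has failed" error is about.
if (Test-ComputerSecureChannel) {
    Write-Host "Secure channel to $Domain is healthy."
}
else {
    Write-Warning "Secure channel to $Domain is broken. Recent Netlogon events:"
    Get-NetlogonProblems | Format-Table -AutoSize

    if ($Repair) {
        # Resets the machine account password on the DC and locally in one step,
        # so the computer does not have to leave and rejoin the domain.
        # Prompts for an account allowed to reset this computer object's password.
        $cred = Get-Credential
        if (Test-ComputerSecureChannel -Repair -Credential $cred) {
            Write-Host "Secure channel repaired. Have the user lock/unlock or log off and on"
            Write-Host "with the VPN up so the new user password is cached (per Brandon's note)."
        }
        else {
            Write-Warning "Repair failed. Fall back to netdom reset (linked article) or unjoin/rejoin."
        }
    }
    else {
        Write-Host "Re-run with -Repair to reset the secure channel over the VPN."
    }
}
```

Run it once without -Repair to confirm the diagnosis (DC reachable, channel broken, Netlogon backlog in the log), then with -Repair. The repair fixes only the computer account; the user's cached credential is a separate thing, which is why the final step still needs a lock/unlock or logon while the tunnel is connected, exactly as Brandon described.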

