HELP: Remote user can't log in to domain while disconnected.

MysticLlama

Golden Member
Sep 19, 2000
1,003
0
0
This one is driving me crazy.

It's happened more than once with this user, and I can't figure out what is causing it. She gets out of town with her laptop and then can't log in with her regular domain password. I've verified that she's logging in to the domain, not her local box, that she's using the right username and password.

Somehow her cached credentials blow up when she goes on a big trip. And it's not always the first day, or when she's out and about close to here, always right smack in the middle of a big trip.

The problem is that now she can't use her e-mail or anything because it's attached to her domain profile, not her local one. I need to synchronize the domain password between here and there to get it fixed and/or reset.

I have it available online right now connected to the VPN (over dialup, ick).

It's WindowsXP Pro and the tools at my disposal are the VPN and Remote Desktop, and I can do pretty much anything that doesn't require a person on the actual computer. She's in meetings and won't be back at the hotel until around 6ish.

Thanks in advance for any ideas.
 

MysticLlama

I have three full-time laptop users (they use docks while in the office) and hers is the only one that ever does this. The others work just fine. Because of that I don't think it's a group policy gone awry or anything.
 

MysticLlama

It shouldn't be a profile thing, no one has roaming profiles at all, and I checked and hers is a local.

I think I may have fixed it...

With it logged in to the VPN, and remote desktop connected into it, I went to Windows Security (as her local user) and did a change password and it gave me a dropdown to pick the domain user. It connected okay with the domain controller, so I'm hoping it updated it on the laptop as well. I haven't heard anything from her yet, and that's usually a good thing. :)
 

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
There is a registry setting which tells the client how many logons to cache...is hers different from the others? (and is her usage pattern different from the other users?)
Is she getting a password expiration while she's away from the domain? Only if you force password changes. If so, have her change her password the day before she leaves on a trip.

Other than what was already posted, I have no ideas. Very odd behaviour.
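
On Windows XP the setting mentioned in the post above is the `CachedLogonsCount` value (REG_SZ, default 10, 0 disables caching) under the Winlogon key. The following is an added example, not part of the original thread, that reads it from several laptops over the Remote Registry service so the problem machine can be compared with the working ones; the computer names are hypothetical placeholders and the script assumes it runs from an admin workstation with PowerShell 3 or later.

```powershell
# Added example: compare the cached-logon limit across laptops.
# Computer names are hypothetical placeholders; replace with real ones.
$computers = 'LAPTOP-A', 'LAPTOP-B', 'LAPTOP-C'
$keyPath   = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$valueName = 'CachedLogonsCount'
$default   = 10   # Windows default when the value is absent

$results = foreach ($name in $computers) {
    $hklm = $null; $key = $null
    $row = [pscustomobject]@{ Computer = $name; Effective = $null; Note = '' }
    try {
        # Requires the Remote Registry service on the target and admin rights.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $name)
        $key  = $hklm.OpenSubKey($keyPath)
        $raw  = if ($key) { $key.GetValue($valueName) }
        if ($null -eq $raw) {
            $row.Effective = $default
            $row.Note = 'value not set; default applies'
        } else {
            $row.Effective = [int]$raw   # stored as a string
            if ($row.Effective -eq 0) {
                $row.Note = 'caching disabled: offline domain logon will fail'
            }
        }
    } catch {
        $row.Note = "error: $($_.Exception.Message)"
    } finally {
        if ($key)  { $key.Close() }
        if ($hklm) { $hklm.Close() }
    }
    $row
}

$results | Format-Table -AutoSize

# Flag a mismatch between machines that answered.
$distinct = $results | Where-Object { $null -ne $_.Effective } |
            Select-Object -ExpandProperty Effective -Unique
if (@($distinct).Count -gt 1) {
    Write-Warning 'CachedLogonsCount differs between machines.'
}
```

A low value matters on a shared or re-imaged laptop because each different domain account that logs on takes one cache slot, and the oldest entry is dropped once the limit is reached.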
 

Saltin

Platinum Member
Jul 21, 2001
2,175
0
0
It is my opinion that laptop users should be logging in locally when they are away from the domain. You can easily set the properties of the local account to use the domain profile, just make sure the local account has the same username and password as the domain account.

Cached credentials are A Bad Thing, IMO.
 

Woodie

For once, I'll have to disagree with you Saltin.

While cached logins are a security risk, the disadvantages of local logins outweigh the advantages.

1. Maintaining two profiles (local + domain) --
2. User GPOs - only apply to the Domain account --
3. Multiple passwords: The domain one can be forced at intervals, while the local could be on a different cycle --
4. EFS - Because of the separate profiles, makes it much more likely for the user to try and avoid EFS, which can be a significant benefit when trying to protect data on a laptop --
5. Using Outlook w/ Exchange and AD, can break email --

In general, the more you leverage W2K/XP with Active Directory, the less you want *any* local accounts.

OnTopic: When her machine stops working in the middle of a trip and you fix it, when does it break again? Is it a time-related (number of days) thing?
 

MysticLlama

Well, I talked to her this morning and it's working just fine today, so I must have got it fixed.

The cause of it does still elude me though.

Her password is set to "never expire", and the only reason I did that was because of this problem. I was hoping it would get around it, but it's happened twice since I did that, so it's not an expiration thing.

Her usage is pretty much the same as anyone else, and it only happens on trips, it drives me crazy.

The one big problem that I encounter is her e-mail, since that's the only thing she wants to use for trips anyway. If she just wanted to log into the network and use our other stuff, that'd be easy, but noooo she wants e-mail for some reason. ;)

I guess it gets me because her setup is exactly the same as the other two laptops, but is the only one that does it. I know she must be doing something to it, I just can't imagine what.