Mark Minasi's Tech Forum
pmarsh #1
I'm configuring SSPR for O365 and AD Connect.  This will enable users to reset their passwords when out of the office (not on the domain).

If a user changes the password while off the domain they will have 2 passwords.
The first is the cached password used when logging into the machine, and the second is the one used to authenticate to O365 via AD Connect.

Once they are back on the domain the cached password will be updated to the new password and everything is happy happy.

Is there a way now, other than a VPN, to update the cached password? I see user confusion coming down the pipe.

Is there direction from MS that it's a feature they are working on, or maybe it exists now and I don't know?

TIA
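A helpdesk-side check for the situation described above, written as an added example (not pmarsh's code and not from any Microsoft documentation): it lists, per user, whether the most recent interactive logon on this workstation used cached domain credentials (Security event 4624 logon types 11 and 13) and whether a domain controller is reachable right now, so that the next logon or unlock will refresh the cache. It assumes an elevated PowerShell session on a domain-joined Windows 10 client with default logon auditing.

```powershell
# Added example, not from the thread. Assumes: elevated PowerShell on a
# domain-joined Windows client; default audit policy for logon events.

# How many domain logons Windows keeps cached (default 10 when the value is absent)
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$count = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $count) { $count = '10 (default)' }
Write-Host "CachedLogonsCount: $count"

# True when the secure channel to a DC works, i.e. the next logon refreshes the cache
$dcReachable = $false
try { $dcReachable = Test-ComputerSecureChannel -ErrorAction Stop } catch { }
Write-Host "Domain controller reachable now: $dcReachable"

# 4624 logon types of interest: 2 interactive, 7 unlock, 11 cached interactive, 13 cached unlock
$typeNames = @{ '2' = 'Interactive'; '7' = 'Unlock'; '11' = 'CachedInteractive'; '13' = 'CachedUnlock' }

# Newest events come first, so the first hit per user is that user's most recent logon
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
                       -MaxEvents 500 -ErrorAction SilentlyContinue
$seen = @{}
foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if (-not $typeNames.ContainsKey($d.LogonType)) { continue }
    # Skip computer accounts and built-in session accounts
    if ($d.TargetUserName -like '*$' -or $d.TargetDomainName -in 'NT AUTHORITY', 'Window Manager') { continue }
    $key = "$($d.TargetDomainName)\$($d.TargetUserName)"
    if ($seen.ContainsKey($key)) { continue }
    $seen[$key] = [pscustomobject]@{
        User            = $key
        LastLogon       = $e.TimeCreated
        LogonType       = $typeNames[$d.LogonType]
        UsedCachedCreds = ($d.LogonType -in '11', '13')
    }
}
$seen.Values | Sort-Object LastLogon -Descending | Format-Table -AutoSize
```

A user showing UsedCachedCreds = True together with "Domain controller reachable now: False" is exactly the two-password state the post describes; once the DC is reachable, a lock and unlock with the new password refreshes the cached verifier.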
wobble_wobble #2
Simple answer no.

More complex answer: not easily without a VPN.
You could look to deploy DirectAccess, if the business is big enough or you want to change the VPN solution (I say DA as there is less end-user interaction and therefore fewer end-user issues).
But not 100% ideal.

__________________
Have you tried turning it off and walking away? The next person can fix it!
lady_mcse #3
I sure would hate for you to hold me to this, but I work remotely 100% of the time, and I could swear that my last password change was way easier with O365 in place. We're using 2-factor auth, so I regularly have to accept a validation from a phone app, but I sort of think that once I was validated to portal.office.com through a browser and my mobile app, all I had to do was lock and unlock my workstation for everything to sync up.

Now I do also have VPN access, so it's possible my rusty brain is failing me here, but I'm pretty sure I was exploring the boundaries of laziness for the purposes of simulating what other end-users have to do (e.g. not doing VPN unless I absolutely had to). 
Wes #4
DA ftw
pmarsh #5
Thank you folks for the input, much appreciated.

Per MS support there is a thing called Azure Active Directory Join that is supposed to address this problem: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-azureadjoin-overview

Documentation, as always these days, is all over the place and gives you a million different options for a million different scenarios. Following the links in each doc, I land on the following steps:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup

HOLY CRAP. I've been working with MS environments since NT and this is the most complicated and confusing thing I think I've run into over the years... as the kids would say, FML.
wobble_wobble #6
Anne: You have a VPN in place...
Paul: I have a particular hatred for Azure AD Joined machines that could be domain joined.
You'll need Intune, won't be able to use GPO, and for giggles you get issues with OneDrive (more issues than a domain-joined machine).


donoli #7
pmarsh, not to hijack the thread, but is the password change that you mentioned a GPO-forced password change after a certain time frame? I know that some companies insist on a regular password change, but I wonder if it's really a good policy or not. It forces users to "grasp at straws" to comply. That can make the new password weaker than the previous password.
pmarsh #8
Wobble: Go on about the hatred for Azure AD Join, please share your experiences.

Donoli: Yes, GPO policies are in place: change every X, remember last X, minimum length and required complexity.
lady_mcse #9
Quote, originally posted by pmarsh:
HOLY CRAP. I've been working with MS environments since NT and this is the most complicated and confusing thing I think I've run into over the years... as the kids would say, FML.

I am soooo glad to hear someone else say that... I'm starting to feel like the coworkers I scoffed at 20 years ago when they were talking about the glory days of mainframes. What goes around comes around, I guess.

Dinosaurette signing off ...
wobble_wobble #10
Quote, originally posted by pmarsh:
Wobble: Go on about the hatred for Azure AD Join, please share your experiences.

My experience comes from supporting others, as I don't use OneDrive except as a web experience.

1. Azure AD Joined Surface Pro and Surface Books + OneDrive (both versions, Business and home), syncing and resyncing and filling up disks.
2. Azure AD Joined Surface Pro and Surface Books confusing the end user with home + business OneDrive.
3. Devices not being internet connected for several months, causing issue 1.
4. Not being able to manage the device with AD tools. So you need two skill sets for patching, AV reporting, usage reporting, inventory reporting.


Bit of a rant now...

My general opinion of "business machines" is that I support the backup of the business data by putting it "on my servers", and I'll spend 30 minutes troubleshooting an end-device issue, then wipe and re-install.
The more easily deployed (and sold by marketing) option of Azure AD Joined machines means that we now have 2 explanations for people who don't want to listen to us IT people about recovering data, which gets merged into 1 opinion by the end user, which means we look like the bad guys, because we didn't buy Intune / backup of end-point devices, or more training, because we spent the budget on the Surface Book Pros...

And yes, IT is getting harder... the rate of change in what we sell/support means that your cookie-cutter solution needs to change almost weekly. New solutions are being deployed almost weekly from SaaS solutions that were baked into client/server/MVC solutions. But as they are drip released, you never get the project finished. And let's not forget the renaming of a solution/SaaS... seriously, we need a stupid stick to hit these people who rename a service every 6 months. Telling me about the change on social media is not a solution, as I'm too busy doing my job and living my life with my kids to spend 3 hours a day reading repeated, slightly changed marketing. Bring back TechNet Magazine, I say, and limit it to 20 pages a month!

I'm now going to go have a drink!
