Ok, so let's say I am using windows 2000 and I lock my computer via CAD.
I forget my password. I ask the network admin to reset my password. He does so.
I end up remembering my password so I simply type it in and unlock my workstation because I am still using the local copy of my username and password.
Now, the local copy and network copy of my username and password are different.
At which point do the two synchronize?
Does it happen the next time I try to access something on the network?
If this is not clear lemme know and I will try to clarify. Thanks.
Active Directory General Question
They don't synch as such. In fact, you'll find various things get rather pissed off about the situation.
The equation is obfuscated further if you have BDCs and it's even worse if you have a WAN. Most domain controllers will propagate password changes between themselves instantly on a LAN, but if you're part of a WAN you might find there's a lag (I've seen 20-30 mins). It's purely a discretionary call as to how much SAM synch traffic you want on your WAN.
The other thing to remember is if you're on a 2000 network you're not even passing your logon info around to the server, you're giving it a Kerberos ticket, which also has an expiry time.
Regardless, in the situation you're best to log off and reboot (as that will make the machine check the domain controller version of your password before resorting to the cached copy).
- Fallanthas
- Bubba Grizz
Normally we change the password and force them to change on relogging. Usually they are stuck at the login screen anyhow otherwise we tell them to reboot. Sometimes they have to wait for about 15 minutes for the change to take effect but mostly it is almost instant. If it is a lock out then it is easy enough to unlock them. The pain in the ass comes when you are using both Active Directory and User Manager.
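The helpdesk procedure described in the two replies above (reset on the domain side, force a change at next logon, clear a lockout, and be aware that the workstation still holds a cached copy and a Kerberos ticket with its own expiry) as an added PowerShell example. This is not code from the thread or from Microsoft; it assumes a current Windows domain with the RSAT ActiveDirectory module installed rather than the Windows 2000 / User Manager environment the posters describe, and the account name `jdoe` is a placeholder.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT)
# on a current Windows client or server, not Windows 2000 / User Manager.
Import-Module ActiveDirectory

function Reset-HelpdeskPassword {
    param(
        [Parameter(Mandatory)] [string]       $SamAccountName,
        [Parameter(Mandatory)] [securestring] $NewPassword
    )

    # Reset the password on the domain controller. This does NOT touch the
    # cached verifier on the user's workstation, which is why the old password
    # can still unlock a locked console until the machine talks to a DC again.
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $NewPassword

    # Force a change at next logon so the temporary password is short-lived.
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true

    # If the account was locked out (too many bad attempts), clear that too.
    $acct = Get-ADUser -Identity $SamAccountName -Properties LockedOut, PasswordLastSet
    if ($acct.LockedOut) {
        Unlock-ADAccount -Identity $SamAccountName
    }

    # Return the state the helpdesk should see after the reset.
    Get-ADUser -Identity $SamAccountName -Properties LockedOut, PasswordLastSet |
        Select-Object SamAccountName, LockedOut, PasswordLastSet
}

function Get-CachedLogonsCount {
    # How many distinct domain users this workstation will log on from its
    # local credential cache when no DC is reachable (default is 10).
    # Lowering it on shared machines shortens the window in which a
    # stale (reset) password is still accepted at the console.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
}

function Show-KerberosTicketExpiry {
    # The ticket the workstation already holds keeps working until its end
    # time regardless of the reset; klist shows those times. A full log off
    # and log on (or reboot) discards the cached ticket and forces a fresh
    # authentication against the DC with the new password.
    klist | Select-String -Pattern 'Client:|Server:|End Time'
}

# Usage (run as a user with password-reset rights; jdoe is a placeholder):
#   $pw = Read-Host -AsSecureString 'Temporary password'
#   Reset-HelpdeskPassword -SamAccountName 'jdoe' -NewPassword $pw
#   Get-CachedLogonsCount
#   Show-KerberosTicketExpiry
```

`Set-ADAccountPassword -Reset` is an administrative reset and does not require the old password; `Set-ADUser -ChangePasswordAtLogon $true` sets the "user must change password at next logon" flag, which is the modern equivalent of the "force them to change on relogging" step. The replication lag the thread mentions applies here as well: a reset made on one DC reaches the others on the domain's replication schedule, so a user authenticating against a different site can briefly see the old password still accepted.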