Occasionally, a remote employee who is not near an office may forget their Windows password. If they are currently off the VPN, they can try logging in and guessing their password as many times as they want, without getting locked out. Unfortunately, if they are off the VPN, there is no way a password reset in AD on our end will have any effect.
However, you can walk them through the steps to log into the computer as the local administrator account and connect to Sophos Connect to get on the VPN, then the computer will be able to talk to AD for password resets.
Here is a quick guide:
1) Reset user's password in AD, unselect "User must change password at next login" and select "Password never expires".
2) Find LAPS password (current steps here: https://fmhc.freshdesk.com/a/solutions/articles/47001108769). If LAPS password is not there then use the default password (10in...). You can also change the administrator password in Sophos Live Response Command Prompt (net user administrator * press Enter)
3) Find the Duo passcode in the ServiceAccountPassCodes KeePass database (see the FFLMISAdmin KeePass database for the password to log into the ServiceAccountPassCodes DB). Open the Server Administrator passcode.
4) Call the user. At the Windows sign in screen, select "Other User" -> .\administrator, enter LAPS password then Duo passcode at the prompts.
5) Connect to Sophos Connect VPN using user's username and password that you reset earlier.
6) Once connected to VPN, Switch User (do not sign out - you have to keep admin signed in to still be on VPN).
7) Make sure user is using their username and password that you reset earlier.
8) Once signed in and connected to VPN, uncheck "Password never expires" in AD and ask user to change password and add it to their records.
Good job
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article