UPDATE USER ACCESS WITHOUT LOGOFF / LOGON / RESTART

INTRODUCTION

Kerberos tickets are refreshed when they expire (the default ticket lifetime is 10 hours), when the user logs on interactively, or when the computer boots while connected to the corporate network.

BACKGROUND

The Kerberos authentication protocol is more secure and efficient than the legacy NTLM protocol. However, when an administrator changes the group membership of an Active Directory user or computer object, the change does not take effect until the user logs off and logs on again or the computer is restarted, because the group SIDs are placed in the logon token and in the ticket's PAC at authentication time.


Granting Temporary Admin Rights to Users

INTRODUCTION

SYNERGIX AD Client Extensions allows domain users to hold elevated privileges for a specific duration (the default is 60 minutes). This is particularly useful when a user must install a legacy application or a local printer driver.

The software includes a Group Policy Administrative Template file that makes the feature easy to configure. Once the GPO is in place, the systems administrator only needs to add the domain user account to a specific Active Directory security group (the default is “SYNERGIX ADCE Managed Domain Users – Apply Users”). Computers such as scientific lab PCs or other special-purpose PCs can be excluded by adding their computer accounts to another security group (the default is “SYNERGIX ADCE Managed Domain Users – Deny Computers”). As with any group membership change, a logon session that already exists keeps its original token; the elevated rights are visible to processes started after the next logon or re-authentication, and they should be revoked again when the time window ends.
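The following is an added example of the underlying mechanism, not SYNERGIX code and not a description of how the product implements it: it grants a domain user membership in the local Administrators group and registers a Task Scheduler job that revokes it after the page's 60-minute default. It assumes an elevated PowerShell 5.1 session on a Windows 10 or later workstation (the LocalAccounts cmdlets are not present on older releases); the task name prefix and the sample account are placeholders.

```powershell
# Added example (not SYNERGIX code): temporary local admin membership with a
# scheduled, self-deleting revoke task. Assumes an elevated session on Windows 10+.
function Grant-TemporaryLocalAdmin {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $UserName,   # e.g. 'CONTOSO\jdoe' (placeholder)
        [int] $DurationMinutes = 60                   # the page's default window
    )
    $group = 'Administrators'

    # Practitioner check: refuse to touch an existing permanent member. Scheduling a
    # revoke for them would silently strip rights this script never granted.
    $already = Get-LocalGroupMember -Group $group -ErrorAction Stop |
               Where-Object { $_.Name -eq $UserName }
    if ($already) { throw "$UserName is already a member of $group; not scheduling a revoke." }

    Add-LocalGroupMember -Group $group -Member $UserName -ErrorAction Stop

    # Hypothetical task name; one task per granted user.
    $taskName = "TempAdmin-Revoke-$($UserName -replace '[\\@]', '_')"
    $revokeAt = (Get-Date).AddMinutes($DurationMinutes)

    # The revoke action removes the membership and then deletes its own task.
    $command = "Remove-LocalGroupMember -Group '$group' -Member '$UserName' -ErrorAction SilentlyContinue; " +
               "Unregister-ScheduledTask -TaskName '$taskName' -Confirm:`$false"
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -Command `"$command`""
    $trigger   = New-ScheduledTaskTrigger -Once -At $revokeAt
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    # StartWhenAvailable: if the laptop is asleep at $revokeAt, the revoke runs late
    # rather than never, so the elevation does not become permanent by accident.
    $settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable `
                 -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

    Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Force | Out-Null

    [pscustomobject]@{ User = $UserName; Group = $group; RevokeAt = $revokeAt; Task = $taskName }
}

# Usage (placeholder account):
# Grant-TemporaryLocalAdmin -UserName 'CONTOSO\jdoe' -DurationMinutes 60
```

The user's current session does not see the new membership; a process started after the next logon (or an elevation prompt that re-authenticates) carries the Administrators SID. Because the revoke runs as SYSTEM from the local task store, it still fires when the laptop is off the corporate network.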

Making Drive Maps Work Over VPN Connection

INTRODUCTION

Group Policy preferences expand the range of configurable settings within a Group Policy object (GPO). These extensions appear in the Group Policy Management Editor under the Preferences item. Examples of Group Policy preference extensions include folder options, mapped drives, printers, scheduled tasks, services, and Start menu settings.

BACKGROUND

Some Group Policy preference items, for example Drive Maps, are processed in the foreground, that is, only when the user logs on interactively while connected to the corporate network. This very useful feature reaches its limit when the scope is expanded to remote users who connect with VPN client software, or to laptop users who resume from standby on the corporate network: no interactive logon happens at that point, so the drives are never mapped.
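The script below is an added example and not part of the original post or of SYNERGIX AD Client Extensions. It shows the part of the problem a logon-time preference skips: waiting for a domain controller to become reachable (the VPN tunnel is often still settling when a script starts) and only then mapping drives persistently with the session's existing domain credentials. The share paths and timeout are placeholders; it must run in the user's own logon session (for example from a task set to run only when the user is logged on), because a persistent mapping belongs to that session.

```powershell
# Added example (not SYNERGIX code): map drives once a DC answers, for use when
# the VPN comes up or the laptop resumes. Paths below are placeholders.
function Connect-CorporateDrives {
    [CmdletBinding()]
    param(
        [hashtable] $Drives = @{
            'H' = '\\fs01.corp.example\home$\%USERNAME%'   # placeholder share
            'S' = '\\fs01.corp.example\shared'             # placeholder share
        },
        [int] $TimeoutSeconds = 120
    )

    # 1. Wait until a domain controller is reachable. Mapping immediately would
    #    fail on a laptop whose tunnel is not yet passing traffic.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    $dc = $null
    do {
        try {
            $dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController()
        } catch {
            Start-Sleep -Seconds 5
        }
    } until ($dc -or (Get-Date) -gt $deadline)
    if (-not $dc) { throw "No domain controller reachable within $TimeoutSeconds s; drives not mapped." }

    foreach ($letter in $Drives.Keys) {
        $path = [Environment]::ExpandEnvironmentVariables($Drives[$letter])

        # 2. Drop a stale mapping left over from the previous offline session so it
        #    does not shadow the refreshed one.
        if (Get-PSDrive -Name $letter -ErrorAction SilentlyContinue) {
            Remove-PSDrive -Name $letter -Force -ErrorAction SilentlyContinue
        }

        # 3. -Persist makes the mapping visible in Explorer and outlive this process.
        New-PSDrive -Name $letter -PSProvider FileSystem -Root $path -Persist -Scope Global -ErrorAction Stop | Out-Null
        Write-Verbose "Mapped ${letter}: -> $path (DC: $($dc.Name))"
    }
}

# Usage:
# Connect-CorporateDrives -Verbose
```

If the mapping fails with an access-denied error even though the DC is reachable, the usual cause is that the session's cached password is out of date, which is the credential-synchronization problem discussed further down this page.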


Refresh Kerberos Tickets Without Logon or Restart

INTRODUCTION

Kerberos tickets are refreshed when they expire (the default ticket lifetime is 10 hours), when the user logs on interactively, or when the computer boots while connected to the corporate network.


BACKGROUND

The Kerberos authentication protocol is more secure and efficient than the legacy NTLM protocol. However, when an administrator changes the group membership of an Active Directory user or computer object, the change does not take effect until the user logs off and logs on again or the computer is restarted: the group SIDs are written into the logon token and into the ticket's PAC when the session is authenticated, and neither is rebuilt for a running session. Running klist purge makes the next ticket request pick up the new membership for remote resources, but the local token, and therefore local rights such as membership in the computer's Administrators group, still waits for a new logon.
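As a check for the situation described in this post and in the UPDATE USER ACCESS post at the top of the page, the following added example (not SYNERGIX code) compares the group SIDs baked into the current logon token with the membership a domain controller reports right now, and lists what is waiting for the next logon. It uses only ADSI and .NET, so no RSAT module is needed; it assumes the current user is a domain account and a domain controller is reachable.

```powershell
# Added example (not SYNERGIX code): which group changes are pending a new logon?
# Compares the token's domain group SIDs with AD's current tokenGroups view.
function Resolve-SidToName {
    param([string] $Sid)
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Sid }   # deleted or untranslatable group: keep the raw SID
}

function Compare-TokenGroupsWithDirectory {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # Group SIDs fixed in the access token when this session was created.
    # Only S-1-5-21-* (account domain) SIDs are compared; BUILTIN, NT AUTHORITY
    # and integrity SIDs are local to the machine and never appear in AD.
    $tokenSids = @($identity.Groups |
        Where-Object { $_.AccountDomainSid } |
        ForEach-Object { $_.Value })

    # tokenGroups is a constructed attribute: the DC's current, nesting-expanded
    # membership for the user, including the primary group.
    $searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$($env:USERNAME)))"
    $result   = $searcher.FindOne()
    if (-not $result) { throw "User $($env:USERNAME) not found in the domain." }
    $entry = $result.GetDirectoryEntry()
    $entry.RefreshCache([string[]]@('tokenGroups'))
    $dirSids = @($entry.Properties['tokenGroups'] | ForEach-Object {
        (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value })

    [pscustomobject]@{
        # Added in AD after logon: effective for new service tickets after
        # 'klist purge', but absent from the local token until the next logon.
        PendingAdd    = @($dirSids   | Where-Object { $tokenSids -notcontains $_ } | ForEach-Object { Resolve-SidToName $_ })
        # Removed in AD after logon: the running session keeps these until logoff.
        PendingRemove = @($tokenSids | Where-Object { $dirSids   -notcontains $_ } | ForEach-Object { Resolve-SidToName $_ })
    }
}

# Usage:
# Compare-TokenGroupsWithDirectory
```

An empty PendingAdd and PendingRemove means a logoff would change nothing; anything listed under PendingRemove is a right the user still effectively holds on this machine, which is the security-relevant half of the problem.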

Administrators and users have grown used to this routine; however, there is a more efficient way to improve the Windows user experience.

RESOLUTION

How to Synchronize Expired Active Directory Credentials

INTRODUCTION

Expired Active Directory user credentials that were changed by the administrator through the Active Directory management console, or by the user through Citrix Access Gateway Advanced Access Control over the VPN tunnel, are not updated on the client Windows XP computer.

BACKGROUND

Locally cached domain credentials are not changed through the Access Gateway Advanced Access Control VPN tunnel. The computer does not contact a domain controller through the tunnel for this purpose, so the cached domain credentials are not updated until the user logs off and logs on to the domain again. Locking and then unlocking the workstation while the tunnel is up and a domain controller is reachable is a lighter-weight way to force that update, because the unlock is authenticated against the domain controller and the cache is rewritten with the new credentials.

Integrating Truecrypt with Active Directory

Not claiming any subject matter expertise in cryptography, but merely looking at TrueCrypt as a potential candidate for enterprise use and at the challenges faced by systems administrators managing such a tool.

(1) Asking users to change the TrueCrypt (full disk encryption) password whenever they change their domain account password every 60 or 90 days. Ideally, if the same password is used for both the Active Directory domain account and for TrueCrypt, it can reduce support calls. The trade-off is that a single secret then protects both the domain account and the disk, so a compromise of one exposes the other.

(2) Allowing an IT security officer to recover the data when the password is forgotten.

From zero to boot in 0 seconds

INTRODUCTION

Simply leave your Microsoft(R) Windows(TM) computer powered on, the way you leave your smartphone on all the time. That is going from zero to boot in 0 seconds! But it comes with a catch, or rather with a lot of problems that your systems administrators do not want to deal with.

BACKGROUND

If your computer could detect a network connection to your corporate network and perform the tasks that are skipped during a cached-profile (off-network) logon, you would have a Windows system that is up and running 24 x 7.

Changing domain password over VPN

INTRODUCTION

In an Active Directory environment, the default domain policy, specifically the password expiration policy, can cause resource access problems for VPN users, who typically log on with cached credentials. When their password is about to expire they receive no password change notification, so the password eventually expires and the user can no longer authenticate to domain resources. Strictly speaking an expired password does not lock the account; lockouts follow when a VPN client, a mapped drive or a saved credential keeps presenting the old password and exhausts the bad-password threshold.

BACKGROUND

This issue is resolved by the users calling the help desk to have their password reset. These service requests translate into lost productivity and potential disruption of service to business users. Sending e-mail notifications is an option, but it is not an effective way to get domain passwords changed over VPN. Users learn to treat recurring notifications as spam and start to ignore them. Even otherwise, a significant number of remote users read such notifications while offline and then procrastinate, because the change requires them to re-establish the VPN connection first.
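The following added example (not SYNERGIX code and not part of the original post) reads the password expiry the domain controller has computed for the current user and classifies it, so a script that runs when the VPN is up can warn the user while a change is still possible. It uses ADSI only; the 14-day warning threshold is a placeholder, and the must-change case relies on the attribute being 0 when pwdLastSet is 0.

```powershell
# Added example (not SYNERGIX code): how long until the domain password expires?
# Reads msDS-UserPasswordExpiryTimeComputed for the current user via ADSI.
function Get-DomainPasswordExpiry {
    [CmdletBinding()]
    param([int] $WarnDays = 14)   # placeholder threshold

    $searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$($env:USERNAME)))"
    # Constructed attributes are only returned when asked for explicitly.
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('msDS-UserPasswordExpiryTimeComputed'))
    $r = $searcher.FindOne()
    if (-not $r) { throw "User $($env:USERNAME) not found in the domain (is a DC reachable?)." }

    $prop = $r.Properties['msds-userpasswordexpirytimecomputed']   # result keys are lowercase
    if (-not $prop -or $prop.Count -eq 0) { throw 'Expiry attribute not returned by the DC.' }
    $raw = [int64]$prop[0]

    $expires = $null; $days = $null
    if ($raw -eq [int64]::MaxValue) {
        $state = 'Never'          # "password never expires" or no expiry policy applies
    } elseif ($raw -le 0) {
        $state = 'MustChange'     # pwdLastSet is 0: must change at next logon
    } else {
        $expires = [datetime]::FromFileTime($raw)
        $days    = [math]::Round(($expires - (Get-Date)).TotalDays, 1)
        $state   = if ($days -lt 0) { 'Expired' } elseif ($days -le $WarnDays) { 'Warn' } else { 'Ok' }
    }

    [pscustomobject]@{ User = $env:USERNAME; State = $state; ExpiresAt = $expires; DaysLeft = $days }
}

# Usage, e.g. from a task that runs when the VPN comes up:
# $e = Get-DomainPasswordExpiry
# if ($e.State -in 'Warn','Expired','MustChange') {
#     Write-Warning "Domain password state: $($e.State). Press Ctrl+Alt+Del > Change a password while the VPN is connected."
# }
```

Changing the password from the client itself (Ctrl+Alt+Del while a domain controller is reachable) also rewrites the locally cached credential, which a change made by the help desk on the server side does not.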


Group Policy Updates

INTRODUCTION

Group Policy is applied when the computer starts up and when the user logs on, and after that in the background every 90 minutes (plus a random offset of up to 30 minutes) on a domain member. This works well for LAN-connected computers. Remote computers, however, generally start up without a connection to the corporate network, and the user logs on with cached credentials, so the event-based Group Policy refreshes are missed completely. The user then has to stay logged on over the VPN connection for an extended period (up to the 90-minute interval) before the policies are downloaded and applied. The result is that remote computers are left in an unpredictable state, and the administrator can never be sure that a Group Policy update has been applied on every remote computer.
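The script below is an added example, not SYNERGIX code and not the product's method. It ties a user policy refresh to the moment the machine gets a network connection, instead of waiting for the background timer, and adds a check an administrator can run to see when user policy last applied successfully. It registers a task in the logged-on user's context with an event trigger on event 10000 ("network connected") in the Microsoft-Windows-NetworkProfile/Operational log, which fires for VPN adapters as well; the task name and the 30-second delay are placeholders, and narrowing the XPath to a specific adapter is left to the reader. The Group Policy operational log event IDs used in the check are 8001, 8003 and 8005 (user policy processing completed for logon, periodic and manual refresh respectively).

```powershell
# Added example (not SYNERGIX code): refresh user Group Policy on network connect,
# and report the last successful user policy refresh. Run as the logged-on user.
function Register-GpRefreshOnConnect {
    param([string] $TaskName = 'Refresh-UserPolicy-OnConnect')   # placeholder name

    # New-ScheduledTaskTrigger has no event trigger; build one through CIM.
    $class   = Get-CimClass -Namespace 'Root/Microsoft/Windows/TaskScheduler' -ClassName MSFT_TaskEventTrigger
    $trigger = New-CimInstance -CimClass $class -ClientOnly
    $trigger.Enabled = $true
    $trigger.Subscription = @'
<QueryList><Query Id="0" Path="Microsoft-Windows-NetworkProfile/Operational">
  <Select Path="Microsoft-Windows-NetworkProfile/Operational">*[System[EventID=10000]]</Select>
</Query></QueryList>
'@
    # Give DNS and DC location a moment to settle before gpupdate looks for a DC.
    $trigger.Delay = 'PT30S'

    $action    = New-ScheduledTaskAction -Execute 'gpupdate.exe' -Argument '/target:user /wait:120'
    # Interactive logon type: runs in this user's session, no stored password needed.
    $principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" -LogonType Interactive
    # Ignore a second connect event while a refresh is still running.
    $settings  = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
                 -ExecutionTimeLimit (New-TimeSpan -Minutes 10)

    Register-ScheduledTask -TaskName $TaskName -Trigger $trigger -Action $action `
        -Principal $principal -Settings $settings -Force
}

function Get-UserPolicyRefreshStatus {
    # Last successful user policy processing and the most recent error (Level 2)
    # from the Group Policy operational log, so "did it apply?" has an answer.
    $log = 'Microsoft-Windows-GroupPolicy/Operational'
    $ok  = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8001, 8003, 8005 } -MaxEvents 1 -ErrorAction SilentlyContinue
    $err = Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2 }            -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LastUserPolicySuccess = $ok.TimeCreated
        LastError             = $err.TimeCreated
        LastErrorMessage      = $err.Message
    }
}

# Usage:
# Register-GpRefreshOnConnect
# Get-UserPolicyRefreshStatus
```

gpupdate without /force only re-applies GPOs whose version changed, which is the desired behaviour here; computer policy needs a separate task that runs as SYSTEM with /target:computer, and foreground-only extensions (such as software installation) still require a logon or restart to apply.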