
Syncing Active Directory Passwords Remotely: Two Common Problems

Written by Sean Blanton on May 25, 2021


With remote work dominating during the global COVID crisis, a key issue IT organizations have been facing is how to update Active Directory passwords. Generally, after 90 days, the password within AD needs to be updated, and if this isn’t done the end user can be completely detached from the domain. Most IT admins haven’t had to deal with this issue very often, because most users were in the office and connected to the domain, so historically it was simple to handle; with remote work, however, this problem can present quite a challenge to the end user and employee.

Generally, Microsoft Active Directory (AD) passwords are updated over a VPN. It seems like these two pieces of core infrastructure (AD and a VPN) should work together seamlessly, but usually they don’t integrate as you’d expect. We’ll address two common challenges below: syncing a user’s local OS password with their AD domain password remotely (which often requires a VPN), and syncing VPN authentication/access with AD to minimize the number of sets of credentials a user must manage.

Problem 1: Remote User Password Resets with AD via VPN

Your organization’s security rules may require users to change their AD passwords every 90 days. And every 90 days, that on-prem rotation leaves your remote employees in the dust – which today constitutes just about everybody. They’re glad they rarely have to come into the office, but then they’re frustrated when they find that their domain password has expired. Many times in this scenario an end user could be locked out of their machine, and if their AD password is the same as their VPN password, they can’t log in to the domain at all and are completely locked out. Now you’re on the phone with one of them, and you have to talk through the fix. This is an especially acute problem with macOS endpoints.

Assuming that the user can still log in to their machine, they will need to:

  1. Connect to their organization’s infrastructure via a VPN. This connection provides access to the on-prem directory, Active Directory.
  2. Next, log off of the machine. (As long as the VPN client is running as a service, logging off shouldn’t interrupt the session.)
  3. Now the user can log back onto the device with their updated credentials, at which point the device receives the new password from AD.

This solution can be confusing because the user needs their old credentials to gain initial access to AD so that AD can then sync the new credentials to the device. It’s not a particularly efficient process, but it works. For Macs, though, this process is far from seamless. And, as stated above, if the user’s VPN password has expired as well, the user will likely need your intervention to get back up and running.
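The workaround above only works while the user still holds a valid password, so the practical defence is to find remote users before the 90-day rotation hits. The following PowerShell is an added example, not part of the original article: it reads the domain-computed expiry time of each enabled account and lists those expiring within a warning window. It assumes the RSAT ActiveDirectory module and a reachable domain controller; the OU path is a placeholder.

```powershell
# Added example (not from the original article): report enabled AD users whose
# passwords expire within $WarnDays so the help desk can contact remote users
# while they can still authenticate over the VPN and run the log-off/log-on fix.
# Assumes RSAT ActiveDirectory module; run from a domain-joined admin host.
#Requires -Modules ActiveDirectory
param(
    [int]$WarnDays = 14,         # assumption: warn two weeks ahead of expiry
    [string]$SearchBase = $null  # optional OU, e.g. "OU=Remote,DC=corp,DC=example" (placeholder)
)

Import-Module ActiveDirectory

# msDS-UserPasswordExpiryTimeComputed is calculated by the DC and already
# accounts for fine-grained password policies, unlike PasswordLastSet + maxAge.
$query = @{
    Filter     = 'Enabled -eq $true -and PasswordNeverExpires -eq $false'
    Properties = 'msDS-UserPasswordExpiryTimeComputed', 'PasswordLastSet', 'mail'
}
if ($SearchBase) { $query.SearchBase = $SearchBase }

$now = Get-Date
$expiring = Get-ADUser @query | ForEach-Object {
    $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
    # 0 or Int64.MaxValue means the password never expires (policy exemption)
    if (-not $raw -or $raw -eq [Int64]::MaxValue) { return }
    $expires  = [DateTime]::FromFileTime($raw)
    $daysLeft = [math]::Floor(($expires - $now).TotalDays)
    if ($daysLeft -le $WarnDays) {
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            Mail            = $_.mail
            PasswordLastSet = $_.PasswordLastSet
            ExpiresOn       = $expires
            DaysLeft        = $daysLeft   # negative = already expired; needs helpdesk
        }
    }
}

# Already-expired accounts sort first so they get handled before the window closes on others.
$expiring | Sort-Object DaysLeft | Format-Table -AutoSize
```

On the user's side, while connected to the VPN, `net user $env:USERNAME /domain` shows the same "Password expires" date, which is a quick way to confirm over the phone whether the old password is still usable.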


Problem 2: Sync VPN Access with AD Credentials 

When security measures start to hamstring a user’s workflow, that user is more likely to bypass them and compromise your network for the sake of efficiency. We see this constantly with login credentials: people get overwhelmed by the number of passwords to their basic IT resources and start to duplicate passwords or store them insecurely. Research on the human factor in identity security indicates that even users who are informed about the risks will sometimes sacrifice security in the name of convenience, especially when they feel the consequences of a breach wouldn’t impact them personally.

(To learn more about how well-meaning employees on the inside of organizations have gradually become one of the weakest links in IT security, check out our article on Why It’s Time to Take Identity Security Seriously. We also have tips for training employees to be more vigilant in Security Training 101.)

With this human bias toward convenience in mind, it’s no wonder that you and your IT team are working diligently to reduce the number of passwords needed, while increasing their security and strength. VPN access is among the most annoying of these sticking points, so naturally you want to sync AD credentials with your VPN access. In this scenario, a user’s AD credentials would also grant them VPN access, and the two authentication systems would always stay synced, even after password changes and updates. Unfortunately, a DIY solution that fully achieves this ends up being easier said than done.

An Elegant Solution to Sync AD with VPN

Given the above roadblocks to syncing AD with a VPN, you might be wondering what a more streamlined solution would look like. Instead of building patches that solve each specific problem individually, what if you could zoom out and fundamentally modernize the way Active Directory passwords sync with your VPN, solving both of these problems at once? A cloud-based directory service could integrate with Active Directory to offer different sets of solutions based on your needs.

Learn more about how 探花大神 AD Integration works to maximize your network’s security and efficiency. Or, if you’d rather see how this all looks from the driver’s seat, you can and integrate your AD credentials with your non-domain-bound IT infrastructure.

Sean Blanton

Sean Blanton is the Director of Content at 探花大神 and has spent the past decade in the wide world of security, networking, IT, and infosec administration. When not at work, Sean enjoys spending time with his young kids and geeking out on tabletop games.
