Hi Jim. I've got the impression that an off-line reset would be synced to AD after re-connecting to the domain, right? If so, the customer asks if the timestamp will be when the off-line reset occurred or will it be when the sync happens?
My impression was for *Offline password reset* steps:
1. internet. user logs in to http://PM/PMUser | chooses option 'Offline password reset' | answers Q/A | resets new password (call to AD/pwdLastSet timestamp set) and gets issued randomly generated PC token=F(PC$ client ID).
2. PC$ offline. user logs into PC$: Windows Logon Screen | Option PM Offline Reset | input (PC token + new password): user logs into PC$ and password hash is reset to the new one
3. PC$ in corp network (VPN, or in the office): user logs in with AD authentication, triggers PC$ local password hash to be reset and synced.
Again (1) will do the pwdLastSet.
When you reset the password via user web interface, the reset password timestamp will be the time when you reset it in web UI. The offline password reset will update the local cache on the workstation and later when you connect it to the network it will synchronize the passwords. The local cache on the workstation gets updated. It does not change anything in the domain.
Ah. So the user needs to (yet again) reset the password using PM after a re-connect to the AD domain since it will be reset to the password the user had before the off-line reset. By logging on to the PM portal when doing an off-line reset, the user will not enter a new password in the portal, just retrieve the challenge response. The new password is only entered into the off-line computer.
Am I understanding this correctly now?
cheers, Ingvar :-)
No. They do not need to reset their password again after re-connecting to the AD domain.
When the user enters the challenge code on the PM portal they must also reset their password in AD.
They then enter the response code and the same password into the offline computer.
When the offline computer is reconnected to the domain the passwords are the same but the timestamp on the computer is sync’d with the timestamp in AD.
They do not have to reset the password again.
For full details on each of the process steps please see support.quest.com/.../30
And scroll down to “Allow users to reset passwords offline”