Remotely Managing Expiring Active Directory Passwords

Written by Zach DeMeyer on May 11, 2020


Password expiration, although no longer required by NIST guidelines, is a common security practice required by many of today’s organizations. Many of these organizations also leverage Microsoft® Active Directory® as their on-premises directory service.

Following the global shift to a remote workforce, IT administrators that use Active Directory (AD) and enforce password expiration encounter an unfortunate revelation: Remotely managing expiring AD passwords is tedious and time consuming. Instead of solving this problem manually, organizations can leverage a solution that extends their AD infrastructure through a cloud directory service to simplify remote password management.

Before talking about that solution, however, let’s first talk about the problem of remote AD password management and how IT admins can tackle it.

Managing AD Passwords Remotely

In order to update AD passwords on remote systems, users generally need to request support from their admin via a help desk ticket to change the password in AD. Admins then use virtual private networks (VPNs) to push changes to the AD domain controller (DC), and end users connect to the DC via VPN from their remote systems to pick up the new changes.

In addition, some organizations let their users change their own passwords via Ctrl+Alt+Del on their Windows® machine. Once the end user checks in with the DC(s) over a VPN, the locally cached password is updated, and the end user then simply needs to lock and unlock their computer for the change to fully take effect.

Managing Remote AD Password Expirations

If their password expires before they’ve checked back in with the domain controller, however, the user will be locked out of their machine and unable to access the VPN. At that point, the admin will need to intervene. Even leveraging Microsoft’s cloud solution, Azure® Active Directory®, to manage on-prem identities remotely can end in lockout upon expiration due to similar limitations.
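As an added example that is not part of the original article, the following PowerShell (assuming the RSAT ActiveDirectory module, rights to read user attributes, and a host that can reach a DC) lists enabled users whose AD passwords expire within a chosen window, together with the last time a DC saw them, so the help desk can reach remote users before the lockout described above rather than after it.

```powershell
# Added example (not from the original article): report enabled AD users whose
# password expires within the next N days, with when a DC last saw them, so
# remote users can be warned before an expiration lockout.
# Assumes the RSAT ActiveDirectory module and read access to user attributes.
Import-Module ActiveDirectory

function Get-ExpiringRemotePasswords {
    param(
        [int]$WithinDays = 14,
        [string]$SearchBase = $null   # optional OU distinguished name to scope the query
    )
    $now    = Get-Date
    $cutoff = $now.AddDays($WithinDays)
    $query = @{
        Filter     = 'Enabled -eq $true -and PasswordNeverExpires -eq $false'
        Properties = 'msDS-UserPasswordExpiryTimeComputed', 'LastLogonDate',
                     'PasswordLastSet', 'EmailAddress'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADUser @query | ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        # 0 (must change at next logon) or Int64.MaxValue (no expiry) carry no usable date.
        if (-not $raw -or $raw -eq [Int64]::MaxValue) { return }
        $expires = [DateTime]::FromFileTime($raw)
        if ($expires -le $cutoff) {
            [PSCustomObject]@{
                SamAccountName  = $_.SamAccountName
                Email           = $_.EmailAddress
                PasswordLastSet = $_.PasswordLastSet
                ExpiresOn       = $expires
                # Negative DaysLeft means the password has already expired.
                DaysLeft        = [math]::Floor(($expires - $now).TotalDays)
                # LastLogonDate is replicated only about every 14 days; treat it as approximate.
                LastSeenByDC    = $_.LastLogonDate
            }
        }
    } | Sort-Object ExpiresOn
}

# Usage: warn 14 days ahead; entries with negative DaysLeft are already locked out.
Get-ExpiringRemotePasswords -WithinDays 14 | Format-Table -AutoSize
```

A user whose LastSeenByDC is older than their DaysLeft is the case the text warns about: their password will lapse before the next check-in unless they are contacted first.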

What’s more, organizations leveraging AD on-prem often need additional tooling like web application single sign-on (SSO) to manage their remote user base’s access to non-domain resources. An AD password expiration lockout means that they lose access to these resources, too.

Finding a Better Solution

To remotely manage their AD instance and extend its identities without VPNs or additional tooling, IT organizations can use a cloud directory service that integrates with AD through a feature called Active Directory Integration.

AD Integration

Organizations using Active Directory can apply AD Integration (ADI) to their domain controllers to create a constant VPN-less connection between them and end user workstations. Admins then leverage the cloud directory service, or Directory-as-a-Service®, to remotely control their AD users and groups.

In order to manage expiring passwords, end users can fulfill password change requests from the cloud Directory-as-a-Service console. Even better, organizations can allow end users to change their passwords themselves directly from their systems, providing both convenience and anti-phishing benefits. Neither option requires a VPN connection.

Admins using ADI can also leverage Directory-as-a-Service to extend their on-prem AD identities to non-domain resources, like macOS® and Linux® systems, web apps, Infrastructure as a Service (IaaS), and more. In essence, AD Integration replaces the need for almost any tool that IT admins use to bolster their Active Directory instance.

Learn More

If you’d like to learn more about using Active Directory Integration for remotely managing expiring AD passwords or extending identities, check out our whitepaper.

For more resources about remote work best practices, check out our Solutions page.
