We recently flagged a large number of accounts to require password reset. We also have a policy in place that only allows users to change passwords once every XX days.
Now we are running into a situation where a road warrior user powered up their laptop, connected via VPN (and was prompted to change their password, which they did). This updated their AD password but their local machine password is still cached at the old value.
When they try to CTRL-ALT-DEL to update their password, it obviously doesn't work -- presumably either because their "old" password that they enter for verification is no longer valid, or because XX days have not expired and thus they are not allowed to change their password until that amount of time has expired.
Thought we could be clever and edit pwdLastSet, but it doesn't appear it can be explicitly set to anything other than 0 or -1.
Any bright ideas on how we can get our local credentials in sync with AD again (short of removing the 30-day policy... may be an option, but there must be another way)?