Active Directory Password Changes using GlobalProtect
AD policies and passwords
Enabling password change for remote users
Workarounds using GlobalProtect VPN tunnel
GlobalProtect supports two configuration options that give remote users the access they need to change their AD password:
- A pre-logon connect method that creates a machine-level VPN tunnel using a machine certificate.
- GlobalProtect authentication override, which enables cookie-based authentication.
Using one of these options, you can prevent remote users from being locked out when they forget their password or when their password expires.
A remote user may try to change or update their password at two different times:
- At the time of logging in to the Windows system
- After logging in to the Windows system
Enabling remote users to change their password at Windows login
Pre-logon is one of the Connect Methods supported by GlobalProtect. Pre-logon enables GlobalProtect to establish a VPN tunnel using a machine certificate on the user’s endpoint (computer, laptop, or notebook). This connection method establishes a pre-logon tunnel immediately after the system boots up and before the user logs in. If the enterprise AD is accessible over this pre-logon tunnel, remote users can log in to the domain with a temporary password or use the Change Password option that's natively available on the Windows login screen to update their passwords.
Changing AD password on Windows 7:
Changing AD password on Windows 8 and 10:
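Pre-logon depends on a machine certificate being present and usable before any user logs in. The following PowerShell script is an added example, not part of the original article or Palo Alto Networks documentation; it checks whether the endpoint holds such a certificate. The issuer name is a placeholder, and the script assumes the portal and gateway are configured to trust that CA.

```powershell
# Added example, not part of the original article: check whether this endpoint holds a
# machine certificate that a GlobalProtect pre-logon tunnel could present.
# Assumptions (not from the article): the issuer name below is a placeholder, and the
# portal/gateway are configured to trust that CA. Run in an elevated PowerShell session.
param(
    [string]$IssuerPattern = 'EXAMPLE Issuing CA',   # placeholder issuer; match your PKI
    [int]$WarnDays = 30                              # flag certificates expiring within this window
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication extended key usage
$now = Get-Date

# Machine certificates live in the LocalMachine\My store. Pre-logon runs before any
# user logs in, so a certificate in a user's personal store would not be usable here.
# A certificate with no EKU extension at all is valid for any purpose and is kept.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and
    $_.NotAfter -gt $now -and
    $_.Issuer -like "*$IssuerPattern*" -and
    ((-not $_.EnhancedKeyUsageList) -or ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid))
}

if (-not $candidates) {
    Write-Warning "No valid machine certificate from '$IssuerPattern' with a private key and Client Authentication EKU was found; pre-logon cannot establish a tunnel."
    exit 1
}

foreach ($cert in $candidates) {
    $daysLeft = [math]::Floor(($cert.NotAfter - $now).TotalDays)
    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        Status     = if ($daysLeft -le $WarnDays) { 'ExpiringSoon' } else { 'OK' }
    }
}
```

Run it as an administrator on an endpoint where pre-logon is failing: an empty result or an `ExpiringSoon` status points at the certificate rather than at the portal or gateway configuration.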
Enabling remote users to change password after logging in to Windows
- Configure the GlobalProtect portal to generate a cookie and accept the cookie for authentication.
- Configure at least one GlobalProtect gateway to accept the cookie for authentication.
- Set the cookie lifetime to the period for which you want the user to remain able to log in to this gateway after their password has expired.
With this configuration, a remote user whose password has expired can still connect to this gateway using the cookie for as long as the cookie is valid. After the tunnel is established, remote users can reach the enterprise Active Directory and change their passwords by pressing Ctrl + Alt + Delete and using the Change Password option.
For more information on cookie-based authentication, refer to Enhanced Two-Factor Authentication.
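Because the cookie only helps a user whose password expired while a cookie issued earlier is still within its lifetime, administrators benefit from knowing in advance whose password is about to expire. The following PowerShell script is an added example, not part of the original article or Palo Alto Networks documentation; it reports enabled users whose password has expired or expires within the configured cookie lifetime. It assumes the ActiveDirectory RSAT module is installed, and the OU and cookie lifetime values are placeholders.

```powershell
# Added example, not part of the original article: report domain users whose AD password
# has expired or will expire within the portal's cookie lifetime, so administrators can
# remind remote users to change it while they can still authenticate normally.
# Assumptions (not from the article): the ActiveDirectory RSAT module is installed, the
# search base is a placeholder OU, and $CookieLifetimeDays is set to match the portal.
param(
    [int]$CookieLifetimeDays = 15,                               # placeholder; match your portal's cookie lifetime
    [string]$SearchBase = 'OU=RemoteUsers,DC=example,DC=com'     # placeholder OU
)

Import-Module ActiveDirectory

$neverExpires = [int64]::MaxValue   # attribute value when no password expiry applies
$now = Get-Date

Get-ADUser -Filter "Enabled -eq 'True'" -SearchBase $SearchBase `
    -Properties 'msDS-UserPasswordExpiryTimeComputed', 'PasswordLastSet' |
ForEach-Object {
    $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
    # Skip accounts whose password never expires (or where the value is missing);
    # FromFileTime would throw on the sentinel value.
    if ($null -eq $raw -or $raw -eq $neverExpires) { return }

    # A value of 0 yields a 1601 date and is therefore reported as Expired.
    $expires  = [datetime]::FromFileTime($raw)
    $daysLeft = [math]::Floor(($expires - $now).TotalDays)

    $status = if ($daysLeft -lt 0) {
        # Already expired: this user can only connect with a cookie issued before
        # expiry that is still within its lifetime, or through a pre-logon tunnel.
        'Expired'
    } elseif ($daysLeft -le $CookieLifetimeDays) {
        'ExpiresWithinCookieLifetime'
    } else {
        'OK'
    }

    if ($status -ne 'OK') {
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            PasswordLastSet = $_.PasswordLastSet
            PasswordExpires = $expires
            DaysLeft        = $daysLeft
            Status          = $status
        }
    }
} | Sort-Object DaysLeft
```

A long list of `Expired` accounts is also a signal to revisit the cookie lifetime: the longer the cookie is valid, the longer a stolen or copied cookie can be used without the user's password, so keep the lifetime to the shortest period that still covers the expected gap between a password expiring and the user changing it.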
Workarounds to enable remote users to change AD passwords using GlobalProtect
GlobalProtect to enable remote users to change their Active Directory passwords.
- The pre-logon connection method is particularly useful if the user is logging into the domain for the first time or has a temporary password for the domain.
- The authentication override is useful if the user's password has expired and the user is still able to log in to the endpoint using cached credentials.
For more information on GlobalProtect, please see the following articles: