sean_powell
New Contributor

User reset password

I've tried looking, so let me ask the brain trust: when a user's password expires, is there a way for them to reset it over the VPN? -4MR3patch5 60C using FortiClient as VPN, authenticating to Windows AD using LDAP. So if Alice is out of the office and her password _expires_, it looks like FortiClient won't let her log in and change her own password. It just locks her out. Short of having the help desk (me) reset her password, is there any way for her to get back in? Our users get a 3 day notice that they ignore and then wonder why they can't get in. ISA used to let them log in with the expired PW and allow them to change it. Thoughts?
ede_pfau
SuperUser

IMHO 'password expiry' is just what it says: if the password has expired then it's no longer valid. My boss used to tell me 'now they'll learn' when a host crashed and no one had a valid backup of their data. What you could consider is granting them access via SSL VPN web portal (so, no extra software needed) with a permanent password, and having an RDP applet in the portal. But given the risks I'd rather change the password policy in the AD to 'permanent'.
Ede Kernel panic: Aiee, killing interrupt handler!
sean_powell
New Contributor

Right... That is what I just got back from Tech support as well. We were hoping to avoid having people call in for password resets, but oh well. Thanks
veechee
New Contributor

Ah, password expiry. This is a problem I face as well. Even though all the "best practices" say to expire passwords every X days, I can't implement it because of too many remote workers! A laptop in the field with an expired password is pretty useless, SSLVPN or not. I just coach users to change their passwords at least annually, and I have increased the minimum length of passwords so that no passwords can be too weak. If your security requirements are higher, a one-time password solution would be the way to balance out the security. For myself, I'm eager to look at DirectAccess once Windows 2012 server comes out (it's too complex with Win Server 2008R2 and you can't put a hardware firewall in front of it, only Forefront UAG), as that would eliminate the need for SSL and IPSec VPNs to devices.