Method 1
If you have a Windows PC that is joined to an Active Directory domain but has not been on the network since your password was changed, the PC may still expect the old password when you log in, or you may no longer know the old password. Since you connect via a VPN, the locally cached credentials are only refreshed once the client can reach a domain controller over that VPN.
To force a sync on the client:
- Log in with another account on the client PC, or use the old password if it still works
- Connect via VPN
- Open Command Prompt
- Type
runas /user:<DOMAIN>\<USERNAME> cmd
- Enter the new password when prompted
- Close both Command Prompts
This will force a sync with the Active Directory domain controller, allowing you to then log in with the new password. If you run this process from another account, you may be asked to log out and log back in the first time you use the new password, as the new password is synced across the local profile.
Method 2
You can manually initiate a secure channel reset using the nltest command, which will also sync the computer’s password with the AD server. Here’s how:
- On the client machine, open a Command Prompt with administrative privileges. To do this, right-click on the Start button, and then click Command Prompt (Admin), Windows PowerShell (Admin) or Terminal (Admin) from the context menu.
- Execute the following command, replacing example.local with the appropriate domain name:
nltest /sc_reset:example.local
- The command will reset the secure channel with the domain controller and sync the computer’s password with the AD server. If successful, it will return a message like:
Flags: 0
Connection Status = 0 0x0 NERR_Success
The command completed successfully
After executing this command, the Windows client should sync its password with the AD server. However, keep in mind that this method resets the secure channel, which could potentially affect other services or applications that rely on it. Use it with caution and only if necessary.
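The following PowerShell script is an added example and is not part of the original page. It wraps both methods above in a checked procedure: it first confirms that a domain controller is actually reachable over the VPN (by resolving the domain's DC locator SRV record and testing the LDAP port), then performs the Method 1 interactive logon, and only offers the Method 2 secure channel reset after testing whether the existing channel is broken. The domain name example.local, the user name jdoe and the function names are placeholders chosen for illustration.

```powershell
# Added example, not the original page's code. $Domain and $UserName are assumed placeholders.
param(
    [string]$Domain   = 'example.local',   # placeholder domain name
    [string]$UserName = 'jdoe'             # placeholder account name
)

# Step 0: confirm the VPN gives us a path to a domain controller before touching anything.
# The _ldap._tcp.dc._msdcs.<domain> SRV record lists the domain's DCs; LDAP (389/tcp)
# to one of them must be open through the VPN for any credential sync to happen.
function Test-DomainReachable {
    param([string]$Domain)
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' } | Select-Object -First 1
        if (-not $srv) { return $false }
        return (Test-NetConnection -ComputerName $srv.NameTarget -Port $srv.Port -InformationLevel Quiet)
    } catch {
        return $false
    }
}

# Method 1: an interactive logon with the new password. runas performs a full logon against
# the DC, which is what refreshes the locally cached credentials. The password is typed at
# the runas prompt, never passed on the command line, so this must run in an interactive session.
function Update-CachedPassword {
    param([string]$Domain, [string]$UserName)
    runas /user:"$Domain\$UserName" cmd
}

# Method 2: reset the computer account's secure channel. Returns $true only if nltest
# reports NERR_Success, so a caller can branch on the result instead of reading the screen.
function Reset-SecureChannel {
    param([string]$Domain)
    $output = nltest /sc_reset:$Domain 2>&1
    $output | Write-Host
    return ($LASTEXITCODE -eq 0 -and (($output -join ' ') -match 'NERR_Success'))
}

if (-not (Test-DomainReachable -Domain $Domain)) {
    Write-Warning "No domain controller for $Domain is reachable; connect the VPN first."
    return
}

# Prefer Method 1: it only refreshes the user's cached credentials.
Update-CachedPassword -Domain $Domain -UserName $UserName

# Method 2 is only needed if the machine's own secure channel is broken. Test it first:
# Test-ComputerSecureChannel returns $true when the channel to the domain is healthy,
# in which case a reset (which other services on the client may depend on) is not required.
if (Test-ComputerSecureChannel) {
    Write-Host "Secure channel to $Domain is healthy; no reset required."
} else {
    Write-Warning "Secure channel to $Domain is broken; resetting it (see caveat above)."
    if (-not (Reset-SecureChannel -Domain $Domain)) {
        Write-Warning 'nltest did not report NERR_Success; check DC reachability and the machine account.'
    }
}
```

Run the script from an elevated PowerShell session, since both runas (for the interactive logon) and nltest /sc_reset (for the secure channel) need to be typed interactively or run with administrative rights. The reachability check is deliberately separate from the sync steps: if it fails, the VPN or DNS is the problem and neither method will change the cached password.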