Thanks to Mike Driest, who did most of the testing and documentation on this issue…
One of the many benefits of Coretek’s Virtual Clinical Workstation (VCW) solution is the ability to allow users to run their clinical applications through a “thin” client. A thin client is a small, lightweight computer that contains very little hardware: just the minimum needed to connect to the higher-powered servers on which the applications run.
Some of these thin clients run a smaller, “lighter” version of Windows called Windows “Embedded”, while others don’t run Windows at all! These devices — while being very inexpensive and convenient due to their small footprint (space-wise and energy-wise) — pose certain technical challenges in a Windows environment. One such challenge is changing a user’s Active Directory domain password.
We had to do some troubleshooting recently in our lab to determine whether we had the correct settings to allow an Imprivata “service” account to facilitate a domain user password change from a “zero” client – a device that does not run any form of Windows. As part of our testing, we had to ensure that the test account’s password was expired; to do this in a timely manner, we set the “pwdLastSet” attribute of the test account to '0' (zero).
To confirm that the password was indeed expired, we used the following PowerShell command (requires the AD DS PowerShell Snap-In), substituting the test account’s name for SamAccountName:
Get-ADUser SamAccountName -Properties *
You’ll see “PasswordExpired: True” and “PasswordLastSet” is blank.
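The two steps above (set pwdLastSet to 0, then confirm the result) combined into one PowerShell function, added here as an example and not taken from the original post. The function name and the account name vcw-test01 are hypothetical; it assumes the ActiveDirectory module is available and that the caller has rights to modify the test account.

```powershell
#Requires -Modules ActiveDirectory

function Set-TestAccountPasswordExpired {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # sAMAccountName of a lab test account (supplied by the caller)
        [Parameter(Mandatory)]
        [string]$SamAccountName
    )

    $props = 'pwdLastSet', 'PasswordExpired', 'PasswordLastSet', 'PasswordNeverExpires'
    $user  = Get-ADUser -Identity $SamAccountName -Properties $props

    # An account flagged "password never expires" is not reported as expired,
    # so stop here rather than produce a misleading test result.
    if ($user.PasswordNeverExpires) {
        throw "$SamAccountName has PasswordNeverExpires set; clear it before testing."
    }

    # pwdLastSet = 0 marks the password as expired immediately.
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Set pwdLastSet to 0')) {
        Set-ADUser -Identity $user -Replace @{ pwdLastSet = 0 }
    }

    # Re-read the account and return only the fields used for confirmation.
    Get-ADUser -Identity $SamAccountName -Properties $props |
        Select-Object SamAccountName, pwdLastSet, PasswordExpired, PasswordLastSet
}

# Preview the change first; remove -WhatIf to apply it to the test account.
Set-TestAccountPasswordExpired -SamAccountName 'vcw-test01' -WhatIf
```

Run without -WhatIf, the returned object should match what the post describes: PasswordExpired is True and PasswordLastSet is blank.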
I hope you find this tip helpful!