I know of no official document and it seems to vary depending on VPN client. I have
had success changing an expired password using the built-in Windows 2000/XP VPN
client in that after a VPN logon to the domain I was informed that my password had
expired and was given the chance to change it, which worked.

A problem arises if a user is logging onto their computer using cached credentials for
the domain. In that case if the password has expired I was able to change it but was
denied access to domain shares. The reason is that the "cached credentials" are not
updated when you change the password over the VPN. I found that after changing my
password via VPN, if I immediately locked and unlocked my computer with the "new"
password, the cached credentials were updated and I was able to access domain resources.

Note that you might have better luck if you train users to log on to the VPN using the
domain name also instead of just username and password. This can be configured in the
VPN connection's properties for the MS built-in VPN client. Once logged onto the domain
via VPN, the users should be able to change their domain password by using
Ctrl-Alt-Delete / Change Password, which you may want to have them try before you
implement the policy, and then remind them to do so before their password expires.

Note that users who have their account properties configured for "password never
expires" will not be subject to maximum password age policy and those users that
currently have a password older than maximum password age will immediately have expired
passwords. There is a free tool from SomarSoft called DumpSec that can display the last
time a user changed their password.

--- Steve
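
The pre-rollout check described in the post above (who is exempt because of "password never expires", and whose password is already older than the planned maximum age), as an added PowerShell example that is not part of the original post. It assumes account records carrying the AD attributes sAMAccountName, pwdLastSet and userAccountControl; the function name, the warning window and the sample accounts are constructed for illustration.

```powershell
# Added example. Account records mimic the AD attributes sAMAccountName,
# pwdLastSet and userAccountControl; all sample values are constructed.
$DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl bit: "password never expires"

function Get-PasswordExpiryImpact {
    param(
        [Parameter(Mandatory)] [object[]] $Accounts,
        [Parameter(Mandatory)] [int] $MaxPasswordAgeDays,
        [datetime] $AsOf = (Get-Date).ToUniversalTime(),
        [int] $WarnDays = 14      # hypothetical reminder window
    )
    foreach ($a in $Accounts) {
        $changed = $null; $age = $null
        if ([long]$a.pwdLastSet -ne 0) {
            # pwdLastSet is a FILETIME: 100 ns intervals since 1601-01-01 UTC
            $changed = [datetime]::FromFileTimeUtc([long]$a.pwdLastSet)
            $age = [int][math]::Floor(($AsOf - $changed).TotalDays)
        }
        $status = if ($a.userAccountControl -band $DONT_EXPIRE_PASSWORD) {
            'Exempt'                   # not subject to maximum password age
        } elseif ($null -eq $changed) {
            'MustChangeAtNextLogon'    # pwdLastSet = 0
        } elseif ($age -ge $MaxPasswordAgeDays) {
            'ExpiresImmediately'       # expired the moment the policy applies
        } elseif ($age -ge ($MaxPasswordAgeDays - $WarnDays)) {
            'ExpiresSoon'              # remind the user to change it now
        } else {
            'OK'
        }
        [pscustomobject]@{
            Account = $a.sAMAccountName; LastChanged = $changed
            AgeDays = $age; Status = $status
        }
    }
}

# Constructed sample data, with password ages relative to a fixed reference date
$asOf = [datetime]::new(2024, 6, 1, 0, 0, 0, [System.DateTimeKind]::Utc)
$ft = { param($days) $asOf.AddDays(-$days).ToFileTimeUtc() }
$sample = @(
    [pscustomobject]@{ sAMAccountName = 'alice'; pwdLastSet = (& $ft 120); userAccountControl = 0x200 }
    [pscustomobject]@{ sAMAccountName = 'bob'; pwdLastSet = (& $ft 80); userAccountControl = 0x200 }
    [pscustomobject]@{ sAMAccountName = 'carol'; pwdLastSet = (& $ft 10); userAccountControl = 0x200 }
    [pscustomobject]@{ sAMAccountName = 'svc_backup'; pwdLastSet = (& $ft 400); userAccountControl = 0x10200 }
    [pscustomobject]@{ sAMAccountName = 'dave'; pwdLastSet = 0; userAccountControl = 0x200 }
)
Get-PasswordExpiryImpact -Accounts $sample -MaxPasswordAgeDays 90 -AsOf $asOf |
    Format-Table -AutoSize
```

Accounts reported as ExpiresImmediately or ExpiresSoon that belong to remote users are the ones to contact before the policy is applied, since they are the users who will hit the VPN and cached-credential behaviour described in the post.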