If someone changes their password outside of the office without connecting to the VPN, cached credentials will fail to update and the user will be locked out of their laptop.


To fix this, follow these steps.


1. Log on as the local user - You will most likely need to use the password set by the Local Admin Password Solution. To get it, log on to either DC1 or DC2, run the password wizard as admin, enter the computer name, and use the password it shows.



2. Connect to the VPN and add the user into the remote users list - Once logged on, connect to the VPN. If the client is not installed, it can be downloaded from https://supportcenter.checkpoint.com/supportcenter/portal/user/anon/page/default.psml/media-type/html?action=portlets.DCFileAction&eventSubmit_doGetdcdetails=&fileid=105158

Then add the user into the remote users list so that you can RDP back to the laptop.



3. Run ipconfig to find out the VPN IP address - Run ipconfig and note the address of the Check Point adapter. It will start with 10.5.211.xxx



4. Reset the user's password from AD - Reset it directly from AD so that you know what the current password is.


5. RDP to the user's laptop - From a machine on the internal network (your laptop or a server), start an RDP session and connect to the VPN IP address. When prompted for credentials, use the username and the password you have just set.



6. Allow the connection from the user's laptop - It will probably tell you a user is already logged in. On the user's laptop, allow the RDP session to connect.


7. RDP session will end - Once allowed, the RDP session will almost instantly disconnect, along with the VPN. However, this should have been enough to update the cached credentials on the user's laptop.


8. Sign out of the local user account - Now try to sign back in as the user; it should let you in. Connect the VPN again to allow the laptop to talk to the domain controllers. That's it. You can now remove the user from the remote users list.
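
The laptop-side parts of steps 2, 3 and 8 can also be done from an elevated PowerShell prompt. This is an added example, not part of the original procedure; it assumes the "remote users list" is the local Remote Desktop Users group, and EXAMPLE\jsmith and the function names are placeholders.

```powershell
# Added example. Assumes an elevated session on the laptop, logged on as the local admin.
$RdpUsersSid = 'S-1-5-32-555'   # well-known SID of BUILTIN\Remote Desktop Users

function Add-TempRdpUser {
    param([Parameter(Mandatory)][string]$User)
    # Step 2: the VPN must be up so the domain account can be resolved.
    if (Get-LocalGroupMember -SID $RdpUsersSid -Member $User -ErrorAction SilentlyContinue) {
        Write-Host "$User is already in Remote Desktop Users; leave it there at cleanup."
        return $false
    }
    Add-LocalGroupMember -SID $RdpUsersSid -Member $User -ErrorAction Stop
    return $true    # we added it, so step 8 should remove it again
}

function Get-VpnAddress {
    param([string]$Prefix = '10.5.211.')
    # Step 3: same information as ipconfig, filtered to the VPN range given in step 3.
    Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress.StartsWith($Prefix) } |
        Select-Object InterfaceAlias, IPAddress
}

function Remove-TempRdpUser {
    param([Parameter(Mandatory)][string]$User)
    # Step 8: take the temporary RDP right away once the user can sign in.
    Remove-LocalGroupMember -SID $RdpUsersSid -Member $User -ErrorAction Stop
    # Returns $true when the membership is really gone.
    -not (Get-LocalGroupMember -SID $RdpUsersSid -Member $User -ErrorAction SilentlyContinue)
}

# On the laptop, after connecting the VPN (steps 2-3):
#   $added = Add-TempRdpUser -User 'EXAMPLE\jsmith'
#   Get-VpnAddress
# On the internal machine (step 5):
#   mstsc /v:<address returned by Get-VpnAddress>
# Back on the laptop once the user has signed in (step 8):
#   if ($added) { Remove-TempRdpUser -User 'EXAMPLE\jsmith' }
```

Recording whether the account was added in step 2 means the cleanup in step 8 only removes access that this procedure granted.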