Changing Passwords Over RAS Connections
One common issue related to password changes for domain accounts has to do with changes made over a RAS (dial-up or VPN) connection. When a user changes a password over a RAS connection, the DPAPI master key is updated but not immediately replicated to other domain controllers. As a result, when the user disconnects from the network and tries to access locally encrypted files, the result may be an Access Denied error. There are a couple of solutions:
The user can log back onto the network and update the DPAPI master key.
You can modify the registry, configuring the ProtectionPolicy key with a value of 1 in the following location:
If this key doesn't exist, you can create a new ProtectionPolicy key with a REG_DWORD value. Set the data value to decimal 1. This option isn't completely without risk. The above change to the registry may place the account at risk for offline attack because resetting the local password no longer invalidates the DPAPI master key. For more information, see Knowledge Base article Q309408, "Troubleshooting the Data Protection API (DPAPI)."