Any situation where an old password would be valid indefinitely and a new one not recognized would require the machine to not be able to reach AD or Entra, but also to still be reachable by RDP… indefinitely. That’s definitely not impossible, but it’s one hell of an edge case to use the term “indefinitely” for.
Would something like this happen if AD and Entra is in a remote office, the machine has a networking issue that prevents non local connections?
Yep. If the network is local only and can’t reach Azure (for Entra) or the Domain Controller (for AD) that we’re saying is at another physical location, then there’s no way for the machine to see the new password. It will continue to accept the old cached password until that network issue is resolved.
But that’s always been the case. It’s how Windows NT and forward work. In that scenario, you could only reach the machine over RDP if you were on another machine on that isolated network.
Would something like this happen if AD and Entra is in a remote office, the machine has a networking issue that prevents non local connections?
Yep. If the network is local only and can’t reach Azure (for Entra) or the Domain Controller (for AD) that we’re saying is at another physical location, then there’s no way for the machine to see the new password. It will continue to accept the old cached password until that network issue is resolved.
But that’s always been the case. It’s how Windows NT and forward work. In that scenario, you could only reach the machine over RDP if you were on another machine on that isolated network.