• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 575
  • Last Modified:

Cache Windows credentials without logging on?

We have a network running Windows Server 2003 with XP Pro clients. A large number of staff use the Remote Access Service and use cached credentials to log in to their laptops when they're not connected to the network.
In order to support these laptops at remote locations, all of our engineers also need to be able to log on to the laptops without a network connection being present. This means that before we issue a laptop each engineer needs to log on to it so that his or her credentials are cached. Our security policy prohibits us from using any generic log ons, so we can't just cache a credential for 'Engineer', which would seem to be the easiest approach.
Does anyone know of a way that we can either copy the cached credentials from one machine to another or somehow remove the neccessity for each engineer to log on individually?
Thanks in advance.
2 Solutions
Hi Matt_Jones,

you cant cache a set of credentials without first logging on... its the only way to cache them   and you cant copy a pre-existing set of credentials as they are unique to the machine. as far as i know anyway, if i am wrong i would like to know how it is done, but im farily certain this is the foundation blocks of caching credentials

are you meaning that you share laptops around the staff? or do they each have their own?

Pete LongConsultantCommented:
Why not issue the Engineers with a CD - that can create an "administrative" user on each Laptop?

just compile a reatogo XPE CD and put the Password changer on the image (its one of the plugins) then on each laptop the enGineer boots up with the CD and can add an Engineer account thats a local administrator

Matt_JonesAuthor Commented:
Jay Jay - That was my understanding as well, but I thought I'd ask the question just to make sure. It just adds so much time to the build.
Mostly users have their own laptops, although there are a small number of laptops that are shared between team members.

Pete - Our security policy is quite strict about what we can and cannot do, once the laptop is in the live environment. We use a smart card for log on and each card is bound to the user's domain account. The use of local accounts is prohibited and disabled by policy, so can't really get away with your suggestion.
What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

i understand where your coming from mate and wish there was an inbuilt solution that i could point you towards - just the limitations in the OS my friend
Matt, you might have a problem if there is a large number of different support engineers. There is a maximum number of cached credentials that will be retained in any event.

You probably want to research this a bit to ensure you are not going to exceed the max or "how you get the credentials to the computer" may turn out to be less of a problem than "if I can transfer credentials, would I be able to store ALL of them."

That said, I'm very inclined to agree with JayJay: the credentials will be derived from the unique machine sid so I don't see this working as a transfer concept.

However, it seems you could deploy the notebooks from a master Ghost image that has already been logged on to the domain with each engineer account.
thanks :)

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now