Cache Windows credentials without logging on?

Posted on 2006-03-26
Last Modified: 2013-12-04
We have a network running Windows Server 2003 with XP Pro clients. A large number of staff use the Remote Access Service and use cached credentials to log in to their laptops when they're not connected to the network.
In order to support these laptops at remote locations, all of our engineers also need to be able to log on to the laptops without a network connection being present. This means that before we issue a laptop each engineer needs to log on to it so that his or her credentials are cached. Our security policy prohibits us from using any generic log ons, so we can't just cache a credential for 'Engineer', which would seem to be the easiest approach.
Does anyone know of a way that we can either copy the cached credentials from one machine to another or somehow remove the neccessity for each engineer to log on individually?
Thanks in advance.
Question by:Matt_Jones
    LVL 48

    Accepted Solution

    Hi Matt_Jones,

    you cant cache a set of credentials without first logging on... its the only way to cache them   and you cant copy a pre-existing set of credentials as they are unique to the machine. as far as i know anyway, if i am wrong i would like to know how it is done, but im farily certain this is the foundation blocks of caching credentials

    are you meaning that you share laptops around the staff? or do they each have their own?

    LVL 57

    Expert Comment

    by:Pete Long
    Why not issue the Engineers with a CD - that can create an "administrative" user on each Laptop?

    just compile a reatogo XPE CD and put the Password changer on the image (its one of the plugins) then on each laptop the enGineer boots up with the CD and can add an Engineer account thats a local administrator

    Author Comment

    Jay Jay - That was my understanding as well, but I thought I'd ask the question just to make sure. It just adds so much time to the build.
    Mostly users have their own laptops, although there are a small number of laptops that are shared between team members.

    Pete - Our security policy is quite strict about what we can and cannot do, once the laptop is in the live environment. We use a smart card for log on and each card is bound to the user's domain account. The use of local accounts is prohibited and disabled by policy, so can't really get away with your suggestion.
    LVL 48

    Expert Comment

    i understand where your coming from mate and wish there was an inbuilt solution that i could point you towards - just the limitations in the OS my friend

    Assisted Solution

    Matt, you might have a problem if there is a large number of different support engineers. There is a maximum number of cached credentials that will be retained in any event.

    You probably want to research this a bit to ensure you are not going to exceed the max or "how you get the credentials to the computer" may turn out to be less of a problem than "if I can transfer credentials, would I be able to store ALL of them."

    That said, I'm very inclined to agree with JayJay: the credentials will be derived from the unique machine sid so I don't see this working as a transfer concept.

    However, it seems you could deploy the notebooks from a master Ghost image that has already been logged on to the domain with each engineer account.
    LVL 48

    Expert Comment

    thanks :)

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Free camera licenses with purchase of My Cloud NAS

    Milestone Arcus software is compatible with thousands of industry-leading cameras for added flexibility. Upon installation on your My Cloud NAS, you will receive two (2) camera licenses already enabled in the software. And for a limited time, get additional camera licenses FREE.

    Recently, a new law in my state forced us to get a top-to-bottom analysis of all of our contract client's networks. While we have documentation, it was spotty at best for some - and in any event it needed to be checked against reality. That was m…
    No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
    It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
    Need more eyes on your posted question? Go ahead and follow the quick steps in this video to learn how to Request Attention to your question. *Log into your Experts Exchange account *Find the question you want to Request Attention for *Go to the e…

    759 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    12 Experts available now in Live!

    Get 1:1 Help Now