Strange but true - How could a local restricted user profile's NT password overwrite the restricted user's domain-based cached NT login password?

Tablet OS: Windows XP Tablet Edition 2005 v2002 sp2

We have a large remote user community who use the VPN to download e-mail, etc. They rarely use a GINA-VPN login but can access company info after logging into their cached domain profile (cachedlogonscount=10) and using the VPN. Some of these users are required to attend training events at regional offices or hotels. For training, they are asked to log into a local training profile so that training materials do not impact the live domain profile. The system does have UPHClean and requires the date/time to be set months, even years, prior to meet certain training scenarios.

The issue is that after accessing the local training profile (non-complex password), a few of the users experience a strange anomaly where the local training profile's login password has replaced the live user's login password (complex password and maxpassage=60 days). The easiest way for us to resolve it is to have the user log into the live profile via the GINA-VPN and refresh their credentials.

Please note we have not been able to reproduce the issue in the lab and are still in the process of capturing an image or tablet that is exhibiting the issue.

I'm turning to you for thoughts on how this could be possible and where the breakdown might be occurring. Expired domain password, corrupt cached credentials or password verifier, incorrectly mapped SID/GUID? Thank you in advance.


PharmaEMT (Author) Commented:

So the challenge presented is to reproduce how a local trainme profile's password can replace a domain user's cached password. I'm pleased to report that I've made some headway on the issue:

Environment: My corporate Dendrite DELL Latitude D620 with a VMWare sanofi-aventis image

Local training user = train**/train**/(local)
Domain user = ex00763/mypassword/Rx
Local admin = admin/bogus2008/(local)

1. Login as the domain user with ex00763/mypassword/Rx
2. Put the tablet into hibernate under the domain profile
3. Allow the tablet to hibernate
4. Power on the tablet
5. Instead of passing the domain user at the login screen, pass the local admin credentials
6. Wait for the local admin profile to load
7. Logoff the local admin
8. Login to the domain user as ex00763/mypassword/Rx
9. Wait for the domain profile to load

While these steps don't prove it can be done with the local training user, it does show that the local admin password can be passed to the domain-based profile after resuming from hibernation. Any ideas why?