Link to home
Create AccountLog in
Avatar of lbertacco

asked on

How to realign cached password/login credentials with domain controller from a laptop connecting via vpn

I have 2 laptops identically configured. Actually it is just one real laptop plus a virtual one obtained taking an HD image of the real one.
Both are joined to a windows domain, and I connect to the domain network via a vpn. I can start the VPN (cisco client) only after logging in, so at login time, I'm always using cached credentials.
The problem is that my password has expired. I renewed it on the real laptop (login, start vpn, change pwd, lock, unlock, done), but now the virtual one knows nothing about it. Its cached password is still the old one, so I can access the virtual laptop using my old password but then if I connect to vpn and try to access the domain I get prompted for reauthentication with my current password. I tried the "change password" dialog on the virtual laptop but it doesn't let me set the new password to my current password (as that's already my current password) and if I really change the password to something else, then I'll just move the problem to the real laptop.
How can I get the virtual laptop to realign its cached credentials with the domain controller?
Avatar of lnkevin
Flag of United States of America image

Here is the workarround on your "virtual laptop":
- Open the VPN Client Options menu and choose Windows Logon Properties.
- Check "Enable start before logon". Click OK.
Enable this, you will login to your VPN before login on Windows. You can try to change the password with ctrl-Alt-Del (input old and new password).

Otherwise, I don't think there is a way to sync the password between virtual pc and domain unless you bring your laptop to your office.

Avatar of lbertacco


I already tried that but didn't work. However I found out that the reason I cannot align my password is a different one.
This is what I found:
The easiest way to realign the password is just to start the vpn, access a domain resource, wait for the invitation by windows to lock and unlock the pc (to refresh cached password) and actually do it.
Other ways are the one you suggested or alternatively, configure the vpn client so that it doesn't disconnect on logoff (then login, start vpn, logoff and login again - at least in this way you have a visual cue showing that the vpn is connected).
It doesn't work for me because I get this error (with any of the 3 methods):
>Windoows cannot connect to the domain, either because the domain controller is
>down or otherwise unavailable, or because your computer account was not
>found. Please try again later. If this message continues to appear, contact your
>system administrator for assistance (which I'll probably do).
(Note that this is a different message than the one I get if I enter an incorrect password).

Does this mean that the domain controller figure out that this virtual pc is not the original laptop (and therefore not joined to the domain) even if I took a low-level hd image? Is there any way around this?
Does this mean that the domain controller figure out that this virtual pc is not the original laptop....

I am not sure DC even care about whether or not it's an original laptop. As long as you can connect to the domain with different host name (before the password changed) I assume your DC create a SID account for your virtual laptop. You may want to try unjoin/rejoin to the domain. If you have OU set up in your domain, make sure you create new computer name in OU for your virtual pc before rejoin it to domain.

Well, the real laptop computer SID and the virtual machine SID should be identical (unless vmware has done something by itself), but I'll check tomorrow.
the real laptop computer SID and the virtual machine SID should be identical....

I don't think so. SID is a unique name (an alphanumeric character string) which is assigned by a Windows Domain controller during the log on process that is used to identify an object. Each computer should have its own SID. If you are running image of your laptop (identical image) you need to run Sysprep with a valid license before putting your image to domain. Yep, you may have a duplicate SID issue. Duplicated SIDs are usually not a problem with Microsoft Windows systems, but other programs that detect SID might have problems with their security.

On the client computer, go to control pannel>>user accounts>>advanced tab>>manage passwords. That's where the cached passwords are stored on the client computer. Find the AD credential you wish to edit, and I think you can edit it by selecting properties of that password.

I hope this helps.
ChiefIT, I can't find anything apparently relevant to cached password in the advanced tab/manage password window. Do you have more specific info?
The computer SID of the laptop and VM are identical. This is actually my desired setup as I'd like the VM to be indistinguishable from the real laptop and won't ever use both at the same time. Also their hostnames are the same and the domain user SID is also the same (obviously).
Inkevin: SID should normally be unique and the purpose of sysprep is to generate unique ones, but in my case I really want them to be identical because I want to virtualize the real laptop without the domain controller to notice it.
I'm still not sure it is actually noticing it or if it's just an issue with cached credentials.
If it is a cache credentials issue, you may want to try the command: gpupdate /Force or gpupdate /Logoff
You may also want to run ipconfig /dnsflush
This command will refresh the cache in your virtual laptop and update all new domain policy

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Current Version\Winlogon\

   ValueName: CachedLogonsCount
   Data Type: REG_SZ
   Values: 0 - 50

A lot of 2003 server applications were copied over from Windows NT. So, I noticed that many registry keys and applications are similar, if not exactly the same. The above registry key allows you to keep up to 50 cached logons. These logons are kept in the event that a logon server is unavailable. Though this key is for NT machines, it may exist on 2003 server. If you elect this key to be zero, it will have to go to the domain controller for logging on.  
Avatar of lbertacco

Link to home
Create an account to see this answer
Signing up is free. No credit card required.
Create Account