Solved

Windows Domain Cached Credentials

Posted on 2008-09-30
Last Modified: 2012-05-05
We have a Small Business Server 2003 domain and I have 3 new laptops to join to it. The users of these laptops are at another jobsite. Once I join these computers to the domain, is there any way to cache their credentials ahead of time so that they will be able to log in at the site?

I normally have employees come into the office and log in once while the new computer is connected to the server. Then when they go out in the field they can still log in with the cached credentials. However, these employees will not be able to make it into the office. I would like to get everything set up and take them out there.

I do not want to have to ask them for their passwords or reset them and then have to worry about changing them back through VPN or something.
Question by:dtsmith1984
7 Comments
 
LVL 11

Expert Comment

by:Jon Winterburn
ID: 22609057
I think what you are asking for is impossible, because in order for the credentials to be cached, they have to first be authenticated by the LSA, and if you are not going to authenticate for the first time, then the workstation will not be able to store the credentials in its Credential Manager.

See this: http://support.microsoft.com/kb/913485
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 22609248
I am not 100% certain, but I believe that if you can get them to log on using dial-up networking, so that they are logging on directly to the domain, their domain credentials will get cached at that time.  As long as the machine is already joined to the domain, it should work OK.  You would have to have them log on to the local machine as a local administrator and create a VPN connection for use by everyone.  Then, they would log off and log on to the domain using the "log on using dial-up networking" option from the logon prompt with their own domain user credentials.  
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 22621646
Once I join these computers to the domain is there any way to cache their credentials ahead of time so that they will be able to login at the site

Windows does this automatically, in the event the 2003 server is down or unreachable.
0
 
LVL 38

Accepted Solution

by:
Hypercat (Deb) earned 500 total points
ID: 22624976
After rereading your OP, I can amend my answer to say that all you'd have to do is pre-configure the VPN connection and make it available to all users before you deliver the machine to the user in the field.  Then he/she would be able to use the "log on using dialup networking" option from the logon prompt initially.
0
 

Author Comment

by:dtsmith1984
ID: 22664734
ChiefIT:  

Windows does not do this automatically, because if I just add a user to the machine (DOMAIN\USERNAME) and try to log in without a connection to the server, it says it cannot validate. If I plug in to the network and then log in, the credentials are then cached and I can log in without being connected to the server.

Is there something that I may need to set up differently for it to cache initially without logging in to each of the users?


hypercat:

The VPN would probably work but in this instance the users do not have any internet access at their current location.  I am going to go ahead and accept your solution since 9 times out of 10 that would work.



0
 

Author Closing Comment

by:dtsmith1984
ID: 31501720
Thank you!
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 22665081
Here is a little bit of information that might give you some insight on what is going on.
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_22597159.html

There are a couple of sets of credentials that folks call cached credentials: (Truth is, neither is really cached!)
--The first set are saved credentials. These are located in Control Panel>>Users>>advanced>>Managed passwords.
For these credentials, the user has to elect to save the credentials on the local machine. The drawback is if you change the domain credentials, your saved credentials will not match the domain credentials. So, you are not able to log in and risk having your domain account locked out.

--The second set of cached credentials are resident in registry and can easily be deemed as cached since they are dynamically updated:
These are located in registry and you save up to ten of them. These credentials are called Hashes:
HKEY_LOCAL_MACHINE\SECURITY\CACHE\NL$1 through NL$10

With that said, there is a setting you can post that tells you what credentials you are using ("cached" or domain credentials).
http://support.microsoft.com/kb/242536
0
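
As an added example (not part of the thread or of any poster's reply), a pre-deployment check an administrator could run on each laptop before it leaves the office: it confirms the machine is domain-joined and that logon caching is enabled, which are the preconditions for the offline logon discussed above. It assumes PowerShell 3.0 or later for `Get-CimInstance`; the function names are made up for this example, and `CachedLogonsCount` is the Winlogon value behind the "Interactive logon: Number of previous logons to cache" policy.

```powershell
# Added example: pre-deployment check for offline (cached) domain logon.
# Reads only the Winlogon setting; it does not touch the
# HKLM\SECURITY\Cache entries, which hold the cached logon data itself.

function ConvertTo-CachedLogonCount {
    param([AllowNull()][object]$RawValue)
    # The value is stored as a string (REG_SZ). When it is absent, Windows
    # uses the default of 10, matching the NL$1..NL$10 slots named above.
    if ($null -eq $RawValue -or "$RawValue".Trim() -eq '') { return 10 }
    $count = 0
    if (-not [int]::TryParse("$RawValue".Trim(), [ref]$count)) {
        throw "CachedLogonsCount is not numeric: '$RawValue'"
    }
    if ($count -lt 0 -or $count -gt 50) {
        throw "CachedLogonsCount outside the valid range 0-50: $count"
    }
    return $count
}

function Test-OfflineLogonReadiness {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $raw = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
                -ErrorAction SilentlyContinue).CachedLogonsCount
    $count = ConvertTo-CachedLogonCount $raw
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        DomainJoined      = [bool]$cs.PartOfDomain
        Domain            = $cs.Domain
        CachedLogonsCount = $count
        # 0 disables caching: no user can log on without a reachable DC.
        CachingEnabled    = ($count -gt 0)
        # True means a slot WILL be filled the first time the user logs on
        # while a domain controller is reachable; it is not filled before that.
        CanCacheOnFirstOnlineLogon = ([bool]$cs.PartOfDomain -and $count -gt 0)
    }
}

Test-OfflineLogonReadiness | Format-List
```

A result of `CanCacheOnFirstOnlineLogon = True` only means the laptop is able to cache; each user still needs one logon with the domain controller reachable (on the LAN or over the pre-configured VPN from the accepted solution) before offline logon works.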
