Solved

Windows Domain Cached Credentials

Posted on 2008-09-30
Last Modified: 2012-05-05
We have a Small Business Server 2003 Domain & I have 3 new laptops to join to it. The users of these laptops are at another jobsite. Once I join these computers to the domain, is there any way to cache their credentials ahead of time so that they will be able to log in at the site?

I normally have employees come into the office and log in once while the new computer is connected to the server. Then when they go out in the field they can still login with the cached credentials. However these employees will not be able to make it into the office. I would like to get everything set up and take them out there.

I do not want to have to ask them for their passwords or reset them and then have to worry about changing them back through vpn or something.  
Question by:dtsmith1984
 
LVL 11

Expert Comment

by:Jon Winterburn
ID: 22609057
I think what you are asking for is impossible, because in order for the credentials to be cached, they have to first be authenticated by the LSA, and if you are not going to authenticate for the first time, then the workstation will not be able to store the credentials in its Credential Manager.

See this: http://support.microsoft.com/kb/913485
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 22609248
I am not 100% certain, but I believe that if you can get them to log on using dial-up networking, so that they are logging on directly to the domain, their domain credentials will get cached at that time.  As long as the machine is already joined to the domain, it should work OK.  You would have to have them log on to the local machine as a local administrator and create a VPN connection for use by everyone.  Then, they would log off and log on to the domain using the "log on using dial-up networking" option from the logon prompt with their own domain user credentials.  
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22621646
"Once I join these computers to the domain is there any way to cache their credentials ahead of time so that they will be able to login at the site"

Windows does this automatically, in the event the 2003 server is down or unreachable.
0
 
LVL 38

Accepted Solution

by:
Hypercat (Deb) earned 500 total points
ID: 22624976
After rereading your OP, I can amend my answer to say that all you'd have to do is pre-configure the VPN connection and make it available to all users before you deliver the machine to the user in the field.  Then he/she would be able to use the "log on using dialup networking" option from the logon prompt initially.
0
 

Author Comment

by:dtsmith1984
ID: 22664734
ChiefIT:  

 Windows does not do this automatically because if I just add a user to the machine DOMAIN\USERNAME and try to log in without a connection to the server it says it cannot validate. If I plug in to the network and then log in, the credentials are then cached and I can log in without being connected to the server.

Is there something that I may need to set up differently for it to cache initially without logging in to each of the users?


hypercat:

The VPN would probably work but in this instance the users do not have any internet access at their current location.  I am going to go ahead and accept your solution since 9 times out of 10 that would work.



0
 

Author Closing Comment

by:dtsmith1984
ID: 31501720
Thank you!
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22665081
Here is a little bit of information that might give you some insight on what is going on.
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_22597159.html

There are a couple sets of credentials that folks call cached credentials: (Truth is, neither are really cached!)
--The first set are saved credentials. These are located in Control Panel>>Users>>advanced>>Managed passwords.
For these credentials, the user has to elect to save the credentials on the local machine. The drawback is if you change the domain credentials, your saved credentials will not match the domain credentials. So, you are not able to log in and risk having your domain account locked out.

--The second set of cached credentials are resident in registry and can easily be deemed as cached since they are dynamically updated:
These are located in registry and you save up to ten of them. These credentials are called Hashes:
HKEY_LOCAL_MACHINE\SECURITY\CACHE\NL$1 through NL$10

With that said, there is a setting you can post that tells you what credentials you are using ("cached" or domain credentials).
http://support.microsoft.com/kb/242536
0
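
The thread settles on two facts: a cached logon entry is only written after a user has authenticated against a domain controller once, and the machine keeps a limited number of them (the NL$1 through NL$10 slots mentioned above). The following PowerShell audit is an added example, not code from any poster in this thread; it assumes the standard Winlogon value `CachedLogonsCount` controls that limit, and the function name and the `-MaxAllowed` threshold are hypothetical choices for illustration.

```powershell
# Added example: audit the cached-logon policy on a laptop before it goes to the field.
# Assumption: CachedLogonsCount (REG_SZ) under the Winlogon key sets how many
# domain logons are kept; when the value is absent Windows uses 10.
# It reads policy only and never touches HKLM\SECURITY\Cache.
function Get-CachedLogonPolicy {
    param(
        # Hypothetical threshold: the highest count your own policy allows.
        [int]$MaxAllowed = 10
    )
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $raw = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount

    $count = 10          # default when the value is not set
    $explicit = $false
    $parsed = 0
    if ($null -ne $raw -and [int]::TryParse([string]$raw, [ref]$parsed)) {
        $count = $parsed
        $explicit = $true
    }

    $joined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

    if (-not $joined) {
        $finding = 'Not domain-joined: no domain logons will be cached.'
    } elseif ($count -eq 0) {
        $finding = 'Caching disabled: users cannot log on without a reachable DC.'
    } elseif ($count -gt $MaxAllowed) {
        $finding = "Count exceeds policy ($MaxAllowed): more password verifiers are kept on disk than intended."
    } else {
        $finding = 'Within policy. Each user must still log on once with a DC reachable before offline logon works.'
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        DomainJoined      = $joined
        CachedLogonsCount = $count
        ExplicitlySet     = $explicit
        Finding           = $finding
    }
}

Get-CachedLogonPolicy | Format-List
```

Run it from an elevated or normal prompt on the laptop; a count above zero only means caching is permitted, not that any particular user already has an entry.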
