Windows Domain Cached Credentials

Posted on 2008-09-30
Last Modified: 2012-05-05
We have a Small Business Server 2003 Domain & I have 3 new laptops to join to it. The users of these laptops are at another jobsite. Once I join these computers to the domain, is there any way to cache their credentials ahead of time so that they will be able to log in at the site?

I normally have employees come into the office and log in once while the new computer is connected to the server. Then when they go out in the field they can still log in with the cached credentials. However, these employees will not be able to make it into the office. I would like to get everything set up and take them out there.

I do not want to have to ask them for their passwords or reset them and then have to worry about changing them back through VPN or something.
Question by:dtsmith1984
7 Comments
 
LVL 11

Expert Comment

by:Jon Winterburn
ID: 22609057
I think what you are asking for is impossible, because in order for the credentials to be cached, they have to first be authenticated by the LSA, and if you are not going to authenticate for the first time, then the workstation will not be able to store the credentials in its Credential Manager.

See this: http://support.microsoft.com/kb/913485
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 22609248
I am not 100% certain, but I believe that if you can get them to log on using dial-up networking, so that they are logging on directly to the domain, their domain credentials will get cached at that time.  As long as the machine is already joined to the domain, it should work OK.  You would have to have them log on to the local machine as a local administrator and create a VPN connection for use by everyone.  Then, they would log off and log on to the domain using the "log on using dial-up networking" option from the logon prompt with their own domain user credentials.  
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 22621646
"Once I join these computers to the domain is there any way to cache their credentials ahead of time so that they will be able to login at the site"

Windows does this automatically, in the event the 2003 server is down or unreachable.
0

 
LVL 38

Accepted Solution

by:
Hypercat (Deb) earned 2000 total points
ID: 22624976
After rereading your OP, I can amend my answer to say that all you'd have to do is pre-configure the VPN connection and make it available to all users before you deliver the machine to the user in the field.  Then he/she would be able to use the "log on using dialup networking" option from the logon prompt initially.
0
 

Author Comment

by:dtsmith1984
ID: 22664734
ChiefIT:  

Windows does not do this automatically, because if I just add a user to the machine (DOMAIN\USERNAME) and try to log in without a connection to the server, it says it cannot validate. If I plug in to the network and then log in, the credentials are then cached and I can log in without being connected to the server.

Is there something that I may need to set up differently for it to cache initially without logging in to each of the users?


hypercat:

The VPN would probably work but in this instance the users do not have any internet access at their current location.  I am going to go ahead and accept your solution since 9 times out of 10 that would work.



0
 

Author Closing Comment

by:dtsmith1984
ID: 31501720
Thank you!
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 22665081
Here is a little bit of information that might give you some insight on what is going on.
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_22597159.html

There are a couple sets of credentials that folks call cached credentials: (Truth is, neither are really cached!)
--The first set are saved credentials. These are located in Control Panel>>Users>>advanced>>Managed passwords.
For these credentials, the user has to elect to save the credentials on the local machine. The drawback is if you change the domain credentials, your saved credentials will not match the domain credentials. So, you are not able to log in and risk having your domain account locked out.

--The second set of cached credentials are resident in registry and can easily be deemed as cached since they are dynamically updated:
These are located in registry and you save up to ten of them. These credentials are called Hashes:
HKEY_LOCAL_MACHINE\SECURITY\CACHE\NL$1 through NL$10

With that said, there is a setting you can post that tells you what credentials you are using ("cached" or domain credentials).
http://support.microsoft.com/kb/242536
0
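
A pre-delivery check of the cached-logon settings discussed in this thread, as an added example that is not part of any post above. `CachedLogonsCount` and `ReportControllerMissing` are Winlogon registry values not named on the page; the function name and the account names are hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: run from an elevated prompt on the laptop before it leaves the office.
# It reads policy values only; the NL$ entries under HKLM\SECURITY\Cache are readable
# by SYSTEM alone and are not touched.
function Get-CachedLogonReadiness {
    param([string[]]$ExpectedUsers = @())   # hypothetical: logon names of the field users

    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $profiles = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

    $wl = Get-ItemProperty -Path $winlogon
    # CachedLogonsCount is a REG_SZ; Windows uses 10 when the value is absent,
    # and 0 disables logon with cached domain credentials entirely.
    $count = if ($null -ne $wl.CachedLogonsCount) { [int]$wl.CachedLogonsCount } else { 10 }

    # Heuristic: a local profile folder means the account completed an interactive
    # logon on this machine at least once, which is when a cache entry is written.
    $profileNames = @(Get-ChildItem -Path $profiles |
        ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ProfileImagePath } |
        Where-Object { $_ } |
        ForEach-Object { Split-Path -Path $_ -Leaf })

    # Profile folders may carry a suffix such as "jdoe.DOMAIN", so match both forms.
    $missing = @($ExpectedUsers | Where-Object {
        $u = $_
        -not ($profileNames | Where-Object { $_ -eq $u -or $_ -like "$u.*" })
    })

    [pscustomobject]@{
        DomainJoined            = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
        CachedLogonsCount       = $count
        OfflineLogonPossible    = ($count -gt 0)
        ReportControllerMissing = $wl.ReportControllerMissing  # machine-side switch for the cached-logon notice
        UsersWithoutProfile     = $missing
    }
}

# Constructed account names for illustration.
Get-CachedLogonReadiness -ExpectedUsers 'jdoe', 'asmith'
```

Any name listed under `UsersWithoutProfile` has never completed a logon on that laptop, so it will hit the "cannot validate" behaviour described in the author's comment until it authenticates against a domain controller once.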

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
INTRODUCTION The purpose of this document is to demonstrate the Installation and configuration of the Data Protection Manager product. Note that this demonstration was prepared on the basis of Windows OS is 2008 R2 and DPM 2010. DATA PROTECTI…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question