Solved

Windows Domain Cached Credentials

Posted on 2008-09-30
Last Modified: 2012-05-05
We have a Small Business Server 2003 Domain & I have 3 new laptops to join to it. The users of these laptops are at another jobsite. Once I join these computers to the domain, is there any way to cache their credentials ahead of time so that they will be able to log in at the site?

I normally have employees come into the office and log in once while the new computer is connected to the server. Then when they go out in the field they can still log in with the cached credentials. However, these employees will not be able to make it into the office. I would like to get everything set up and take them out there.

I do not want to have to ask them for their passwords or reset them and then have to worry about changing them back through VPN or something.
Question by:dtsmith1984
7 Comments
 
LVL 11

Expert Comment

by:Jon Winterburn
ID: 22609057
I think what you are asking for is impossible, because in order for the credentials to be cached, they have to first be authenticated by the LSA, and if you are not going to authenticate for the first time, then the workstation will not be able to store the credentials in its Credential Manager.

See this: http://support.microsoft.com/kb/913485
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 22609248
I am not 100% certain, but I believe that if you can get them to log on using dial-up networking, so that they are logging on directly to the domain, their domain credentials will get cached at that time.  As long as the machine is already joined to the domain, it should work OK.  You would have to have them log on to the local machine as a local administrator and create a VPN connection for use by everyone.  Then, they would log off and log on to the domain using the "log on using dial-up networking" option from the logon prompt with their own domain user credentials.  
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22621646
Once I join these computers to the domain is there any way to cache their credentials ahead of time so that they will be able to login at the site

Windows does this automatically, in the event the 2003 server is down or unreachable.
0

 
LVL 38

Accepted Solution

by:
Hypercat (Deb) earned 500 total points
ID: 22624976
After rereading your OP, I can amend my answer to say that all you'd have to do is pre-configure the VPN connection and make it available to all users before you deliver the machine to the user in the field.  Then he/she would be able to use the "log on using dialup networking" option from the logon prompt initially.
0
 

Author Comment

by:dtsmith1984
ID: 22664734
ChiefIT:  

Windows does not do this automatically because if I just add a user to the machine DOMAIN\USERNAME and try to log in without a connection to the server it says it cannot validate. If I plug in to the network and then log in, the credentials are then cached and I can log in without being connected to the server.

Is there something that I may need to set up differently for it to cache initially without logging in to each of the users?


hypercat:

The VPN would probably work but in this instance the users do not have any internet access at their current location.  I am going to go ahead and accept your solution since 9 times out of 10 that would work.



0
 

Author Closing Comment

by:dtsmith1984
ID: 31501720
Thank you!
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22665081
Here is a little bit of information that might give you some insight on what is going on.
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_22597159.html

There are a couple sets of credentials that folks call cached credentials: (Truth is, neither are really cached!)
--The first set are saved credentials. These are located in Control Panel>>Users>>advanced>>Managed passwords.
For these credentials, the user has to elect to save the credentials on the local machine. The drawback is if you change the domain credentials, your saved credentials will not match the domain credentials. So, you are not able to log in and risk having your domain account locked out.

--The second set of cached credentials are resident in registry and can easily be deemed as cached since they are dynamically updated:
These are located in registry and you save up to ten of them. These credentials are called Hashes:
HKEY_LOCAL_MACHINE\SECURITY\CACHE\NL$1 through NL$10

With that said, there is a setting you can post that tells you what credentials you are using ("cached" or domain credentials).
http://support.microsoft.com/kb/242536
0
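
Added example, not part of the thread or any poster's code: a PowerShell check of the CachedLogonsCount value under the Winlogon key, which controls how many domain logons Windows may keep in the cache slots mentioned above. It reads only that policy value and never the NL$ entries; the MaxRecommended threshold and the State names are assumptions made for illustration.

```powershell
# Added example: report the cached-logon policy on the local machine.
# It does not read HKLM\SECURITY\Cache (the NL$ entries), only the policy value.
function Get-CachedLogonPolicy {
    [CmdletBinding()]
    param(
        # Hypothetical review threshold; choose one that fits your laptop policy.
        [int]$MaxRecommended = 10
    )

    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $name = 'CachedLogonsCount'

    # The value is normally stored as a string (REG_SZ); it may also be absent.
    $raw = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    $count = 0
    if ($null -eq $raw) {
        $state = 'NotSet'          # Windows uses its built-in default
        $count = $null
    }
    elseif (-not [int]::TryParse([string]$raw, [ref]$count)) {
        $state = 'Invalid'         # value present but not a number
        $count = $null
    }
    elseif ($count -eq 0) {
        $state = 'Disabled'        # no offline domain logon, even after a first logon
    }
    elseif ($count -gt $MaxRecommended) {
        $state = 'AboveThreshold'  # more cached logons than the review allows
    }
    else {
        $state = 'Ok'
    }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        RawValue     = $raw
        CachedLogons = $count
        State        = $state
    }
}

Get-CachedLogonPolicy
```

A State of Disabled on a field laptop means the user cannot log on away from the domain at all, which is worth checking before the machine leaves the office.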
