Active Directory account that allows login when the domain is down?

huangs3
In my home network there is an Active Directory domain, and I am using my Active Directory account in this domain to log in to my PC, because using this account to log in allows me to access some resources in the home network. This AD account also has administrative permission on my PC.

Assuming the domain controller of the AD domain has a chance to fail and stop working, then I will not be able to log in with the AD account, but will need to use a local account. In this situation, if I have files saved on the desktop, or in any account-specific location of the AD account, then I will have a bit of trouble getting them back:
-- log in with a local account with Admin permission
-- explore the user folder on the system drive (C:)
-- find the files and copy them to the local account's desktop (or another folder)

To resolve this issue in the situation of a failing AD domain, I am wondering: can I set up an AD account in Windows 7/8/10 that allows the user to log in when the AD domain is down?

This seems to defeat the definition of an AD account, but I am still wondering whether an account can be set up to work with the domain when it is available, and work as a local account when the domain is down...

If this is not doable, then ideas on how to prepare for the situation when the AD domain is down would be welcome.

Thank you!
Consultant
Commented:
If the credentials are cached on the machine, then you will be able to log in with the domain credentials indefinitely, even if the Domain Controller is not reachable.

To test, pull the network cable, or disconnect the WiFi, and try logging in to see if it works and you can access things.

Alan.

Author

Commented:
Hi Alan,

How can I configure it to cache the credentials?
Alan, Consultant

Commented:
It should happen by default.

Give it a go, and see what happens.

Author

Commented:
Hi Alan, it does work after I unplugged the Internet cable.
I understand it is a default setting, but where should I check in Windows to make sure the cache will not be cleaned up?
Distinguished Expert 2017

Commented:
You can restrict it so that no cached credentials of admin accounts are retained. Not sure you can require the caching of credentials that were not used.

Commonly, this is why there should be a local administrative account on each system.

You could always, as admin, assert ownership over the files, provided you did not encrypt them.

If you use EFS or another type of encryption, you have to back up and store your keys/certificates such that you can re-add them to a local admin account to regain access to the files. Look at best practices and backup options for the encryption scheme you are using...
Alan, Consultant

Commented:
The cache is never cleared.

I had a machine that ran like that for years.

Alan.

Commented:
When the domain is down you need to log on locally.

Normally, when the domain is up, your login will look like this:

DomainName\Username
Password

When the domain is down you need to log on locally:

ComputerName\Username
Password
Distinguished Expert 2018
Commented:
The last 10 domain user passwords are cached by default, so unless more than 10 users are actively using your machine, there is no chance it gets cleared. Simply don't worry.
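Since the thread keeps coming back to "is the cache still on, and how big is it", here is an added read-only audit script (not from the thread or any of its participants) that reports the settings behind the two articles the asker found: `CachedLogonsCount` (the interactive logon cache, default 10, 0 = disabled) and `DisableDomainCreds` (the "Network access: Do not allow storage of passwords and credentials for network authentication" policy, which affects Credential Manager rather than the logon cache). It assumes an elevated PowerShell session on a domain-joined Windows 7/8/10 machine.

```powershell
# Added example: audit whether domain users can still sign in to this PC
# while the domain controller is unreachable. Read-only; run elevated.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# CachedLogonsCount is a REG_SZ string. Absent value => OS default of 10.
# 0 disables caching, which is the state the asker wants to avoid.
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
           -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = '10 (value absent, default applies)' }

# DisableDomainCreds (REG_DWORD) backs the "do not allow storage of
# passwords and credentials" policy. It does NOT control the logon cache.
$noStore = (Get-ItemProperty -Path $lsa -Name DisableDomainCreds `
            -ErrorAction SilentlyContinue).DisableDomainCreds
if ($null -eq $noStore) { $noStore = 0 }

# Is the machine domain-joined, and is the secure channel to a DC up now?
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$dcReachable = $false
if ($cs.PartOfDomain) {
    try   { $dcReachable = Test-ComputerSecureChannel -ErrorAction Stop }
    catch { $dcReachable = $false }
}

[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    Domain             = if ($cs.PartOfDomain) { $cs.Domain } else { '(workgroup)' }
    CachedLogonsCount  = $cached
    DisableDomainCreds = $noStore
    DCReachableNow     = $dcReachable
} | Format-List

if ("$cached" -eq '0') {
    Write-Warning 'Cached logons are disabled: domain accounts cannot sign in while the DC is down.'
}
```

To change the count fleet-wide, use the GPO setting "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, rather than editing the registry on each machine.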
Distinguished Expert 2017
Commented:
Here is a tool written by Shaun that would facilitate the setup (prior to) of a local login, which might be useful to you should the system lose access to AD.
https://www.experts-exchange.com/articles/31583/Active-Directory-Securely-Set-Local-Account-Passwords.html
Configuring a service to run as a service will ... But it cannot be a regularly used user account, as a change in password will lock the service out.

Under what circumstances are you envisioning this loss of access to AD and your need/requirement to log in?

Author

Commented:
Alan: brought up the information about cached credentials
McKnife: provided information about the default number of accounts cached
arnold: indicated a tool to use as a backup plan

After research, I found the following articles helped me understand how things work:

https://support.microsoft.com/en-ca/help/172931/cached-domain-logon-information

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication

http://www.frickelsoft.net/blog/?p=49
Distinguished Expert 2017

Commented:
Please clarify which issue from which article is something of interest or that you are looking to clarify.

It is hard to answer/provide insight without context of interest to you.

Author

Commented:
Hi Arnold, I was looking for an AD account in Windows 7/8/10 that allows the user to log in when the AD domain is down.
The articles I listed at the end were the result of searching after being inspired by the replies about cached credentials.

These articles give more details about:
-- what cached credentials of AD accounts are (the 1st)
-- how to disable cached credentials (so that I know what I should not do) (the 3rd)

I double-checked the 2nd, and found that it seems to be unrelated to my specific interest.
Distinguished Expert 2017

Commented:
From the two articles that apply to your question/situation, what are you looking at that needs clarification/explanation?
Having a local non-AD administrative account is the only way to assure yourself access to the system in the event of loss of access to the AD, as well as loss of trust between the AD and a system. It happens, rarely; some that I've seen involve an update whose installation process fails to complete, such that the auto repair/system rollback process rolls the system back too far, so the system key (machine AD key/password) is not the current one and authentication against the AD is denied for loss of trust. The only way to recover is to log in with an administrative/local account and rejoin the domain, which results in a refresh of the machine key, re-establishing the trust relationship.

Also, depending on your AD settings, a system that has been dormant for an extended amount of time, 30 or 60 days, might no longer be seen as valid by the AD when booted.

Unless you plan on monitoring how many unique logins are made to each workstation and, on the 10th, make sure to log into the system, resetting the order (FIFO) of the cached credentials to be kicked out next...
There are other methods to regain access to a system in various circumstances; look for "lost password".
Distinguished Expert 2018

Commented:
"Having a local non-ad administrative account is the only way to assure yourself access to the system in the event of access to the AD as well as loss of trust between the AD and a system" - no. In that case, you simply disable the network/pull the LAN cable, log on with cached credentials and reset the machine password in PowerShell. Never needed a non-AD account for that scenario.
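The "reset the machine password in PowerShell" step above, written out as an added example (not from the thread or any participant): after signing in with cached domain credentials, reconnect the network, test the computer's secure channel to the domain, and repair it only if it is broken. It assumes an elevated session and a domain account permitted to reset computer account passwords; the DC name in the commented alternative is a placeholder.

```powershell
# Added example: check the machine/domain trust and repair it in place.
# Run elevated, after signing in with cached credentials and reconnecting
# the network. Does not leave or rejoin the domain.

# 1. Test the secure channel. $false means the local machine password no
#    longer matches what the DC holds (the "loss of trust" case above).
$ok = Test-ComputerSecureChannel -Verbose
if ($ok) {
    Write-Host 'Secure channel is healthy; nothing to repair.'
    return
}

# 2. Ask for an account allowed to reset this computer's AD password
#    (a domain admin, or a delegated account). Never hard-code it.
$cred = Get-Credential -Message 'Domain account permitted to reset this computer account'

# 3. Reset the machine password on both the client and the DC.
Test-ComputerSecureChannel -Repair -Credential $cred -Verbose

# Alternative that targets a specific DC (placeholder name, assumption):
# Reset-ComputerMachinePassword -Server 'DC01' -Credential $cred

# 4. Confirm the result before rebooting or signing out.
if (Test-ComputerSecureChannel) {
    Write-Host 'Trust re-established.'
} else {
    Write-Warning 'Still broken: check DNS, clock skew against the DC, and whether the computer object still exists in AD.'
}
```

If the computer object has been deleted from AD, a repair cannot succeed and the machine must be rejoined, which is the case where the local admin account discussed in this thread becomes necessary.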

Author

Commented:
Hi arnold,

From the two articles I apply to my situation, there is one thing I feel is strange: why does Windows 10 need people to use the registry editor to change the number of cached credentials? My guess is that Microsoft people don't think this is a popular enough functionality, such that they don't bother to make a nice Windows feature to do that. Because I already got the information I need to keep the network running, I didn't dig into this more.

Yes, I do have local admin accounts on each computer. The reason I still want to keep the AD account working is because I want to avoid the troublesome work of finding files from the AD account folder, using the local admin account, in the situation when my family members want their files back.

The link you gave me even tells me that there is a tool to setup local account (if there is not yet local account) when I cannot use AD account. This makes me feel I can handle an even worse situation. That's good.

I feel 10 cached credentials should be enough, because everybody in the family has an individually assigned computer.
Distinguished Expert 2017

Commented:
For any registry change, you can use GPO computer configuration to push this registry entry down to workstations.
Where do you store the user data? Are you configuring the user profiles with roaming profiles/folder redirection? Centralizing user data in a single place provides for simpler backup strategies, as well as a centralized backup that does not rely on the user's computer being on when the scheduled backup should run.

An administrator, whether local or AD-based, will usually have access to user profile data, i.e. the permissions on c:\users include Administrators, of which Domain Admins is a member group. Whether the account is local or a member of the Domain Admins group, the account will have the same rights.

The tool described in the article is written by an EE contributor.

I think you are trying to make a decision/approach using seemingly incorrect/inaccurate assumptions.
Try it: log in with your local admin account to see whether you can or cannot access the data within the profiles in question,
then log in with a domain admin and see if you can access the data.
Do not use the admin take-ownership option.

Not sure whether you are familiar with psexec.exe from Sysinternals (MS bought it: technet.microsoft.com/sysinternals).

Useful tool.
