Control time limit of cached credentials

Posted by Mike H on July 2, 2008, 10:58 am
Hello,
We have a few laptop users with logins to our AD domain. They are sometimes
offsite for quite a while. Eventually, they can no longer log in with their
domain credentials. Our help desk then has to walk them through setting up a
local profile so they can work.

Is there a way to set this so the credentials don't timeout? Or is there a
way for them to be able to authenticate remotely to our domain? I already
went down the route of using our VPN client but that is not supported.

Any help would be appreciated. We'd prefer not to have to give these people
local machine accounts.

Thanks,

Mike H

Posted by Steve Riley [MSFT] on July 2, 2008, 4:24 pm
Cached domain credentials are useful indefinitely. Do you mean that the
users' domain passwords expire?

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



> Hello,
> We have a few laptop users with logins to our AD domain. They are
> sometimes
> offsite for quite a while. Eventually, they can no longer log in with
> their
> domain credentials. Our help desk then has to walk them through setting up
> a
> local profile so they can work.
>
> Is there a way to set this so the credentials don't timeout? Or is there a
> way for them to be able to authenticate remotely to our domain? I already
> went down the route of using our VPN client but that is not supported.
>
> Any help would be appreciated. We'd prefer not to have to give these
> people
> local machine accounts.
>
> Thanks,
>
> Mike H


Posted by Mike H on July 2, 2008, 4:35 pm
I did not really think about the password expiration. That is probably what
is happening. They will be working fine and then one day they can no longer
log in using their cached credentials.

I guess the solution for these folks then would be to extend the length of
time between password resets or stop forcing them to reset their passwords.

"Steve Riley [MSFT]" wrote:

> Cached domain credentials are useful indefinitely. Do you mean that the
> users' domain passwords expire?
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com
>
>
>
> > Hello,
> > We have a few laptop users with logins to our AD domain. They are
> > sometimes
> > offsite for quite a while. Eventually, they can no longer log in with
> > their
> > domain credentials. Our help desk then has to walk them through setting up
> > a
> > local profile so they can work.
> >
> > Is there a way to set this so the credentials don't timeout? Or is there a
> > way for them to be able to authenticate remotely to our domain? I already
> > went down the route of using our VPN client but that is not supported.
> >
> > Any help would be appreciated. We'd prefer not to have to give these
> > people
> > local machine accounts.
> >
> > Thanks,
> >
> > Mike H
>

Posted by Alun Jones on July 7, 2008, 4:13 pm
Password expiry shouldn't affect cached credentials - password expiry
applies only when you're connected to the domain (because you can't change
the password if you're not able to save the new password hash to a DC!)

What's more likely, IMHO, is that you've exceeded the limit of the number of
cached credentials held in the machine. Also possible is that they have
changed their password at the domain, then on the offline machine tried to
use their new password enough times that the account has been locked.

I think you need to tell us what you mean by "can no longer log in" - what
error messages are displayed? What events are logged?

Alun.
~~~~

>I did not really think about the password expiration. That is probably what
> is happening. They will be working fine and then one day they can no
> longer
> log in using their cached credentials.
>
> I guess the solution for these folks then would be to extend the length of
> time between password resets or stop forcing them to reset their
> passwords.
>
> "Steve Riley [MSFT]" wrote:
>
>> Cached domain credentials are useful indefinitely. Do you mean that the
>> users' domain passwords expire?
>>
>> --
>> Steve Riley
>> steve.riley@microsoft.com
>> http://blogs.technet.com/steriley
>> http://www.protectyourwindowsnetwork.com
>>
>>
>>
>> > Hello,
>> > We have a few laptop users with logins to our AD domain. They are
>> > sometimes
>> > offsite for quite a while. Eventually, they can no longer log in with
>> > their
>> > domain credentials. Our help desk then has to walk them through setting
>> > up
>> > a
>> > local profile so they can work.
>> >
>> > Is there a way to set this so the credentials don't timeout? Or is
>> > there a
>> > way for them to be able to authenticate remotely to our domain? I
>> > already
>> > went down the route of using our VPN client but that is not supported.
>> >
>> > Any help would be appreciated. We'd prefer not to have to give these
>> > people
>> > local machine accounts.
>> >
>> > Thanks,
>> >
>> > Mike H
>>
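
A diagnostic sketch for the questions raised in the replies above (cache limit, lockout, which events are logged). It is an added example, not part of any poster's message. It assumes Windows Vista or later (event IDs 4624/4625), logon auditing enabled, and an elevated PowerShell session on the affected laptop.

```powershell
# Added diagnostic sketch (not from the thread). Run elevated on the affected laptop.
# Assumes Vista-or-later Security event IDs and that logon auditing is enabled.

# 1. How many users' domain logons does this machine cache?
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$raw = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
$limit = if ($null -eq $raw) { 10 } else { [int]$raw }   # stored as a string; 10 is the Windows default
"Cached logon limit: $limit" + $(if ($limit -eq 0) { ' (caching disabled, offline domain logon cannot work)' })

# 2. Collect logon successes (4624) and failures (4625) from the last 30 days.
$filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddDays(-30) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $d = @{}
    foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
    [pscustomobject]@{
        Time = $_.TimeCreated; Id = $_.Id; User = $d['TargetUserName']
        LogonType = $d['LogonType']; Status = $d['Status']; SubStatus = $d['SubStatus']
    }
}

# 3. LogonType 11 (CachedInteractive) proves a logon was satisfied from the local cache.
'--- Last cached (offline) logon per user ---'
$events | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq '11' } |
    Group-Object User | ForEach-Object { '{0}: {1}' -f $_.Name, ($_.Group | Sort-Object Time | Select-Object -Last 1).Time }

# 4. Decode why logons failed; SubStatus carries the specific NTSTATUS when present.
$reason = @{
    '0xc000006a' = 'wrong password'
    '0xc0000234' = 'account locked out'
    '0xc000005e' = 'no logon servers available (offline and no usable cached entry)'
    '0xc0000064' = 'unknown user name'
}
'--- Failed logons ---'
$events | Where-Object Id -eq 4625 | ForEach-Object {
    $code = if ($_.SubStatus -and $_.SubStatus -ne '0x0') { $_.SubStatus } else { $_.Status }
    $why = if ($code -and $reason.ContainsKey($code)) { $reason[$code] } else { $code }
    '{0}  {1}  type {2}  {3}' -f $_.Time, $_.User, $_.LogonType, $why
}
```

The limit corresponds to the Group Policy setting "Interactive logon: Number of previous logons to cache (in case domain controller is not available)".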


