How to cache credentials on Windows

2

I am a programmer and finance guy who is reluctantly in charge of IT, among any other more appropriate departments, at our eight person firm. I'm very new to IT, so please bear with me and assume I know very little.

We have a limited number of shared/vacation laptops that trade hands a lot. Despite my guidance, employees take off with a laptop that doesn't have their credentials cached so they can't login. (I try to get them to login before they head out!)

How can I cache all of the credentials to each of the traveling laptops? And is this wise? Suggestions welcome for alternative (free) solutions that solve this in a different way.

Laptop: Windows 7 without local admin rights, Server: Windows 2008 R2

mountainclimber

Posted 2016-12-22T21:53:00.643

Reputation: 169

Get them to log in before walking away from the network with the laptop. – schroeder – 2016-12-22T21:59:40.047

schroeder - note the "Despite my guidance" part of my question. I try! I added clarification on this in my question. – mountainclimber – 2016-12-22T22:02:04.223

Also, where should I post questions like this? I see you migrated my question. – mountainclimber – 2016-12-22T22:05:24.040

There is only so much you can do to help your users. One of the many hard lessons of IT. If they will not follow procedure, then they bring the consequences on themselves. – schroeder – 2016-12-22T22:06:00.347

Noted, and I agree; however, that is a tough one when it is your CEO during the holidays who needs the help. – mountainclimber – 2016-12-22T22:07:32.723

How to configure or accomplish tasks in a particular OS tends to be more of a SuperUser-type question. – schroeder – 2016-12-22T22:07:41.447

I figured it was upper management. Computers aren't magic boxes, and procedures exist to maximize productivity. Reminding management of that can help. – schroeder – 2016-12-22T22:08:56.403

Answers

4

The answer: No.

As Schroeder mentions in his comment, the way this is to be done is to require staff to log into the computer while it is still connected in the office.

There is a setting that can be configured in Group Policy that tells a computer how many credentials it can recall, which allows a staff member or two or three to log in to a computer in the office and then take the computer out of the office and still be able to log in, but even this has its limits.

The problem with what you're asking for is that you would essentially be asking the computer to retain a copy of authentication for all of the user accounts on a domain, and to ask for any updated information about these user accounts, such as changed passwords or names or permissions, whenever it does change.

First, this is impractical because the laptops would have to be connected to the domain anyway to get this information (and why doesn't the borrowing user just log in before they leave?), and second, it is highly insecure.

If a computer remembering one account's information leaves the office and is stolen, you reset the information on that one account. But if you have ALL of the information for ALL of the domain accounts on that laptop, you have trouble, spelled with a capital "T".

As part of your new role you also are the enforcer, and the rules have to be, both for the safety of the company information, and for your sanity, that staff MUST log into the computer BEFORE they leave the office or they are out of luck.

Their forgetting what they have been told is no reason for you to have to panic. They are not two year olds. They are adults who can understand and follow instructions. I assume.

UPDATE: Suggested Process & Magic Workaround

Suggested Process

Option 1: Keep all the loaner laptops secured in your office, at your tech desk, etc. When people come to check them out from you, have them log in to them before they leave. Bonus benefit: You know the laptop is working.

Option 2: Give the CEO a laptop of their own for their only computer. Then they're already logged in.

Magic Workaround

Don't just give this one away. Keep it for those times you really need bacon saved or brownie points banked, and use it only sparingly.

Set up a VPN connection of some sort, and then configure a VERY limited local account on all the laptops that ONLY connects to an available internet connection and triggers the VPN connection.

You can do this in such a way that not even the taskbar or desktop icons show up in this limited account.

Once the VPN is connected, have the remote user who could not be bothered to follow instructions press CTRL-ALT-DEL and select Change Password. In this dialog you can change passwords for accounts BESIDES the logged-in account simply by entering the domain\username of the account you wish to cache. Once the user has changed the password for their own account on this computer, the account's credentials will then be cached, and they'll be able to log in normally.

There's still a little punishment because they had to change their password, but that should hopefully serve as a reminder to do things the right way next time.

music2myear

Posted 2016-12-22T21:53:00.643

Reputation: 34 957
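The Group Policy setting the answer refers to is "Interactive logon: Number of previous logons to cache (in case domain controller is not available)"; Windows stores it as the REG_SZ value CachedLogonsCount under the Winlogon key (default 10, range 0 to 50, where 0 disables cached logons entirely). The PowerShell below is an added example, not code from the answer or from Microsoft: it reads that value on a laptop and reports whether it sits within a ceiling you set, so you can see how many accounts a lost loaner would expose and whether off-network logon works at all. The ceiling of 10 and the laptop names in the comment are assumptions.

```powershell
# Added example: audit how many domain logons a Windows machine may cache.
# The Group Policy setting "Interactive logon: Number of previous logons to
# cache" is stored here as a REG_SZ; absent value means the Windows default (10).
function Get-CachedLogonsCount {
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    $item = Get-ItemProperty -Path $Path -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }          # not set -> Windows default
    return [int]$item.CachedLogonsCount
}

# Classify the count against the firm's own ceiling. A lost laptop exposes at
# most this many accounts' cached verifiers, so the ceiling is a risk decision.
function Test-CachedLogonsPolicy {
    param([int]$Count, [int]$Ceiling)
    if ($Count -eq 0) {
        return 'Cached logons disabled: nobody can log in to this laptop off the network'
    }
    if ($Count -gt $Ceiling) {
        return "Caches up to $Count accounts, above the ceiling of $Ceiling: more accounts to reset if the laptop is lost"
    }
    return "Caches up to $Count accounts: within the ceiling of $Ceiling"
}

$maxAllowed = 10   # assumption: the firm's own ceiling; adjust to your policy
$count = Get-CachedLogonsCount
Write-Output ("{0}: {1}" -f $env:COMPUTERNAME, (Test-CachedLogonsPolicy -Count $count -Ceiling $maxAllowed))

# To run the same check on the loaner laptops from your desk (assumes WinRM is
# enabled on them and the names below are placeholders):
# $laptops = 'LOANER01', 'LOANER02'
# Invoke-Command -ComputerName $laptops -ScriptBlock ${function:Get-CachedLogonsCount}
```

Run it in an elevated PowerShell on a loaner before it leaves; a result of 0 explains a laptop that nobody can log in to away from the office, while a value well above the number of people who actually borrow the machine is worth lowering through Group Policy rather than raising.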

0

Not debating whether it is correct practice or not. But the only way to cache credentials in Windows is using Credential Manager. You can script it using the command-line tool "cmdkey" like this:

cmdkey /add:server01 /user:mikedan /pass:Kleo

amarnath chatterjee

Posted 2016-12-22T21:53:00.643

Reputation: 101

But this would not be advisable for security reasons, right? – mountainclimber – 2016-12-23T13:20:04.507

As I mentioned ... can't debate whether it's correct and secure or not ... In my opinion a security assessment requires a deeper exercise ... If you have compensatory controls around cmdkey usage then it's absolutely fine ... Credential Manager of Windows is secure in storing data ... you cannot retrieve the password, only use it to connect to things like file and printer sharing etc. ... the security issue is only around who can/should use it – amarnath chatterjee – 2016-12-24T15:36:30.510
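Whatever cmdkey leaves in Credential Manager is visible to the administrator through `cmdkey /list`, which prints each entry's target, type and user name but, as the answerer says, never the password. The PowerShell below is an added example, not code from the answer: it parses that listing into objects so you can inventory what a returning loaner laptop is still holding and remove entries that should not travel. The sample listing is constructed here to exercise the parser offline; the server names and user names in it are made up.

```powershell
# Added example: inventory the entries cmdkey has stored in Credential Manager.
# cmdkey /list prints blocks of "Target:", "Type:", "User:" lines; this turns
# them into objects. Passwords are never printed, so none can be parsed.
function ConvertFrom-CmdkeyList {
    param([string[]]$Lines)
    $entries = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            if ($current) { $entries += $current }
            $current = New-Object PSObject -Property @{ Target = $matches[1]; Type = ''; User = '' }
        } elseif ($current -and $line -match '^\s*Type:\s*(.+?)\s*$') {
            $current.Type = $matches[1]
        } elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $current.User = $matches[1]
        }
    }
    if ($current) { $entries += $current }
    return $entries
}

# Constructed sample of cmdkey /list output (server and user names are made up).
$sample = @(
    'Currently stored credentials:',
    '',
    '    Target: Domain:target=server01',
    '    Type: Domain Password',
    '    User: mikedan',
    '    Local machine persistence',
    '',
    '    Target: Domain:target=fileserver',
    '    Type: Domain Password',
    '    User: CORP\jsmith'
)

$live = $false   # set to $true to inventory the machine you are running on
$lines = if ($live) { cmdkey /list } else { $sample }
$entries = ConvertFrom-CmdkeyList -Lines $lines
$entries | Format-Table Target, Type, User -AutoSize

# Removing an entry that should not stay on a shared laptop (target name is the
# value after "target=" in the listing):
#   cmdkey /delete:server01
# Adding one without putting the password on the command line: cmdkey prompts
# for it when /pass is given with no value.
#   cmdkey /add:server01 /user:mikedan /pass
```

When scripting the `/add` form from the answer, prefer the prompting variant or a credential supplied at run time: a password typed on the command line ends up in shell history, scheduled-task definitions and any transcript or logon script you keep, which is exactly the "who can/should use it" exposure the answerer mentions.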