0
We have a Windows 7 PC that is not joined to our enterprise domain (which I will call "domain"), and this PC has several local accounts. All of the PC's local accounts have a mapped network drive which uses a specific domain account, say, "domain\specialuser," that is used to access a network share that is in the domain.
Because of CA-DOJ policy, passwords for the local accounts on the machine must be changed every 30 days. Whenever the anyone's local password is changed however, Windows 7 promptly erases their stored credentials, even though we marked "Remember My Credentials" when mapping the drive. Furthermore, the password for the domain account used to access the network share is not changing.
Why is Windows 7 eradicating the mapping credentials? Shouldn't this not change? Is there some "secret" (i.e., I don't know about) policy setting that controls this behavior? Google search and SO/SU search turned up nothing but 'how to erase mappings...' not helpful.
David Mancini
Posted 2018-12-14T16:43:34.957
Reputation: 79
Issues specific to corporate IT support and networks are not treated here. – harrymc – 2018-12-14T16:49:06.820
Do you enforce local policy restrictions on this stand-alone machine? ..And if so, do you enforce this setting in local policy? Network access: Do not allow storage of passwords and credentials for network authentication – thepip3r – 2018-12-14T16:50:03.630
@thepip3r No, that setting is not touched. The mappings seem to store just fine. Until the local account password expiration policy kicks in. At which point it kills their mappings as well. – David Mancini – 2018-12-14T17:04:26.947
@harrymc Where more appropriate would I ask then? – David Mancini – 2018-12-14T17:05:40.837
Can you manually perform a password change and force the credentials to drop? – thepip3r – 2018-12-14T17:14:05.080
@thepip3r - I'll have to try later, the machine is in production use right now and testing would also require botching someone else's password. – David Mancini – 2018-12-14T17:15:32.220
Don't really know : Help : On Topic.
– harrymc – 2018-12-14T17:15:46.2201@harrymc - Also, this isn't really a question about the "enterprise" or "corporate" part. I specifically said this machine is NOT on the domain. It is a one-off machine, with what I suspect is a Windows-7-born issue, not a corporate configuration issue. We use no GPO whatsoever on this machine, aside from the password policy, which is controlled directly from the machine itself, not from a "corporate" network. – David Mancini – 2018-12-14T17:19:12.113
Is the image you used to build the machine the one from the vendor or did you reformat it with a corporate image? If so, are you sure there's no tattoo'd local security settings on the machine? I'll lab this out when I get home with a run-of-the-mill Win7 box but if you're using a corporate image with locked down settings and I can't repro this in a VM, I'd say it's a conflict in policy settings. – thepip3r – 2018-12-14T17:25:26.220
@thepip3r - As far as I know, it's stock Win 7 Professional. – David Mancini – 2018-12-14T17:36:09.423
1How are the local passwords getting changed? Is the Reset Password functionality being used, or are the accounts being logged in and the passwords changed through the normal "Change Password" functionality? – I say Reinstate Monica – 2018-12-14T18:41:21.770
Passwords are expiring per Policy setting on the machine. I wound up using the Logon Script policy option to simply map the drive manually and non-persistently at each logon instead of relying on Windows to maintain the password. – David Mancini – 2018-12-18T01:03:18.333
That comment didn't answer my question. In any case, if you find a solution please post it as an answer so others can be held in the future. – I say Reinstate Monica – 2018-12-25T11:43:43.407