Access with cached credentials

Hi out there
I have a simple question - how long is cached credentials pr. default valid
in a windows environment ?
The cause for the question is a small windows nt4 domain where the PDC
(single and only) has gone forever - no backup neither - and the dealer is
now pretty happy even though they no PDC - they can still logon to their
workstations and have all vitale services local - the password is set to
never expiere. If there is no need for them to add new users or change
passwords etc will the cached credentiels ever expiere ?

Steven
Mon Dec 19 19:28:02 CST 2005

From what I am able to figure out cached credentials never expire. Seems
weird that they would be happy with things the way they are as it sure does
not give them much in the way of expandability. --- Steve



"Thomas Iwang" <ThomasIwang@discussions.microsoft.com> wrote in message
news:14BC3C97-4C48-4EB3-ABED-0788E36AF210@microsoft.com...
> Hi out there
> I have a simple question - how long is cached credentials pr. default
> valid
> in a windows environment ?
> The cause for the question is a small windows nt4 domain where the PDC
> (single and only) has gone forever - no backup neither - and the dealer is
> now pretty happy even though they no PDC - they can still logon to their
> workstations and have all vitale services local - the password is set to
> never expiere. If there is no need for them to add new users or change
> passwords etc will the cached credentiels ever expiere ?
>

Ian
Tue Dec 20 11:00:32 CST 2005



"Steven L Umbach" wrote:

> From what I am able to figure out cached credentials never expire. Seems
> weird that they would be happy with things the way they are as it sure does
> not give them much in the way of expandability. --- Steve

An interesting point, as we have laptops in all parts of the world, and I've
always been reluctant to make them domain-members in case the caching should
stop working in some very remote and very techsupport-free location. Perhaps
it's not too serious a concern?

Steven
Tue Dec 20 15:50:05 CST 2005

I can't say it is 100 percent sure but I have had laptops of mine that I
could logon with cached credentials long [months] after the password had
expired at the domain level. Also remote users could also run into a problem
if they did connect to the domain via VPN with cached credentials and then
find themselves locked out after they try to access domain resources. I have
found that using the native VPN client for Windows 2000/XP the user should
be able to change their password then but that may not be the case with
third party VPN clients. If you want to try it I would start with a small
group and you could also have a local regular user account that the user
could use in case a problem came up assuming they at least had phone access
so that you could give them the password for that local user account.
Cached credentials can also add security if EFS for XP Pro is used since my
understanding is that cached credentials are stored very securely and would
not be subject to the brute force password attacks that a local user account
could be once an attacker gained administrator access to a computer. ---
Steve


"Ian" <Ian@discussions.microsoft.com> wrote in message
news:7366DC20-B0DF-47F0-90C1-2A00829E760C@microsoft.com...
>
>
> "Steven L Umbach" wrote:
>
>> From what I am able to figure out cached credentials never expire. Seems
>> weird that they would be happy with things the way they are as it sure
>> does
>> not give them much in the way of expandability. --- Steve
>
> An interesting point, as we have laptops in all parts of the world, and
> I've
> always been reluctant to make them domain-members in case the caching
> should
> stop working in some very remote and very techsupport-free location.
> Perhaps
> it's not too serious a concern?
>

Ian
Wed Dec 21 17:08:02 CST 2005

Thanks, I'll bear those points in mind.