Control time limit of cached credentials

  #1  
Old 02-07-2008
Mike H
 
Posts: n/a
Control time limit of cached credentials

Hello,
We have a few laptop users with logins to our AD domain. They are sometimes
offsite for quite a while. Eventually, they can no longer log in with their
domain credentials. Our help desk then has to walk them through setting up a
local profile so they can work.

Is there a way to set this so the credentials don't timeout? Or is there a
way for them to be able to authenticate remotely to our domain? I already
went down the route of using our VPN client but that is not supported.

Any help would be appreciated. We'd prefer not to have to give these people
local machine accounts.

Thanks,

Mike H
  #2  
Old 03-07-2008
Steve Riley [MSFT]
 
Posts: n/a
Re: Control time limit of cached credentials

Cached domain credentials are useful indefinitely. Do you mean that the
users' domain passwords expire?

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com
  #3  
Old 03-07-2008
Mike H
 
Posts: n/a
Re: Control time limit of cached credentials

I did not really think about the password expiration. That is probably what
is happening. They will be working fine and then one day they can no longer
log in using their cached credentials.

I guess the solution for these folks then would be to extend the length of
time between password resets or stop forcing them to reset their passwords.
  #4  
Old 08-07-2008
Alun Jones
 
Posts: n/a
Re: Control time limit of cached credentials

Password expiry shouldn't affect cached credentials - password expiry
applies only when you're connected to the domain (because you can't change
the password if you're not able to save the new password hash to a DC!)

What's more likely, IMHO, is that you've exceeded the limit of the number of
cached credentials held in the machine. Also possible is that they have
changed their password at the domain, then on the offline machine tried to
use their new password enough times that the account has been locked.

I think you need to tell us what you mean by "can no longer log in" - what
error messages are displayed? What events are logged?

Alun.
~~~~
Reply With Quote
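The two things raised in the post above, the cached-logon limit and which events are logged, can be checked on the affected laptop. This is an added example, not part of the original thread; it assumes Windows Vista / Server 2008 or later (Security event IDs 4624 and 4625), an elevated PowerShell prompt, and a 30-day look-back chosen for illustration.

```powershell
# Added example (not from the thread). Run from an elevated prompt.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# CachedLogonsCount (REG_SZ) is the value behind the policy "Interactive logon:
# Number of previous logons to cache". 0 disables cached logons entirely.
$prop = Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue
if ($null -eq $prop) {
    Write-Output 'CachedLogonsCount is not set; the Windows default applies.'
} elseif ([int]$prop.CachedLogonsCount -eq 0) {
    Write-Output 'Cached logons are disabled: offline domain logon will always fail.'
} else {
    Write-Output ('Cached logon limit: {0} distinct users' -f $prop.CachedLogonsCount)
}

# 4624 = successful logon, 4625 = failed logon.
# LogonType 2 = interactive, 11 = CachedInteractive (served from the cache).
$since  = (Get-Date).AddDays(-30)   # look-back window, an assumption
$filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Flatten <EventData><Data Name="..."> into a name/value table.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    if ('2', '11' -contains $data['LogonType']) {
        $result = 'Failure'
        if ($e.Id -eq 4624) { $result = 'Success' }
        New-Object PSObject -Property @{
            Time      = $e.TimeCreated
            Result    = $result
            User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType = $data['LogonType']
            Status    = $data['Status']      # only present on 4625
            SubStatus = $data['SubStatus']   # only present on 4625
        }
    }
}

# Who still logs on from the cache, and which failures were recorded.
$rows | Sort-Object Time |
    Format-Table Time, Result, User, LogonType, Status, SubStatus -AutoSize
```

On a failure row, Status 0xC000005E means no logon server was reachable and 0xC0000234 means the account is locked out.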
  #5  
Old 11-07-2008
Chad
 
Posts: n/a
Re: Control time limit of cached credentials

We've been seeing this recently also at my company. Cached credentials
expire after just a day or two it seems. Then if you are disconnected from
network, and trying to logon you get:

" Unable to contact domain xxxx"