How domain passwords work in XP?

  • How domain passwords work in XP?

    Hi,

    I need to understand the process of how XP stores user domain credentials.

    Let's imagine a scenario:

    There is a computer with XP which is plugged into the company's LAN, and user John is logging on to the AD domain for the 1st time.
    He uses a password which is: 12345
    Then his profile gets created on that computer and gets cached.
    Now if the user disconnects from the domain, unplugs the cable and goes home, he can log on to XP offline with password 12345.

    So my understanding is that this password has to be cached somewhere on the local HDD. But how and where? There is no local account named 'John' on the computer; there is only a profile for him, created by logging on to the domain before and stored in C:\Documents and settings\John.

    And the problem now is:

    The user got connected to the domain again and was forced to change his password, which was 12345. He changes the password to something else and confirms. All seems to be fine; the new password gets accepted successfully.
    Until... he powers off the computer and takes it home.
    When he starts the computer at home (offline) he can no longer get into XP; the messages are - domain is not available ... make sure username and password are correct blah blah blah....
    The user tries both passwords, the old 12345 and also the new one that he changed a few hours ago back in the office. Neither of them works.

    What can be the cause of such a problem?
    Do you think the password got corrupted somehow, etc.?

    If you have any ideas, or if my understanding of how cached passwords are written onto the local machine is wrong, then please correct me.

    Thanks for the help.

  • #2
    Re: How domain passwords work in XP?

    He should have logged off the machine in the office and logged on again with the new password. Just to make sure. Usually the new credentials are cached when the password is changed; however sometimes they are not. Logging on again with the new password would have ensured that the new credentials were cached and therefore useable offline.

    The Domain Login credentials are cached in the "HKLM/SECURITY" key in the Registry in an encrypted form. You do not have access to these keys and could not read/change them if you did.


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you



    • #3
      Re: How domain passwords work in XP?

      Hi Stonelaughter, thanks a lot for shedding some light on it.

      There are very few resources I can find in books or on the web on cached profiles and passwords...

      Also, do you know if there is a way to allow our example user to get onto his computer without asking him to come back to the office?
      I know that if the laptop is plugged back into the company's LAN, it will pick up the credentials and log back in, or eventually maybe the password will need to be resynchronized / reset in AD again as well.
      But let's imagine the user cannot go to the office now and needs to use the laptop.

      Is there any way of letting him in?

      The only way I could think of is changing the "Logon to" option to "This computer" instead of the domain, and giving the user the credentials of some local account. But I don't want to do this, as a security measure.

      Thanks again and have a good day



      • #4
        Re: How domain passwords work in XP?

        Or, if you have a dial-up or VPN connection configured to be used BEFORE logon, he can logon direct to the LAN via his broadband & VPN/dial-up - which will hopefully re-cache his new password. Don't give him a local admin account; he will spend all of his time downloading and installing stuff that will trash your beautifully crafted laptop build. It's either VPN/Dial-up, or come to the office. Next time, he'll know to log off and back on before he goes home, won't he?


        Tom


        • #5
          Re: How domain passwords work in XP?

          All right, that's what I thought of as well a little while later.
          No worries, then the only way is to get him back to the office now.
          Defo will not be giving him the admin password, it will bring disaster.

          To tell the full story (I did not want to complicate the case originally): the system forced his password change while he was VPN'ed to the company's network from a remote location. So double-checking by logging off and on probably wouldn't bring any joy in this case, as he would end up in the same place where he is now anyway... with no access to the computer.

          But that's a good point about double-checking while still on the company's LAN to make sure you can get back into your system with the new password.

          Thanks again m8
          Last edited by no_clue; 15th September 2008, 14:39.



          • #6
            Re: How domain passwords work in XP?

            If he never normally comes back to the office, and this will be a recurring problem, then once he's cached you can set his account to "Password never expires" until his job changes. Make sure it's properly recorded in the incident management software you use, though... with reasons.


            Tom