Understanding Cached Credentials

Guest

All -

I've read quite a few (good) documents regarding the login process for
domain clients, but I can't find very detailed information about cached
credentials.

Specifically, I would like to know how long cached credentials are valid
for. Is this dependent on the domain password policy? Is the user prompted
that their cached credentials are about to expire when logging in? If the
user's cached credentials expire, are they allowed to change those cached
credentials?

Any help is appreciated.

Thanks
 
Carey Frisch [MVP]

Cached credentials security in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;913485

--
Carey Frisch
Microsoft MVP
Windows - Shell/User
Microsoft Community Newsgroups
news://msnews.microsoft.com/

Vincent Xu [MSFT]

Hi,

Thanks Carey for the great information.

NRC, Let me know if you still have questions.


Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so that
others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================



Vincent Xu [MSFT]

Hi,

Additional information:

Open Regedit.exe and go to HKEY_LOCAL_MACHINE\SECURITY\Cache. You will see
NL$1, NL$2, ..., NL$n (by default, it will be 10). This is the place where
cached credentials are stored. The user name and password are hashed, we cannot
identify. Each time you log on, the credential will be cached. When the 11th
user logs on, the first cached credential will be replaced.

Hope the information helps.


Best regards,

Vincent Xu
Microsoft Online Partner Support
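
The slot count described in the post above can be audited without opening the SECURITY hive. This is an added example, not part of the original thread: it assumes the limit is held in the `CachedLogonsCount` value (REG_SZ, 0 to 50) under the Winlogon key, and `Get-CachedLogonPolicy` and its `-MaxAllowed` baseline are hypothetical names.

```powershell
# Added example (not from the thread): report the cached-logon limit on this
# machine and compare it with a baseline chosen by the administrator.
function Get-CachedLogonPolicy {
    [CmdletBinding()]
    param(
        # Hypothetical baseline: the largest slot count your organisation accepts.
        [ValidateRange(0, 50)]
        [int]$MaxAllowed = 10
    )

    # Assumption: the limit lives in CachedLogonsCount (a string value) here.
    $key     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    # Assumption: a missing value means the default of 10 that the thread cites.
    $default = 10

    $raw = (Get-ItemProperty -Path $key -Name CachedLogonsCount `
                -ErrorAction SilentlyContinue).CachedLogonsCount

    $count  = $default
    $source = 'default (value not set)'
    if ($null -ne $raw) {
        $parsed = 0
        $isInt  = [int]::TryParse([string]$raw, [ref]$parsed)
        if ($isInt -and $parsed -ge 0 -and $parsed -le 50) {
            $count  = $parsed
            $source = 'registry'
        } else {
            # Do not guess what Windows does with a malformed value; flag it.
            $count  = $null
            $source = "registry value '$raw' is not a number in 0..50"
        }
    }

    # Cached domain logons only matter on a domain-joined machine.
    $joined = [bool](Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

    # 0 disables caching: a laptop that cannot reach a domain controller
    # (the travelling-user case in this thread) could then not log on at all.
    $finding = if ($null -eq $count)           { 'InvalidValue' }
               elseif (-not $joined)           { 'NotDomainJoined' }
               elseif ($count -eq 0)           { 'CachingDisabled' }
               elseif ($count -gt $MaxAllowed) { 'AboveBaseline' }
               else                            { 'WithinBaseline' }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        DomainJoined      = $joined
        CachedLogonsCount = $count
        Source            = $source
        MaxAllowed        = $MaxAllowed
        Finding           = $finding
    }
}

# Example: a laptop baseline that tolerates at most two cached accounts.
Get-CachedLogonPolicy -MaxAllowed 2
```

Reading the Winlogon key needs no elevation, so the function can run from an ordinary inventory or compliance job.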

Guest

Vincent, Carey,

Thanks for the replies. I had found several documents citing "number of
cached domain credentials stored on the client" and "notification of logon
using cached credentials", but it's not exactly what I was going for.

I had already found the article that Carey posted (before my newsgroups
post, of course) - but this doesn't contain the information I'm after. It was
still a good read. However, consider this: A domain laptop (read: user) is
out of the country for 3 months on business. Assume a VPN or similar
connection is not available back to the parent domain. The domain password
policy sets domain account passwords to expire every 60 days. What is the
expected result of the client using cached credentials longer than the domain
password policy allows?

In the case where the password would expire, and the client is notified, the
client would not be able to change their password since the domain is not
available.

This is the type of documentation I was looking for. Not that there would be
documents specifically for "extended travel users", but I would expect to
find some documentation regarding the parameters of cached credentials, other
than those in KB913485.

Thanks again for the good replies, I hope to hear back soon.

Thanks


Steven L Umbach

Unfortunately I have never seen good documentation of such. If I remember
correctly from experience a user will be able to logon to their computer
with cached credentials after their domain password expires however if they
try to connect to the domain via a VPN they will get a message that their
password has expired and must change it to gain access. The built in
Microsoft VPN client using mschapv2 should allow them to change their
password at this time but I heard many third party VPN clients will not.
After doing such the user should immediately lock and then unlock their
computer to refresh their cached credentials with the new password.

What I would do is to test it out on a laptop. Have a user logon and logoff
to create cached credentials, unplug from the network to verify that they
can logon with cached credentials, then logon as the built in administrator
account and change the system clock to be well past a time where their
password would expire, reboot the computer and try to logon with the cached
credentials again to see what happens. --- Steve
 
Vincent Xu [MSFT]

Hi,

Please rest assured that cached credentials will not expire.

Password expiration policy in the domain will not apply to cached
credentials.

Also, cached credentials will not expire at some point and prevent the user
from logging on locally.

Thanks.

Best regards,

Vincent Xu
Microsoft Online Partner Support

Steven L Umbach

Thanks for verifying my findings! I suspected that a domain controller would
need to be contacted to verify password age. --- Steve


Vincent Xu [MSFT]

Hi,

Glad to hear the information is helpful.

Have a good day.


Best regards,

Vincent Xu
Microsoft Online Partner Support
