Active Directory
Alex Bond, 2022-02-11 16:20:47

Is it possible to centrally enforce caching of Windows domain passwords on users' machines?

The bottom line: many users take their work computers home during the pandemic.
If there is a problem with the VPN and, accordingly, the connection to the DC is lost, you can only do something on that machine with a cached admin password (not everything is possible as a local admin).

So the question is whether it is possible to make a cache of all or some admin passwords on local machines centrally, using AD, PS or others.

An alternative solution would also be in place.

Thanks in advance for the replies. I hope I didn’t really disturb the god BAYAN.


2 answer(s)
rPman, 2022-02-11
@rPman

Try copying the registry key HKLM\SECURITY\Cache\NL$xxxx from a machine where there is already a cached entry.
Well, it's almost the first link in Google for "dump domain cached credential".

fpir, 2022-02-17
@fpir

The policy "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" is responsible for password caching; the value, despite the description, is the number of the last domain users who logged on to this machine. Because a specific machine usually has 1-2 users plus an admin (or, in other cases, several admins), a value of 3-5 is guaranteed to add the domain admins to the cache (if they ever logged on to this machine at all). That is, to connect to the office computer from the user's home: set the policy (the default is, like, 5) to, say, 10, log on under your account, and hand over the computer.
Or did I misunderstand something?
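The policy fpir describes maps to a single registry value that a GPO can push to every laptop, so it can be set and audited centrally. The following PowerShell is an added example, not code from the thread or from any of the posters. It assumes the RSAT GroupPolicy module is available on the admin workstation, that a GPO named `Laptop-CachedLogons` (a placeholder name) already exists and is linked to the laptops' OU, and that you run it as an account allowed to edit that GPO. Keep in mind that every cached entry is a DCC2 hash that can be attacked offline if the laptop itself is compromised, so cache only the least-privileged accounts that actually need offline access; a per-machine local admin password managed by LAPS is usually the safer alternative for "fix it without the DC" scenarios.

```powershell
# Added example (not from the thread). Assumes the RSAT GroupPolicy module and an
# existing GPO named 'Laptop-CachedLogons' (placeholder) linked to the laptop OU.

# Registry location written by the 'Interactive logon: Number of previous logons to
# cache (in case domain controller is not available)' security option.
$WinlogonKey = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    # Effective value on the local machine. CachedLogonsCount is stored as REG_SZ;
    # the built-in Windows default is "10" when the policy has never been set.
    $item = Get-ItemProperty -Path "HKLM:\$WinlogonKey" -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }
    return [int]$item.CachedLogonsCount
}

function Set-CachedLogonsCountPolicy {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        # Windows accepts 0..50; 0 disables caching entirely.
        [Parameter(Mandatory)][ValidateRange(0, 50)][int]$Count
    )
    # Writing the value through the GPO is equivalent to setting the security
    # option in the GPO editor; clients pick it up on the next policy refresh.
    Set-GPRegistryValue -Name $GpoName -Key "HKLM\$WinlogonKey" `
        -ValueName CachedLogonsCount -Type String -Value ([string]$Count) | Out-Null
}

function Get-CachedLogonsCountPolicy {
    param([Parameter(Mandatory)][string]$GpoName)
    # Reads back what the GPO will enforce, for auditing.
    (Get-GPRegistryValue -Name $GpoName -Key "HKLM\$WinlogonKey" -ValueName CachedLogonsCount).Value
}

# Usage: enforce 10 cached logons for the laptop OU, then verify on both sides.
Set-CachedLogonsCountPolicy -GpoName 'Laptop-CachedLogons' -Count 10
"GPO value : $(Get-CachedLogonsCountPolicy -GpoName 'Laptop-CachedLogons')"
"Local value: $(Get-CachedLogonsCount)"   # reflects the policy only after gpupdate on this host
```

After the GPO applies (`gpupdate /force` on the client, or the next refresh cycle), an entry is cached only when the account actually logs on interactively while the DC is reachable, which is why the admin still has to sign in on the laptop once before it leaves the office.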
