Will cached domain credentials stay working if machine never re-connects to domain?


My experience is the same as what others have said - if you have a PC with cached credentials and it can't connect to a Domain Controller, those credentials don't expire.

But...

An exception could be if they set a security policy to disable or limit credential caching. The default is to cache 10 sets of credentials, but this could be overridden. If it was set to 0, then they wouldn't be able to use cached credentials, or if it was set to a low number, e.g. 2, then only the last 2 accounts to log in would have their credentials cached.

And as one of the comments said, whoever is providing support to this company should use one of the many tools or tutorials to create a local admin account with a known password. By default, the Administrator account is only accessible in Safe Mode and is blank, so they could try that if they haven't already (although getting to safe mode in Win8 requires a tutorial of its own...).

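A defender-side check for the policy the answer describes, added here as an example (it is not from the original post): it reads the CachedLogonsCount value under the Winlogon key, which is what the "Interactive logon: Number of previous logons to cache" policy writes, together with the workstation's domain membership, and reports what that implies for logging on with no domain controller reachable. The key path and the default of 10 are from Windows documentation; the function name is my own.

```powershell
# Added example: audit whether a domain-joined workstation can still use cached
# domain logons when no domain controller is reachable. Function name is hypothetical.
function Get-CachedLogonPolicy {
    [CmdletBinding()]
    param()

    # Winlogon key backing the GPO "Interactive logon: Number of previous logons to cache".
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $item = Get-ItemProperty -Path $winlogon -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue

    # The value is stored as REG_SZ; when it is absent Windows uses its default of 10.
    if ($null -eq $item) {
        $count  = 10
        $source = 'default (value not set)'
    } else {
        $count  = [int]$item.CachedLogonsCount
        $source = 'registry / group policy'
    }

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    if (-not $cs.PartOfDomain) {
        $verdict = 'Workstation is not domain-joined; only local accounts apply.'
    } elseif ($count -le 0) {
        $verdict = 'Cached logons disabled: domain accounts cannot log on without a DC.'
    } else {
        $verdict = "The $count domain accounts that logged on most recently can still log on without a DC; cached entries do not expire on their own."
    }

    [pscustomobject]@{
        ComputerName      = $cs.Name
        Domain            = $cs.Domain
        PartOfDomain      = $cs.PartOfDomain
        CachedLogonsCount = $count
        Source            = $source
        Verdict           = $verdict
    }
}

Get-CachedLogonPolicy | Format-List
```

Reading HKLM\SOFTWARE does not need elevation, so this runs as any local user on the workstation in question.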


Author: Alex Chance

Updated on September 18, 2022

Comments

  • Alex Chance
    Alex Chance over 1 year

    I have researched this thoroughly, and cannot find the answer I am looking for.

    A company I recently left is going through a bankruptcy. They have already auctioned off most of the IT equipment, including the server that was the domain controller. However, they still have the client workstations set up in the office. These computers have no network access and will not be able to reach the domain controller, but still belong to the domain. There are no local accounts set up aside from the local administrator account, and they do not know the password. They are wanting to know if they can still log in and access local files, QuickBooks, etc...

    Would someone still be able to log in using the last cached domain credentials? If so, is there a limit on how long those credentials will stay working?

    The client workstations are running Windows 7 Pro, or Windows 8.1 Pro. The server that was once there was running Active Directory 2008, not sure if that matters.

    Thanks for the help.

  • joeqwerty
    joeqwerty about 8 years
    "Your problem will be the machine account password - this is refreshed periodically when the computer connects to the domain controller. If this password was not changed for over 30 days (default value), domain accounts - even with cached credentials - won't be able to login" - That's not technically accurate. If the DC is no longer running and is not contactable by the computers then the users will continue to be able to log on with cached credentials. - blogs.technet.microsoft.com/askds/2009/02/15/…
  • Alex Chance
    Alex Chance about 8 years
    Yeah I knew there were tools available for resetting the local admin password if it comes to that. I used to work in the IT department for them, but they currently don't have any IT staff or anybody that is technologically sound. I was trying my best to just give them advice and guide them without having to get my hands dirty.
  • Alex Chance
    Alex Chance about 8 years
    I told him to see if his cached credentials would work, and if they did to create a local account. He doesn't even know how to set up a local account, but I can probably guide him through it. I also wonder if the group policies that were in place are still in effect? Guess I can post another question in regards to that.
  • Alex Chance
    Alex Chance about 8 years
    Thank you. The server is no longer on site; they were just trying to get access to the workstations that were still there. There are likely some workstations that this particular user had never logged into, and basically all the employees are gone already, so the best option would probably be to just reset the local admin.
  • Alex Chance
    Alex Chance about 8 years
    Yes, the DC is no longer running. It has already been removed from the site. They have also gutted all the network equipment, but the workstations were left there. I'm guessing he is just wanting to try to pull any data that may have been left on the machines. I suggested just pulling the hard drives if they would allow him to do that. The bankruptcy attorney is trying to ensure he can gather up as much data as possible just in case some is needed in the future.