How long does Windows cache domain user passwords

  • Question

  • I support a small business running Server 2003 R2 for their domain controller.  They are starting to use Windows 7 laptops and keep them out in the field for longer periods of time where the domain controller is not accessible.  I am concerned that their cached domain user passwords on the laptops are going to start expiring.  I need to let them know ahead of time so they can bring them to the office and synch them with the domain.  How long will Windows cache their passwords before they expire?  Is the time limit going to be the same after I upgrade their domain controller to 2008 R2?

    Thursday, May 5, 2011 11:22 AM

Answers

  • On Fri, 6 May 2011 04:58:38 +0000, Brent  Hu wrote:

    It is nothing to do with "cached domain user passwords". It depends on "Maximum password age" and "Maximum machine account password age" you defined in Group policy. The machine account password change is initiated by the computer every 30 days by default. So if a computer is turned off for long time nothing expires. When the computer starts up, it will notice that its password is older than 30 days and will initiate action to change it. However, you can change this behavior.

    No offense intended but this is completely incorrect and only serves to
    further confuse the issue.

    The OP was most definitely asking about cached credentials, which, since
    they are both Active Directory objects with passwords, affects both user
    and computer accounts, neither of which ever expire. Passwords can be made
    to expire, cached credentials never expire.


    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca
    Manual Writer's Creed:  Garbage in, gospel out.

    • Proposed as answer by Vadims Podans MVP Friday, May 6, 2011 10:40 AM
    • Marked as answer by Brent Hu Tuesday, May 10, 2011 3:15 AM
    Friday, May 6, 2011 8:07 AM

All replies

  • On Thu, 5 May 2011 11:22:41 +0000, Kevin R Hawkins wrote:

    I support a small business running Server 2003 R2 for their domain controller. They are starting to use Windows 7 laptops and keep them out in the field for longer periods of time where the domain controller is not accessible. I am concerned that their cached domain user passwords on the laptops are going to start expiring. I need to let them know ahead of time so they can bring them to the office and synch them with the domain. How long will Windows cache their passwords before they expire? Is the time limit going to be the same after I upgrade their domain controller to 2008 R2?

    Cached credentials never expire. Neither the client OS nor the OS on the
    domain controllers matter, they simply never expire.


    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca
    Cursor:  An expert in four-letter words.

    Thursday, May 5, 2011 11:38 AM
  • Hi Kevin,

    It is nothing to do with "cached domain user passwords". It depends on "Maximum password age" and "Maximum machine account password age" you defined in Group policy. The machine account password change is initiated by the computer every 30 days by default. So if a computer is turned off for long time nothing expires. When the computer starts up, it will notice that its password is older than 30 days and will initiate action to change it. However, you can change this behavior.

    Password Age for Machine Accounts do not expire
    http://blogs.msdn.com/b/john_daskalakis/archive/2010/02/01/9956266.aspx

    Machine Account Password Process
    http://blogs.technet.com/b/askds/archive/2009/02/15/test2.aspx

    How maximum password age is implemented
    http://support.microsoft.com/kb/236373

    OldCmp is a command line Active Directory query tool. Primarily used to find and cleanup old computer accounts that haven't been used. Can also be used to clean up user accounts when the proper filter is specified. 

    OldCmp
    http://www.joeware.net/freetools/tools/oldcmp/index.htm

    Brent
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Friday, May 6, 2011 4:58 AM
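    The machine account password behaviour Brent describes (a client-initiated change every 30 days by default, controlled by the "Domain member" security policy settings) can be checked on a domain-joined client with a short script. The following is an added example, not code from the thread or from Microsoft. It reads the Netlogon registry values that back the "Domain member: Maximum machine account password age" and "Domain member: Disable machine account password changes" policies, tests the secure channel, and, if the RSAT ActiveDirectory module is available and a domain controller is reachable (both assumptions), compares the account's PasswordLastSet against the configured maximum.

```powershell
# Added example (not from the thread): report this client's machine account
# password change policy and, when AD is reachable, the current password age.
# Assumes the RSAT ActiveDirectory module for the Get-ADComputer lookup.

function Get-MachineAccountPasswordStatus {
    [CmdletBinding()]
    param()

    $netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $params   = Get-ItemProperty -Path $netlogon

    # "Domain member: Maximum machine account password age" (days, default 30).
    # The value is only present when the policy has been set explicitly.
    $maxAgeDays = if ($null -ne $params.MaximumPasswordAge) { [int]$params.MaximumPasswordAge } else { 30 }

    # "Domain member: Disable machine account password changes" (1 = changes disabled)
    $changesDisabled = ($params.DisablePasswordChange -eq 1)

    $result = [ordered]@{
        ComputerName           = $env:COMPUTERNAME
        MaxPasswordAgeDays     = $maxAgeDays
        PasswordChangeDisabled = $changesDisabled
        SecureChannelOK        = $null
        PasswordLastSet        = $null
        PasswordAgeDays        = $null
        ChangeOverdue          = $null
    }

    # Test-ComputerSecureChannel needs a reachable DC; when the laptop is out
    # of the office this simply fails, which is itself useful to know.
    try {
        $result.SecureChannelOK = Test-ComputerSecureChannel -ErrorAction Stop
    } catch {
        $result.SecureChannelOK = $false
    }

    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        try {
            $acct = Get-ADComputer -Identity $env:COMPUTERNAME -Properties PasswordLastSet -ErrorAction Stop
            $result.PasswordLastSet = $acct.PasswordLastSet
            $result.PasswordAgeDays = [math]::Floor(((Get-Date) - $acct.PasswordLastSet).TotalDays)
            # "Overdue" only means the client will rotate the password on its
            # next contact with a DC; the account itself does not expire.
            $result.ChangeOverdue = (-not $changesDisabled) -and ($result.PasswordAgeDays -gt $maxAgeDays)
        } catch {
            Write-Warning "AD lookup failed (no DC reachable?): $($_.Exception.Message)"
        }
    }

    [pscustomobject]$result
}

Get-MachineAccountPasswordStatus | Format-List
```

    Run it from an elevated prompt on the client. A PasswordAgeDays well past MaxPasswordAgeDays with ChangeOverdue set to True is the normal state for a laptop that has been away from the office; as the thread notes, the client simply changes the password the next time it talks to a domain controller.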
  • On Mon, 9 May 2011 05:00:16 +0000, Brent  Hu wrote:

    You just correctly answered Kevin's question, but actually I think that the answer "Cached credentials never expire" will probably not help him to solve his real concerns, otherwise, the issue would not have happened.

    There is no current issue, which is entirely the point here. You've
    completely misread/misunderstood the original post and your answer is still
    not on the topic and is confusing the issue.


    He mentioned that "They are starting to use Windows 7 laptops and keep them out in the field for longer periods of time where the domain controller is not accessible. I am concerned that their cached domain user passwords on the laptops are going to start expiring."

    According to his statement and symptom, it seems most likely to be the user/computer account password have been expired rather than cached credentials issue he concerned. Perhaps our answer is the same direction, but not at one point.

    He doesn't have a symptom, he is expressing a concern for what may or may
    not happen at some point in the future
    and that is he's concerned that
    computers that do not have a connection to a domain controller for a long
    period of time may have their cached credentials expire. As I said in my
    original post, cached credentials simply do not expire, period.

    It doesn't matter at all if the user or computer account passwords are
    beyond their expiry date, as long as the credentials have been cached once,
    and there is no connection to a domain controller, they will never expire.

    Our answers are not "the same direction, but not at one point". Yours has
    nothing at all to do with the original question. THERE IS NO CURRENT ISSUE.
    I really wish you'd stop confusing the OP with your non-answer.


    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca
    The next generation of computers will have a "Warranty Expired"
    interrupt.

    • Proposed as answer by benweston Wednesday, December 6, 2017 12:59 PM
    Monday, May 9, 2011 6:13 AM
  • I am having problems similar to what the OP is looking for an answer to.

    Have been using Windows 7 on laptops for Home Health nurses for about one year now.
    Users are mostly field users, may come into office once per week for patient record synchronization and system updates.
    Until about one-and-a-half weeks ago users could unlock / log-on their laptops while off the corporate network without any problem, now seeing more issues with each passing day.
    This is not affecting Windows XP users, just Windows 7. Problem has started on new - fresh-built - laptops and old laptops that have been in service for many months.
    Running a Windows 2008R2 single forest, single domain environment.

    Reviewed other topics in the communities; no suggestions correct issue.
    Have verified "Interactive logon: Number of previous logons to cache (in case domain controller is not available)"; still '10 logons'
    Have verified "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | CachedLogonsCount"; still '10'
    Have verified "Interactive logon: Require Domain Controller authentication to unlock"; still 'Disabled'
    Have deleted user's local profile to force new creation.
    Ran GPRESULT; everything is clean.

    Since this is now affecting nurses ability to review and document patient charts it is getting some unwelcome, but understandable, attention from administration.

    I have seen other posts where the moderators are suggesting it is a server problem and should be addressed in WINDOWSSERVER forums. I would have to disagree, as this is clearly a client problem.

    I'm hoping someone may have a working solution to this so we can prevent this from spreading from the seven or eight users affected to the 100+ that are still OK.

    Thanks in advance for any help.


    Frank Boyd

    Monday, November 26, 2012 9:59 PM
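    The checks Frank lists (the "Number of previous logons to cache" policy, the CachedLogonsCount registry value and the "Require Domain Controller authentication to unlock" policy) can be scripted so they are gathered identically from every affected and unaffected laptop. The block below is an added example, not code from the thread or from Microsoft. It reads the Winlogon values that back those two policies and then counts Security log logons of type 11 (CachedInteractive), which is how Windows records a sign-in that succeeded against cached credentials; comparing the number of distinct cached-logon users against CachedLogonsCount matters because the cache holds one entry per user and the oldest entries are evicted once the limit is reached. The Security log read and the window of 14 days are assumptions for the example.

```powershell
# Added example (not from the thread): gather the cached-logon settings on a
# client and summarise recent cached-credential logons (event 4624, type 11).
# Run elevated so the Security log is readable.

function Get-CachedLogonAudit {
    [CmdletBinding()]
    param(
        [int]$Days = 14    # assumed look-back window
    )

    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props    = Get-ItemProperty -Path $winlogon

    # "Interactive logon: Number of previous logons to cache" -> CachedLogonsCount (REG_SZ, default "10")
    $cachedCount = if ($null -ne $props.CachedLogonsCount) { [int]$props.CachedLogonsCount } else { 10 }

    # "Interactive logon: Require Domain Controller authentication to unlock workstation" -> ForceUnlockLogon (1 = enabled)
    $forceUnlock = ($props.ForceUnlockLogon -eq 1)

    # Collect cached-interactive logons from the Security log.
    $since  = (Get-Date).AddDays(-$Days)
    $cached = @()
    try {
        $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction Stop
        foreach ($e in $events) {
            $xml  = [xml]$e.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['LogonType'] -eq '11') {
                $cached += [pscustomobject]@{
                    Time = $e.TimeCreated
                    User = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                }
            }
        }
    } catch {
        # Get-WinEvent throws when no events match as well as when access is denied.
        Write-Warning "Security log query returned nothing: $($_.Exception.Message)"
    }

    $users = @($cached | Select-Object -ExpandProperty User -Unique)

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        CachedLogonsCount      = $cachedCount
        RequireDCToUnlock      = $forceUnlock
        CachedLogonsInWindow   = $cached.Count
        DistinctCachedUsers    = $users.Count
        # More distinct users than cache slots means older users' entries
        # have already been pushed out and they will fail to log on offline.
        CacheLimitReached      = ($users.Count -ge $cachedCount)
        NewestCachedLogon      = ($cached | Sort-Object Time -Descending | Select-Object -First 1).Time
    }
}

Get-CachedLogonAudit | Format-List
```

    Running this on one of the seven or eight affected laptops and on a working one gives a like-for-like comparison: identical settings but a sudden stop in type 11 logons on the affected machines points at the client-side cache rather than at policy, while CacheLimitReached on a laptop shared by many users explains evictions without any setting having changed.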